Re: crypto-ISSUE-11 (storage attribute): Is there a need for a storage attribute, indicating storage in a hardware token

At the f2f, I argued that we do not need this attribute.

In some ways, having this attribute is dangerous (leads to unsafe assumptions by developers). And in case developers are indeed cognizant of what they are doing, they will not need this, as they will be putting in place alternate trust mechanisms anyway.

However, for performance reasons, for search I think that we need a notion of 'fetch a key [reference] (probably satisfying other criteria as well) from a (given set of) provider(s)'. This way, any UI actions (to insert a card, for example) can be controlled/triggered by the application.

Thanks,
Seetharama


On 8/3/12 7:49 AM, "Web Cryptography Working Group Issue Tracker" <sysbot+tracker@w3.org> wrote:

crypto-ISSUE-11 (storage attribute): Is there a need for a storage attribute, indicating storage in a hardware token

http://www.w3.org/2012/webcrypto/track/issues/11

Raised by: Virginie GALINDO
On product:

During our summer F2F meeting, some discussions were held about the need or not to have an attribute associated with a key, indicating the storage used for this key. This attribute, while being mentioned in our discussions several times, was challenged by the fact that the reliability of this attribute could be weak - how can you trust the environment when saying that the key is stored in a hardware token?
This issue is to keep track of the discussion and make a decision about endorsing or not such an attribute, once the key object description is made available.

Received on Friday, 3 August 2012 15:45:57 UTC