- From: Web Cryptography Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Mon, 06 Aug 2012 04:46:57 +0000
- To: public-webcrypto@w3.org

crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API]

http://www.w3.org/2012/webcrypto/track/issues/16

Raised by: Ryan Sleevi
On product: Web Cryptography API

During the July Face-to-Face, the topic of Key Expiration was raised. However, a solid definition is lacking for what the semantics should be.

Argument for Implementation Semantics:
- Expiration could serve as a quota-management technique. Keys may represent expensive resources, particularly in constrained environments. Therefore, an understanding of how long a key is supposed to live may allow a user agent to remove 'expired' keys over time.

Argument for Application Semantics:
- Expiration should have no specific meaning to the implementation; it is simply provided to the application in an advisory capability to inform the application how a key can/should be used. This is particularly important for implementations that use pre-existing cryptographic APIs, such as OS APIs, as the underlying API may enforce these semantics.

An example was given for a keypair where the private key may no longer be able to sign messages after a particular date, but the associated public key may be used to verify existing messages.

Should expiration be handled on a per-application basis in the custom attributes, or is it a global attribute on all Key types that should be managed by the User Agent?

Received on Monday, 6 August 2012 04:46:58 UTC
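
The keypair example in the message above, read under the "Application Semantics" argument, as an added sketch that is not part of the original message or of the Web Cryptography API: expiration is an attribute the application stores and checks itself, signing is refused after the date, and verification of existing signatures keeps working. `AdvisoryKeyPair`, `KeyExpiredError`, `notAfter` and `demo` are hypothetical names, and Node's built-in `crypto` module stands in for the underlying implementation.

```javascript
// Added illustration; every class, field and function name here is hypothetical.
const nodeCrypto = require('node:crypto');

class KeyExpiredError extends Error {}

// Pairs a key with an application-managed expiration attribute. The crypto
// library underneath never sees notAfter; only this wrapper consults it.
class AdvisoryKeyPair {
  constructor(privateKey, publicKey, notAfter) {
    this.privateKey = privateKey;
    this.publicKey = publicKey;
    this.notAfter = notAfter; // Date after which no new signatures are made
  }

  static generate(notAfter) {
    const { privateKey, publicKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    return new AdvisoryKeyPair(privateKey, publicKey, notAfter);
  }

  isExpired(now = new Date()) {
    return now.getTime() > this.notAfter.getTime();
  }

  // Signing is refused once the key has expired.
  sign(message, now = new Date()) {
    if (this.isExpired(now)) {
      throw new KeyExpiredError(`signing key expired at ${this.notAfter.toISOString()}`);
    }
    return nodeCrypto.sign('sha256', Buffer.from(message), this.privateKey);
  }

  // Verification stays available after expiry; the result reports the
  // expiry so the caller can apply its own policy to old signatures.
  verify(message, signature, now = new Date()) {
    const valid = nodeCrypto.verify('sha256', Buffer.from(message), this.publicKey, signature);
    return { valid, keyExpired: this.isExpired(now) };
  }
}

// Constructed sample dates and message.
function demo() {
  const pair = AdvisoryKeyPair.generate(new Date('2012-12-31T23:59:59Z'));
  const sig = pair.sign('invoice 42', new Date('2012-08-06T00:00:00Z'));
  const later = new Date('2013-01-15T00:00:00Z');
  let refused = false;
  try { pair.sign('invoice 43', later); } catch (e) { refused = e instanceof KeyExpiredError; }
  return { refused, ...pair.verify('invoice 42', sig, later) };
}
```

The check lives entirely in the wrapper, so code that holds the raw private key can still sign after the date; that gap is what separates this advisory reading from enforcement by the user agent or an OS API.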