Re: crypto-ISSUE-26 (multi-origin access): Should key generation be allowed to specify multi-origin shared access [Web Cryptography API] from Wan-Teh Chang on 2012-08-23 (public-webcrypto@w3.org from August 2012)

From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 22 Aug 2012 18:28:20 -0700
To: Mountie Lee <mountie.lee@mw2.or.kr>
Cc: Ryan Sleevi <sleevi@google.com>, Seetharama Rao Durbha <S.Durbha@cablelabs.com>, David Dahl <ddahl@mozilla.com>, Web Cryptography Working Group <public-webcrypto@w3.org>
Message-ID: <CALTJjxEMKL4zqY4v_O0cdVGR-kaNrJa-rXwbdp1J1Y+w99SstA@mail.gmail.com>

It would be nice for implementations to be able to support two types
of key access:
- origin-bound keys
- shared keys that are associated with certificates

The Key object should be specified to have an attribute related to
which origins may use the key. We can start with supporting
origin-bound keys only.

Also, after a signing key has been used, it seems dangerous to broaden
the origins. I am worried that an old signature generated when only
one origin was allowed may become valid for other origins
retroactively. So this key attribute for access control probably
should be immutable for signing keys at least.

Wan-Teh

Received on Thursday, 23 August 2012 01:28:56 UTC