RE: crypto-ISSUE-22: Should CryptoOperations be clonable [Web Cryptography API]

Regarding the clonable aspect of keys, there could be some use cases that require it- e.g. a key could be bound to only one origin, and has to be cloned before it can be used from another. In such scenarios it would be OK to allow a key to be cloned. Alternatively, we can add a "cloneable" property to the key. If this is true then the key can be cloned and application is free to update any attribute, including the origin - thus enabling its use from other origins. On the other hand if this property is false, then the key cannot be cloned, and can also not be used from another origin.

Regards,
--- asad

-----Original Message-----
From: Vijay Bharadwaj [mailto:Vijay.Bharadwaj@microsoft.com] 
Sent: Monday, August 27, 2012 4:59 AM
To: Wan-Teh Chang; David Dahl
Cc: Ryan Sleevi; Web Cryptography Working Group
Subject: RE: crypto-ISSUE-22: Should CryptoOperations be clonable [Web Cryptography API]

BCryptDuplicateHash supports SSL/TLS. It also supports other protocols which produce signatures over packets, with many packets (e.g. all packets in a specific session) sharing a common header.

CNG also has BCryptDuplicateKey. When called on a symmetric key object, this duplicates key expansion and chaining state.

All that said, I am not sure if this facility is truly required in a v1 WebCrypto API.

-----Original Message-----
From: Wan-Teh Chang [mailto:wtc@google.com] 
Sent: Thursday, August 23, 2012 5:09 PM
To: David Dahl
Cc: Ryan Sleevi; Web Cryptography Working Group
Subject: Re: crypto-ISSUE-22: Should CryptoOperations be clonable [Web Cryptography API]

In NSS, cloning of a crypto operation is only used in the SSL/TLS protocol and only used for the handshake hashes:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/ssl3con.c&rev=1.186&mark=3695-3697,3704,3731-3732#3694

In SSL/TLS, the handshake hashes are used in the Finished message, but if client authentication is used, the handshake hashes are also used in the CertificateVerify message.

A function for cloning a hash operation is also present in Windows
CNG: BCryptDuplicateHash
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375413(v=vs.85).aspx

I suspect BCryptDuplicateHash (and its predecessor CryptDuplicateHash) was also added to support SSL/TLS.

This is the only use of cloning I know of.

If no one else comes forward with a use case or a use of cloning in some other protocol, then it doesn't seem necessary to support cloning CryptoOperations.

Wan-Teh

Received on Monday, 27 August 2012 16:30:51 UTC