RE: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]

Hi Wan-Teh,

Yes I remember discussing this issue at the F2F meeting. At that time there was also some talk of setting the key source as an attribute - pending subsequent discussion. I am fine with binding of private keys through their corresponding certificates so that the right key gets selected. But the key/certificate can still reside in a smart card or in a soft key store managed by the browser, and this information has to be conveyed to the application. In that respect Karen and I have not changed our mind; we still maintain that application needs to know where the key is coming from. Exactly how this is done can be discussed. We had suggested key attribute, but if that is problematic we are open to other mechanisms of passing the source info to applications.

If the API can include a way for the application to limit the selection of keys (directly or indirectly through certificates) to those residing in a smart card, that will be fine. Conversely, there could be no such restriction upfront, but once a key is selected (again, directly or indirectly) the source information is passed to the application, that will work too. My concern is more on getting this source information to the app, and less on how we do it.

As Ryan pointed out, the current API only deals with keys generated by the application - which is why we did not see how pre-provisioned keys from smart card could be selected. Once we start discussing discovery/selection of such keys I am sure we can find a way to address these concerns. I know that this will not be possible before the first public draft, but I will be happy if we agree in principal that the application will be informed of the key source. We can then hash out the details.

best regards,
--- asad



-----Original Message-----
From: Wan-Teh Chang [mailto:wtc@google.com] 
Sent: Monday, August 27, 2012 5:09 PM
To: Ryan Sleevi
Cc: Mark Watson; GALINDO Virginie; Lu HongQian Karen; Ali Asad; public-webcrypto@w3.org
Subject: Re: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]

Matching an associated certificate is the best way to find the right private key. The search criteria for the associated certificate should be such that only the certificates associated with private keys stored in the right smart card will match. Ideally the search criteria should be narrow enough so that only one certificate (and therefore only one private key) will match, so that we don't need to ask the user to choose one.

We have explained this private key lookup method before, including at the face-to-face meeting in July. I remember Karen and Asad considered this method satisfactory. Karen, Asad, have you changed your opinion?
Or are you worried that the current API draft does not provide a way to look up a private key by matching its associated certificate?

Thanks,
Wan-Teh

Received on Tuesday, 28 August 2012 14:58:21 UTC