- From: Wan-Teh Chang <wtc@google.com>
- Date: Mon, 11 Jun 2012 11:45:39 -0700
- To: Ryan Sleevi <sleevi@google.com>
- Cc: David Dahl <ddahl@mozilla.com>, Ali Asad <Asad.Ali@gemalto.com>, "James L. Davenport" <jdavenpo@mitre.org>, public-webcrypto@w3.org
On Fri, Jun 8, 2012 at 11:44 AM, Ryan Sleevi <sleevi@google.com> wrote: > > I would prefer that, in our first draft, and consistent with the charters > goals, that any awareness of smart cards or secure elements be left out. > Simply dealing in key IDs is, I believe, sufficient enough to support the > core use cases and primary goals, and also gives implementors the > flexibility to expose keys stored in secure elements in an > implementation-independent way that is compatible with the core API. +1. I also prefer this. I've given this some thought over the weekend. The only problem I came up with is the operations that do not take a key: * hashing * generating random bytes Even for these two operations, I don't think we should burden a web application with the selection of a crypto module to compute a hash or generate random bytes. The browser should select the best crypto module for these operations. Any "secure element" should be configured either in the browser or in the OS to be used for their strengths (either for strong physical protection of keys or true random number generation). Wan-Teh
Received on Monday, 11 June 2012 18:46:24 UTC