Re: ECC vs RSA, and Similar Conflicts

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 22 May 2012 08:54:36 -0700
Message-ID: <CABcZeBOG4JX0nY+rxF3RWCg2qS2i0jMpLbgKkk7DqRizV8KQeQ@mail.gmail.com>
To: David McGrew <mcgrew@cisco.com>
Cc: Anil Saldhana <Anil.Saldhana@redhat.com>, public-webcrypto@w3.org

On Tue, May 22, 2012 at 2:23 AM, David McGrew <mcgrew@cisco.com> wrote:
> On May 10, 2012, at 10:36 AM, Anil Saldhana wrote:
>
>> Giving direct access to private keys to the JS api is trouble.
>>
>> I support David's thoughts on just allowing references to IDs of Private Keys.
>
> +1
>
> It will also be important that the API itself not allow manipulations of the secret and private keys that allow an attacker to cause one of those keys to be revealed by executing a (possibly convoluted) sequence of operations on it, as has been shown to be the case for PKCS#11 (see for instance <http://www.lsv.ens-cachan.fr/~steel/pkcs11/>)

David,

I think this is actually an argument *against* key isolation.

As soon as protecting the keys becomes a system invariant, then the
introduction of any new API call requires extensive cryptographic
review. As I've been putting it lately, "every time you want to add
a new API point, you need to call Dan Boneh".

This isn't to say that there is no use for key isolation, but that making it
a security guarantee of the system is quite expensive in terms of
design cost.

-Ekr
Received on Tuesday, 22 May 2012 15:56:11 UTC
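
An added illustration, not part of the original message or of any Web Crypto draft: a toy handle-only key store checked against the well-known wrap-then-decrypt conflict from the PKCS#11 API analysis literature, showing how a key-isolation invariant depends on the interaction of API calls rather than on any single call. The `Token` class, its usage names, `isolation_holds` and the SHA-256 stand-in cipher are all assumptions made for this sketch.

```python
import hashlib
import os

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Token:
    """Hypothetical handle-only key store: callers hold handles, never key bytes."""
    def __init__(self, separate_roles: bool):
        self.separate_roles = separate_roles  # policy switch under test
        self._keys = {}                       # handle -> (key bytes, usages)

    def generate(self, usages):
        usages = set(usages)
        # Hardened policy: one key may not be both a wrapping and a decryption key.
        if self.separate_roles and {"wrap", "decrypt"} <= usages:
            raise PermissionError("wrap and decrypt are conflicting roles")
        handle = len(self._keys) + 1
        self._keys[handle] = (os.urandom(32), usages)
        return handle

    def _use(self, handle, usage):
        key, usages = self._keys[handle]
        if usage not in usages:
            raise PermissionError(f"key {handle} lacks usage {usage!r}")
        return key

    def wrap(self, wrapping, target):
        # Exports the target key encrypted under the wrapping key.
        nonce = os.urandom(16)
        kek = self._use(wrapping, "wrap")
        return nonce + _stream_xor(kek, nonce, self._keys[target][0])

    def decrypt(self, handle, blob):
        # General-purpose decryption: returns plaintext to the caller.
        return _stream_xor(self._use(handle, "decrypt"), blob[:16], blob[16:])

def isolation_holds(token: Token) -> bool:
    """Regression check: does wrap followed by decrypt reveal an isolated key?"""
    target = token.generate({"encrypt"})
    try:
        kek = token.generate({"wrap", "decrypt"})
        leaked = token.decrypt(kek, token.wrap(kek, target))
    except PermissionError:
        return True
    # The harness peeks inside the token only to compare against the real key.
    return leaked != token._keys[target][0]
```

Each call is harmless on its own; the invariant only fails when both usages meet on one key, which is why every new call has to be checked against all existing ones.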