Re: Key id

On Tue, Sep 4, 2012 at 12:07 PM, Mitch Zollinger <mzollinger@netflix.com> wrote:
>
> Regarding Section 11.2:
>
> id
>
> For all Keys visible within a given origin, each Key shall have a unique, opaque identifier assigned that may be used to uniquely identify that Key within the set of keys.
>
> Within the same origin, if two Keys are created from the same underlying keying material, they MUST share the same id.
>
>
> What is meant by "if two Keys are created from the same underlying keying material" here?
>
> Does this mean that if I have some key material that I use as an AES key in one case and as a 3DES key in another, they will have the same ID?


Thanks for pointing out the ambiguity, caused by an assumption on my
part on the implementation details.

The /intent/ was for implementations that use handles from underlying
cryptographic providers, that the ID remains the same. This was in
anticipation of things like key querying, which multiple queries
should return the same key ID for the same logical key.

That said, it may be inappropriately overspecified here, in addition
to the ambiguity. I'll see if I can find a better way to word this (or
suggestions welcome, or perhaps it's unnecessary), but the intent was
that algorithm was part of the identity of the underlying key - ergo,
two different IDs.

>
> Also, would the algorithm be such that if my keying material on one device matched the keying material on another device that this ID would be identical for the same origin?

No statement is made one way or the other. This is a user agent (eg:
purely client side) behaviour. As long as an implementation meets
those criteria, I would expect it to be fine. So they may share the
same ID between devices, or they may be unique between devices.

Received on Tuesday, 4 September 2012 22:34:05 UTC