- From: Mark Watson <watsonm@netflix.com>
- Date: Tue, 9 Jul 2013 09:32:04 -0700
- To: Nick Van den Bleeken <Nick.Van.den.Bleeken@inventivegroup.com>
- Cc: "<public-webcrypto@w3.org>" <public-webcrypto@w3.org>
- Message-ID: <CAEnTvdDxEE3Sk5vQoEae=TD9dRTkq-C++XH6WxWnu2S3GHLkbw@mail.gmail.com>
On Mon, Jul 8, 2013 at 11:46 PM, Nick Van den Bleeken < Nick.Van.den.Bleeken@inventivegroup.com> wrote: > Hi Mark, > > First of all thank you for making Key Discovery API promises based just > like the Web Crypto API! > > For the other change, I'm not that convinced anymore that there should be > only one key with a certain name (I know we discussed this at the FtF > but…). > > With the current spec someone can choose to deploy multiple keys with > the same name and use a particular naming schema for the ID to distinguish > the keys. (There is currently no query or list functionality so you need to > know the name of the key upfront (you can't for example use a particular > naming schema on the name to because then you don't know the exact name for > the key)). > > In a future version of the Key Discovery API we might add other > 'attributes' that could be assigned to keys by the provisioner, which make > it even more useful to return multiple keys (but currently implementers > could choose to experiment with adding their own extension attributes). > > A possible use case could be pre-provisioned keys issued by a particular > issuer for a particular usage that have an X.509 certificate associated > with them. But even without the certificate, when you are in a trusted > environment only having the ID, which encodes the 'subject' will benefit by > being able to return multiple keys for the same name. > Yep, I agree with all of the above. What we need, though, is very concrete use-cases and then we can decide if we should add new kinds of pre-provisioned key with attributes and the associated methods to query them. For the moment, the only use-case we have is when the pre-provisioned keys are associated with the device. So there can be no ambiguity - the application knows exactly the names it is looking for and there is only one key for each name. We should keep the API simple until we have a concrete use-case motivating more complexity. ...Mark > > Regards, > > Nick > > > > On 09 Jul 2013, at 01:51, Mark Watson <watsonm@netflix.com> wrote: > > All, > > I updated the Key Discovery editor's draft to use Promises and to > support retrieval of a single named key: > https://dvcs.w3.org/hg/webcrypto-keydiscovery/raw-file/tip/Overview.html > > (Yes, I know it should be Promise<any> in the IDL, but I don't think > respec supports this ...) > > There have been some requests for APIs to discover multiple keys, for > which I'm waiting on a clear use-case. > > ...Mark > > > > ------------------------------ > > Inventive Designers' Email Disclaimer: > http://www.inventivedesigners.com/email-disclaimer >
Attachments
- image/png attachment: image003.png
- image/png attachment: image001.png
- image/png attachment: image002.png
Received on Tuesday, 9 July 2013 16:32:31 UTC