- From: Hutchinson Michael <Michael.Hutchinson@gemalto.com>
- Date: Tue, 18 Jun 2013 00:10:19 +0200
- To: Ryan Sleevi <sleevi@google.com>
- CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Ryan, 14.2.10. The wrapKey method 7 If Key.extractable is not true, terminate this algorithm with an error. need "Key" to be lower case "key" 7 If key.extractable is not true, terminate this algorithm with an error. 14.2.11. The unwrapKey method 8 If Key.extractable is not true, terminate this algorithm with an error. This does not make sense as Key has no association here; maybe a copy and paste from 14.2.10 7? Should it not be 8 If unwrappingKey.extractable is true, terminate this algorithm with an error. Also, should there be some security checking for the unwrap key, such as: If unwrappingKey.keyUsage contains the "decrypt" KeyUsage, terminate this algorithm with an error. or would that be a function of the high level API? :-) Also, I note that many of the methods do not contain the test for their own key usage. e.g. decrypt does not contain If key.keyUsage does not contain the "decrypt" KeyUsage, terminate this algorithm with an error. Of course, as Unwrap is effectively a high level API (it makes use of decrypt) inclusion of both the security check and the key usage self test would block the Unwrap from using the decrypt implementation directly. :-( >Michael
Received on Monday, 17 June 2013 22:10:44 UTC