Re: [WebCrypto Key Discovery] Algorithm names in named keys

Hi Nick,

In WebCrypto, keys are associated with a very specific algorithm, such as RSAES-PKCS1-v1_5. When you pre-provision named keys for a specific origin, you should pre-provision their attributes - including this specific algorithm - as well.

Now, since the pre-provisioning mechanism is out-of-scope of the specification, you can implement this however you like. If you want to expose multiple named keys that - under the covers - are derived from the same secret keying material then you are free to do that (although I cannot comment on the wisdom of that from a security perspective).

I think it is an open issue whether getKeysByName should be able to return multiple values. At one point the idea was that you could specify wildcard names. Without wildcards we'd imagined that getKeysByName should return a single value. This could be another reason to return multiple.

...Mark

Sent from my iPhone

On Mar 1, 2013, at 7:09 AM, "Nick Van den Bleeken" <Nick.Van.den.Bleeken@inventivegroup.com> wrote:

All,

While implementing the WebCrypto Key Discovery API I wondered what the intended behaviour of getKeysByName() was related to the returned Algorithm property of the returned keys.

Suppose that the key is an RSA key; should I then return a NamedKey for every Algorithm that uses this type of key? This might be a long list (RSAES-PKCS1-v1_5, RSASSA-PKCS1-v1_5, RSA-PSS, RSA-OAEP), but it is probably the only valid option, because the keyUsage flags may be different for some of the algorithms.

Kind regards,

Nick Van den Bleeken
R&D Manager

Phone: +32 3 425 41 02
Office fax: +32 3 821 01 71
nick.van.den.bleeken@inventivegroup.com
www.inventivedesigners.com

Received on Friday, 1 March 2013 15:44:46 UTC