Re: [WebCrypto Key Discovery] Algorithm names in named keys

On Fri, Mar 1, 2013 at 7:44 AM, Mark Watson <> wrote:
> Hi Nick,
> In WebCrypto, keys are associated with a very specific algorithm, such as
> RSAES-PKCS1-v1_5. When you pre-provision named keys for a specific origin,
> you should pre-provision their attributes - including this specific
> algorithm - as well.
> Now, since the pre-provisioning mechanism is out-of-scope of the
> specification, you can implement this however you like. If you want to
> expose multiple named keys that - under the covers - are derived from the
> same secret keying material then you are free to do that (although I cannot
> comment on the wisdom of that from a security perspective).
> I think it is an open issue whether getKeysByName should be able to return
> multiple values. At one point the idea was that you could specify wildcard
> names. Without wildcards we'd imagined that getKeysByName should return a
> single value. This could be another reason to return multiple.
> ...Mark


Using the same keying material with multiple algorithms should be a
security non-goal, because it only leads to cryptographic pain.

The provisioning of a NamedKey (out of spec) should also include
provisioning the associated algorithm.

Received on Friday, 1 March 2013 18:28:33 UTC