Re: ISSUE-9 [was Re: ISSUE-30: Key import/export?] from Harry Halpin on 2013-03-04 (public-webcrypto@w3.org from March 2013)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 04 Mar 2013 19:43:03 +0100
To: Ryan Sleevi <sleevi@google.com>
CC: Mark Watson <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <5134EB37.3050006@w3.org>

On 03/04/2013 07:22 PM, Ryan Sleevi wrote:
>> To re-iterate, I'm not asking about export/import in terms of the WebIDL as
>> currently written.
>>
>>   I'm asking about the notion that it is feasible developers may want to
>> read/write key material outside the browser. In which case, there's a
>> privacy angle that needs to be addressed.
>>
>> I'm pretty sure that's where the worries underlying ISSUE-9 come from, and
>> ISSUE-30.
> We addressed ISSUE-9 - long ago - by saying it would not, beyond what
> Mark's draft says. This was the entire crux of key discovery.

Key Discovery only addresses symmetric pre-provisioned keys last time I 
checked.  We have not formally closed ISSUE-9 or the import or export of 
keys outside of the browser to my extent except in that very limited case.

We can deal with ISSUE-9 and ISSUE-30 by moving them to the Web 
Discovery product. That is not closing them. That is moving the feature 
to a different product.

>> If we want to say "import/export" is single-session and ephemeral, that's
>> fine although that eliminates a number of use-cases. When I brought up the
>> fact that all keys are ephemeral at the last telecon, it seemed folks in the
>> WG were surprised and wanted further discussion.
> That's what it has said from the beginning. Key import/export has
> always been separate from key discovery - the latter being potential
> issues for ISSUE-9/30, but having absolutely nothing to do with the
> import / export operations as they've ever been written.

I'm saying "Key Discovery" is only symmetric keys. The issue is still 
open and I don't think has been adequately discussed, but I do 
sympathize with just closing it as many in the WG are not actively 
paying attention.  People need to understand that by closing these, 
we're limiting ourselves to pre-provisioned symmetric keys and ephemeral 
keys. I understand many in the WG are not paying that active attention, 
so I'm bringing this up.  When most people say "import/export" they 
imagine that it means importing and exporting outside the browser as 
well I imagine.

    cheers,
        harry

Received on Monday, 4 March 2013 18:43:12 UTC