Re: ISSUE-9 [was Re: ISSUE-30: Key import/export?] from Harry Halpin on 2013-03-04 (public-webcrypto@w3.org from March 2013)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 04 Mar 2013 19:53:08 +0100
To: Ryan Sleevi <sleevi@google.com>
CC: Mark Watson <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <5134ED94.2010806@w3.org>

On 03/04/2013 07:44 PM, Ryan Sleevi wrote:
> On Mon, Mar 4, 2013 at 10:43 AM, Harry Halpin <hhalpin@w3.org> wrote:
>> On 03/04/2013 07:22 PM, Ryan Sleevi wrote:
>>>> To re-iterate, I'm not asking about export/import in terms of the WebIDL
>>>> as
>>>> currently written.
>>>>
>>>>    I'm asking about the notion that it is feasible developers may want to
>>>> read/write key material outside the browser. In which case, there's a
>>>> privacy angle that needs to be addressed.
>>>>
>>>> I'm pretty sure that's where the worries underlying ISSUE-9 come from,
>>>> and
>>>> ISSUE-30.
>>> We addressed ISSUE-9 - long ago - by saying it would not, beyond what
>>> Mark's draft says. This was the entire crux of key discovery.
>>
>> Key Discovery only addresses symmetric pre-provisioned keys last time I
>> checked.  We have not formally closed ISSUE-9 or the import or export of
>> keys outside of the browser to my extent except in that very limited case.
>>
>> We can deal with ISSUE-9 and ISSUE-30 by moving them to the Web Discovery
>> product. That is not closing them. That is moving the feature to a different
>> product.
>>
>>
>>
>>>> If we want to say "import/export" is single-session and ephemeral, that's
>>>> fine although that eliminates a number of use-cases. When I brought up
>>>> the
>>>> fact that all keys are ephemeral at the last telecon, it seemed folks in
>>>> the
>>>> WG were surprised and wanted further discussion.
>>> That's what it has said from the beginning. Key import/export has
>>> always been separate from key discovery - the latter being potential
>>> issues for ISSUE-9/30, but having absolutely nothing to do with the
>>> import / export operations as they've ever been written.
>>
>> I'm saying "Key Discovery" is only symmetric keys.
> That is not the proposal.

Then where is the WebIDL that deals with import/export into the 
non-browser filesystem?

>
>> The issue is still open
>> and I don't think has been adequately discussed, but I do sympathize with
>> just closing it as many in the WG are not actively paying attention.  People
>> need to understand that by closing these, we're limiting ourselves to
>> pre-provisioned symmetric keys and ephemeral keys.
> No, we are not.

OK, then how do you handle the import and export of key material outside 
the browser in a case that isn't pre-provisioned symmetic keys.

I don't see anything in either the API or Key Discovery draft. And *if* 
there is something, my privacy concerns hold.
>
>> I understand many in the
>> WG are not paying that active attention, so I'm bringing this up.  When most
>> people say "import/export" they imagine that it means importing and
>> exporting outside the browser as well I imagine.
>>
>>     cheers,
>>         harry
>>

Received on Monday, 4 March 2013 18:53:17 UTC