Re: Key export and an opaque KeyFormat

Vijay,

Keys support structured clone. Just use the existing web storage
mechanisms. Until the user clears storage, it works.

This avoids any privacy concerns with accidental key resurrection through
throwing opaque blobs at the user until one sticks (thus indicating they
previously generated said blob, thus acting as a super cookie).

No exporting is required for object cloning. This was a key point that has
been repeatedly explained and a well understood concept from the Storage
APIs and from Workers, which both use Clonability.
 On Mar 19, 2013 11:39 PM, "Vijay Bharadwaj" <Vijay.Bharadwaj@microsoft.com>
wrote:

>  It seems to me that the current API has little support for an origin
> which wants to generate a key and then use it for multiple sessions. The
> only way I can see in the API of doing this is to use exportKey and store
> the key in the clear. This is not an appealing prospect. It also means that
> if an origin wants to persist a key in this way for its own later use then
> it has no choice but to make it exportable.****
>
> ** **
>
> So I would like to propose adding a value “opaqueLocal” to enum KeyFormat.
> The behavior of this format would be as follows: the result of calling
> exportKey with this KeyFormat would be a durable key reference that would
> be bound to the particular machine (and possibly UA). The contents of this
> reference are opaque to the caller – it may be just a key name that refers
> to a local key store, or it could be the entire key object wrapped with a
> key held by the UA. Calling importKey on this result will work on the same
> machine and UA, but fail on all other machines. Also, the algorithm,
> extractable and keyUsages parameters will be ignored and the values from
> the original key object will be used.****
>
> ** **
>
> The concept is similar to BCRYPT_OPAQUE_KEY_BLOB in CNG:
> http://msdn.microsoft.com/library/windows/desktop/aa375434.aspx****
>
> ** **
>
> Thoughts?****
>