information about key storage from Mete Balcı on 2013-09-26 (public-webcrypto@w3.org from September 2013)

From: Mete Balcı <Mete.Balci@pozitron.com>
Date: Thu, 26 Sep 2013 19:43:46 +0000
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <db924c74bedf45dcac1906d75462fef7@Handel.pozitron.com>

Hello all,

Sorry for repeating this if you have discussed it before. I wonder if the nature of key storage may be an important information for the consumers of web crypto and key discovery APIs. As an example, my bank may want to provision a key:

(1) and if that key is imported through importKey, there is no way to specify the preferred storage (assuming I may have multiple ways of storing keys on my PC, e.g. software protected keystores or smartcards)
(2) and if that key is pre-provisioned by other means, the app (e.g. internet banking) cannot know if it is stored on a smartcard (I mean a hardware based key storage) or not

Directly comparing this to native mobile environments:

(1) a native app can be sure if the key is provisioned on iOS keychain which is protected by hardware encryption or on regular files encrypted by PIN (software protection)
(2) again a native app can be sure about the source of the key

I am not sure if my example provides enough evidence for its use cases, but it seems to me, even the API is agnostic to key storage, some information about the storage should be exposed to the consumers of these APIs or the consumers should be able to provide hints to underlying system which handles the storage of the keys.

Thanks.

Mete
________________________________

Bu e-posta mesajı ve ekleri gönderildiği kişi ya da kuruma özeldir ve gizlidir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına gönderemez veya hiçbir şekilde kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz ve göndereni uyarınız. Gönderen ve POZITRON YAZILIM A.Ş., bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir. Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunamamasından, virüs içermesinden ve sisteminizde yaratabileceği zararlardan Şirketimiz sorumlu tutulamaz.

This e-mail and its attachments are private and confidential to the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to any third party is strictly prohibited. If you are not the intended recipient, you may not copy, forward, send or use any part of it. If you are not the intended recipient or the person who is responsible to transmit to the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and its attachments. The sender and POZITRON YAZILIM A.S. do not warrant for the accuracy, currency, integrity or correctness of the information in the message and its attachments. POZITRON YAZILIM A.S. shall have no liability with regard to the information contained in the message, its transmission, reception, storage, preservation of confidentiality, viruses or any damages caused in anyway to your computer system.

Received on Thursday, 26 September 2013 19:44:29 UTC