- From: <bugzilla@jessica.w3.org>
- Date: Wed, 30 Apr 2014 09:29:41 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25431 --- Comment #3 from Kelsey Cairns <kelsey.cairns@inria.fr> --- As the API is now, any algorithm that supports encrypt/decrypt can be used for wrap/unwrap. If we want to prevent unwrapping with RSAES, we would have to either make an exception or remove RSAES decrypt all together in which case we may as well remove RSAES entirely. Either way, decrypt on its own is still a potential oracle. Thinking out loud: I'm not a fan of complicating things in general, but if RSAES simply must be included, then making it more complicated for devs might at least be a disincentive to use it. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Wednesday, 30 April 2014 09:29:42 UTC