- From: <bugzilla@jessica.w3.org>
- Date: Thu, 15 May 2014 14:24:42 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25706 --- Comment #2 from Kelsey Cairns <kelsey.cairns@inria.fr> --- No interoperability issues with this one. The biggest concern to me is that it seems I could make an implementation that created completely non-random keys and still be API compliant. I get that we don't want to constrain implementations to anything specific, but maybe it would be reasonable to specify a lower bound on entropy? I think even a moving target is better than nothing, like "no worse than /dev/urandom." This bug is also an ease of use thing stemming from looking over the spec the other day with someone who's going to try an implementation and being asked "what do they mean?" when it came to one of the general key generation steps. I would have liked to be able to give a definitive answer from the spec, but I couldn't find one. My suggestion would be a blurb in the Terminology section along the lines of: "The phrase "generate key," when no further specification is given, is meant to allow implementers flexibility in the choice of random number generator. However an entropy source should be used that is [at least as good as.. [choose your reference, make sure there's some kind of metric for comparison]]" -- You are receiving this mail because: You are on the CC list for the bug.
Received on Thursday, 15 May 2014 14:24:43 UTC