[Bug 25721] extractable keys should be disabled by default

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

--- Comment #9 from elijah@riseup.net ---
> The Web Service should have access to whatever the Web Service created - the
> same way it has access to Indexed DB, the same way it has access to cookies,
> the same way it has access to DOM nodes it creates.

The origin web service did not create my private keys, it requested to have
them created. This is a very important distinction. Keys are different than
cookies or local storage, they are much more like location data. Otherwise,
there is no point at all for any of the key stuff in WebCrypto: if keys were
like cookies, then the keys should always just get generated on the server and
sent to the client.

Why isn't this the model of WebCrypto? Because keys are not like cookies,
because it would be ridiculous to write an API that just said "generate keys on
the server". Once you make the decision to allow client-side key generation,
these keys suddenly become something very different than everything else
dictated by the origin, they become something that the client should be able to
control.

Received on Friday, 16 May 2014 21:24:17 UTC