RE: How to handle invalid EC public keys

+1

From: Ryan Sleevi [mailto:sleevi@google.com]
Sent: Thursday, September 4, 2014 7:32 AM
To: Richard Barnes
Cc: public-webcrypto@w3.org
Subject: Re: How to handle invalid EC public keys


On Sep 4, 2014 7:11 AM, "Richard Barnes" <rlb@ipv.sx> wrote:
>
> In implementing ECDH and ECDSA, we've come across an issue that is unclear in the spec.  It's also unclear how to resolve it, so I thought I would bring it up on the list before filing a bug.
>
> In cases where an EC public key is being imported ("spki", "raw", "jwk"), it is possible for the importer to provide an elliptic curve point that is not on the curve.  It seems like there are two options for how WebCrypto should behave in such a case:
>
> 1. Reject at import, presumably with DataError.
>
> 2. Reject at sign() / deriveBits() time (since these operations cannot be completed with points not on the curve)
>
> In an ideal world, I would prefer (1), in the spirit of failing fast.  (Apparently, X9.62 also requires this, at least according to a comment in the OpenSSL source code.)  However, at least in Firefox/NSS, it is much simpler to implement (2).
>
> Either way, the spec should say something about what to do in this case.  Thoughts?
>
> Thanks,
> --Richard
>

All in favor of 1. Fail early, fail often.

Received on Thursday, 4 September 2014 18:10:31 UTC
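Option (1) above, validating the point at import time, as an added worked example. This is not code from the thread, from Firefox/NSS, or from any WebCrypto implementation; it assumes NIST P-256, a stand-in `DataError` class modelled on WebCrypto's, and the "raw" (uncompressed SEC 1) and "jwk" encodings the thread mentions. The check is the X9.62 / SEC 1 partial public-key validation: both coordinates must be field elements and must satisfy the curve equation. Because P-256 has cofactor 1, an on-curve affine point is automatically in the prime-order subgroup, so no extra subgroup check is performed here. The sample inputs (the generator, and the generator with one bit of y flipped) are constructed for the demo.

```python
"""Point-on-curve validation at import time for EC public keys ("raw" and
"jwk" encodings), on NIST P-256, with pure-integer arithmetic only."""
import base64
from dataclasses import dataclass


class DataError(ValueError):
    """Stand-in for WebCrypto's DataError: key data is malformed, reject at import."""


@dataclass(frozen=True)
class Curve:
    name: str   # JWK "crv" value
    p: int      # field prime
    a: int      # y^2 = x^3 + a*x + b (mod p)
    b: int
    gx: int     # generator x
    gy: int     # generator y
    n: int      # group order (prime, so cofactor h = 1)


# NIST P-256 / secp256r1 domain parameters (FIPS 186-4, D.1.2.3).
P256 = Curve(
    name="P-256",
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
)


def coord_size(curve: Curve) -> int:
    """Byte length of one coordinate (32 for P-256)."""
    return (curve.p.bit_length() + 7) // 8


def is_on_curve(curve: Curve, x: int, y: int) -> bool:
    """X9.62 / SEC 1 partial validation: coordinates are field elements and
    (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return False
    return (y * y - (x * x * x + curve.a * x + curve.b)) % curve.p == 0


def validate_point(curve: Curve, x: int, y: int) -> tuple:
    """Fail fast: an off-curve point is rejected here rather than at
    sign()/deriveBits(). For a cofactor-1 curve every affine point on the
    curve has order n, so no scalar multiplication by n is needed."""
    if not is_on_curve(curve, x, y):
        raise DataError(f"point is not on {curve.name}")
    return (x, y)


def import_raw(curve: Curve, data: bytes) -> tuple:
    """WebCrypto "raw" EC public key: uncompressed SEC 1 form 0x04 || X || Y."""
    size = coord_size(curve)
    if len(data) != 1 + 2 * size or data[0] != 0x04:
        raise DataError("expected uncompressed point 0x04 || X || Y")
    x = int.from_bytes(data[1:1 + size], "big")
    y = int.from_bytes(data[1 + size:], "big")
    return validate_point(curve, x, y)


def export_raw(curve: Curve, x: int, y: int) -> bytes:
    size = coord_size(curve)
    return b"\x04" + x.to_bytes(size, "big") + y.to_bytes(size, "big")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def import_jwk(curve: Curve, jwk: dict) -> tuple:
    """WebCrypto "jwk" EC public key (RFC 7518 6.2.1): kty "EC", crv, base64url x/y."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != curve.name:
        raise DataError("not an EC JWK for the requested curve")
    size = coord_size(curve)
    try:
        xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    except (KeyError, ValueError) as exc:
        raise DataError("malformed x/y") from exc
    if len(xb) != size or len(yb) != size:
        raise DataError("x and y must each be exactly the field size")
    return validate_point(curve, int.from_bytes(xb, "big"), int.from_bytes(yb, "big"))


def export_jwk(curve: Curve, x: int, y: int) -> dict:
    size = coord_size(curve)
    return {"kty": "EC", "crv": curve.name,
            "x": b64url_encode(x.to_bytes(size, "big")),
            "y": b64url_encode(y.to_bytes(size, "big"))}


def demo() -> dict:
    """Constructed inputs: the generator (valid) and the generator with the low
    bit of y flipped (off-curve). Returns the import outcome per input."""
    good = export_raw(P256, P256.gx, P256.gy)
    bad = bytearray(good)
    bad[-1] ^= 0x01
    results = {}
    for label, blob in (("generator", good), ("y-bit-flipped", bytes(bad))):
        try:
            import_raw(P256, blob)
            results[label] = "accepted"
        except DataError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The cost of the check is one field multiplication-heavy equation per import, negligible next to the scalar multiplication that ECDH or ECDSA will do anyway; the benefit is that an attacker-supplied point can never reach the group operation, which is where computing on a point from a different curve does damage. On curves with cofactor greater than 1 the on-curve test alone is not enough, and the full validation (multiplying by n and checking for the point at infinity) would be added to `validate_point`.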