Re: How to handle invalid EC public keys

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26741


On Thu, Sep 4, 2014 at 2:09 PM, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com> wrote:

>  +1
>
> *From:* Ryan Sleevi [mailto:sleevi@google.com]
> *Sent:* Thursday, September 4, 2014 7:32 AM
> *To:* Richard Barnes
> *Cc:* public-webcrypto@w3.org
> *Subject:* Re: How to handle invalid EC public keys
>
> On Sep 4, 2014 7:11 AM, "Richard Barnes" <rlb@ipv.sx> wrote:
> >
> > In implementing ECDH and ECDSA, we've come across an issue that is
> unclear in the spec.  It's also unclear how to resolve it, so I thought I
> would bring it up on the list before filing a bug.
> >
> > In cases where an EC public key is being imported ("spki", "raw",
> "jwk"), it is possible for the importer to provide an elliptic curve point
> that is not on the curve.  It seems like there are two options for how
> WebCrypto should behave in such a case:
> >
> > 1. Reject at import, presumably with DataError.
> >
> > 2. Reject at sign() / deriveBits() time (since these operations cannot
> be completed with points not on the curve)
> >
> > In an ideal world, I would prefer (1), in the spirit of failing fast.
>  (Apparently, X9.62 also requires this, at least according to a comment in
> the OpenSSL source code.)  However, at least in Firefox/NSS, it is much
> simpler to implement (2).
> >
> > Either way, the spec should say something about what to do in this case.
>  Thoughts?
> >
> > Thanks,
> > --Richard
> >
>
> All in favor of 1. Fail early, fail often.
>
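
Added example, not part of the thread and not code from any WebCrypto implementation: a JavaScript check that implements option (1) above, rejecting a "raw" (0x04 || X || Y) P-256 public key at import time with a DataError when the point is not on the curve. The curve constants are the NIST P-256 (secp256r1) parameters; the DataError class and the importRawPublicKey/isOnCurve helper names are illustrative, and the two sample keys are constructed from the generator point (the valid one is G itself, the invalid one keeps X and adds 1 to Y).

```javascript
// Added example (not from the thread): "fail fast" validation of an EC public key
// in WebCrypto "raw" format (0x04 || X || Y) before it is accepted for ECDH/ECDSA.
// Curve parameters are NIST P-256 (secp256r1) as published in FIPS 186-4.

const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  a: 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffcn, // p - 3
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
  byteLen: 32,
};

// Illustrative stand-in for the DataError the thread proposes raising at import time.
class DataError extends Error {
  constructor(msg) { super(msg); this.name = 'DataError'; }
}

function bytesToBigInt(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

function mod(x, m) { const r = x % m; return r < 0n ? r + m : r; }

// True iff (x, y) satisfies y^2 = x^3 + a*x + b over GF(p) with 0 <= x, y < p.
function isOnCurve(curve, x, y) {
  const { p, a, b } = curve;
  if (x < 0n || x >= p || y < 0n || y >= p) return false;
  const lhs = mod(y * y, p);
  const rhs = mod(x * x * x + a * x + b, p);
  return lhs === rhs;
}

// Parses an uncompressed "raw" point and validates it; throws DataError on any defect,
// so a bad key never reaches sign() or deriveBits().
function importRawPublicKey(curve, raw) {
  const expected = 1 + 2 * curve.byteLen;
  if (raw.length !== expected) throw new DataError(`expected ${expected} bytes, got ${raw.length}`);
  if (raw[0] !== 0x04) throw new DataError('only uncompressed points (0x04) are accepted');
  const x = bytesToBigInt(raw.subarray(1, 1 + curve.byteLen));
  const y = bytesToBigInt(raw.subarray(1 + curve.byteLen));
  if (!isOnCurve(curve, x, y)) throw new DataError('point is not on the curve');
  return { x, y };
}

function bigIntToBytes(v, len) {
  const out = new Uint8Array(len);
  for (let i = len - 1; i >= 0; i--) { out[i] = Number(v & 0xffn); v >>= 8n; }
  return out;
}

function encodeRaw(curve, x, y) {
  const out = new Uint8Array(1 + 2 * curve.byteLen);
  out[0] = 0x04;
  out.set(bigIntToBytes(x, curve.byteLen), 1);
  out.set(bigIntToBytes(y, curve.byteLen), 1 + curve.byteLen);
  return out;
}

// Constructed inputs: the P-256 generator (on the curve) and the same X with Y+1
// (off the curve, since (Y+1)^2 - Y^2 = 2Y+1 is nonzero mod p here).
const GOOD_KEY = encodeRaw(P256, P256.gx, P256.gy);
const BAD_KEY = encodeRaw(P256, P256.gx, P256.gy + 1n);

// Returns 'ok' for an accepted key, otherwise the name of the error thrown.
function tryImport(raw) {
  try { importRawPublicKey(P256, raw); return 'ok'; }
  catch (e) { return e.name; }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('generator:', tryImport(GOOD_KEY)); // ok
  console.log('y+1      :', tryImport(BAD_KEY));  // DataError
}
```

Only the curve equation and coordinate range are checked here. For the NIST prime curves, whose cofactor is 1, that is the whole public-key validation except for ruling out the point at infinity, which the uncompressed 0x04 encoding cannot express anyway; curves with a larger cofactor additionally need a subgroup-membership check before the key is used for ECDH.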

Received on Friday, 5 September 2014 20:03:56 UTC