- From: <bugzilla@jessica.w3.org>
- Date: Thu, 25 Sep 2014 22:01:20 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

--- Comment #34 from Tom Lowenthal <me@tomlowenthal.com> ---

To be clear, I don't think that no-extractable-keys solves the JS delivery quandary, or several other web security issues. However, this isn't the WG for solving JS delivery, only crypto primitives. I'm looking forward to lots of exciting pieces combining into one giant secure/trustworthy applications robot — including some other pieces which are much further from being finished.

To Mark's suggestion about this being future work, I remain unsure. I think that the sensible approach is to leave extractable keys as default-disabled until other mitigations can be added to make it safer to enable them.

I appreciate adding this as a use case, Harry. I think that the most fruitful approach is to try to completely implement this use case — as far as this WG's work is able — while carefully noting what use case requirements this places on other WGs, and hoping that they solve those problems sensibly.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 25 September 2014 22:01:21 UTC