[Bug 26741] Reject invalid EC public keys from bugzilla@jessica.w3.org on 2014-09-29 (public-webcrypto@w3.org from September 2014)

From: <bugzilla@jessica.w3.org>
Date: Mon, 29 Sep 2014 07:34:46 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-26741-7213-xCUTC66fC2@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26741

vijaybh@microsoft.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vijaybh@microsoft.com

--- Comment #3 from vijaybh@microsoft.com ---
Speaking for Microsoft's CNG implementations - ECC keys are validated on import
unless the caller explicitly requests that they not be. So assuming a UA used
our crypto implementation, and performed a CNG import when WebCrypto import was
called, they would know at that point if the key was invalid.

I looked up the standards just now - the NIST standards for ECDSA and ECDH
require validation of keys on import. X9.62 describes a key validation
procedure but marks it optional.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Monday, 29 September 2014 07:34:47 UTC