ISSUE-32: Section 5.2 in API draft should mention use of secure element in the context of key security

Key security

State: CLOSED
Product: Web Cryptography API
Raised by: Asad Ali
Opened on: 2012-08-28
Description:
Initial email from Asad:

This section talks about key security from a developer’s perspective, but does not mention that a key can be stored securely in a secure element such as a smart card. While developers have no guarantee that keys residing in local storage, or indexed DB are safe, secure element storage does offer this assurance. This scenario should be pointed out here.


Comments from Ryan:

Please do raise such an issue.

User agents are NOT required to implement support for secure elements or smart cards, nor (again, speaking as one implementation) if they do implement, are they likely to expose it to 'any' web origin. Thus, I don't know how well this can be promoted as a general purpose solution - it's very much tied to particular implementations.

Also, with the above text, "local storage, or indexed DB" is a misinterpretation of the text. It's talking about device storage.
"local storage, or indexed DB" are two different APIs for storing name/value pairs (where name is typically called 'key', but for purposes of disambiguation, shall be called name). Just wanted to make sure we're on the same page.

Equally, secure element access has its own security considerations, as mentioned in 5.2, so the overall recommendation stands regardless of device storage vs secure element.

It would be helpful if you could propose some text that you think might address these concerns.

Related Actions Items:
Related emails:
  1. W3C Web Crypto WG - agenda for our call on monday 15th of april @ 20:00 UTC (from Virginie.GALINDO@gemalto.com on 2013-04-12)
  2. [W3C Web Crypto API] PROPOSAL : closing ISSUE-32 (API should mention the use of secure elements in the context of key security) (from Virginie.GALINDO@gemalto.com on 2013-04-04)
  3. [minutes] Re: W3C Web Crypto WG - monday 4th of march (from wseltzer@w3.org on 2013-03-04)
  4. Re: W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from rbarnes@bbn.com on 2013-03-04)
  5. Re: W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from watsonm@netflix.com on 2013-03-04)
  6. Re: W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from hhalpin@w3.org on 2013-03-04)
  7. Re: W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from hhalpin@w3.org on 2013-03-04)
  8. RE: W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from Virginie.GALINDO@gemalto.com on 2013-03-04)
  9. Re: W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from hhalpin@w3.org on 2013-03-04)
  10. W3C Web Crypto WG - agenda for our call on monday 4th of march @ 20:00 UTC (today) (from Virginie.GALINDO@gemalto.com on 2013-03-04)
  11. Re: W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from watsonm@netflix.com on 2013-02-04)
  12. RE: W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from Asad.Ali@gemalto.com on 2013-02-04)
  13. Re: W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from S.Durbha@cablelabs.com on 2013-02-04)
  14. W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from Virginie.GALINDO@gemalto.com on 2013-02-04)
  15. PROPOSAL: Close ISSUE-32 - API should mention the use of secure elements in the context of key security (from sleevi@google.com on 2013-01-31)
  16. RE: crypto-ISSUE-32 (Key security): Section 5.2 in API draft should mention use of secure element in the context of key security [Web Cryptography API] (from Asad.Ali@gemalto.com on 2012-08-29)
  17. Re: crypto-ISSUE-32 (Key security): Section 5.2 in API draft should mention use of secure element in the context of key security [Web Cryptography API] (from sleevi@google.com on 2012-08-28)
  18. crypto-ISSUE-32 (Key security): Section 5.2 in API draft should mention use of secure element in the context of key security [Web Cryptography API] (from sysbot+tracker@w3.org on 2012-08-28)

Related notes:

No additional notes.
