This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The value of "key.extractable" for importKey() is not consistently specified by the per-algorithm "Import Key". For instance, AES-KW defines it; however, RSA-SSA, RSA-OAEP, and RSA-ES do not. I suggest extracting the common properties out of the per-algorithm definitions, and into the generic importKey() language. In particular, it is worth clarifying how "key.extractable" behaves for public keys. In the case of generateKey(), the extractability of public keys is always set to true. So one might interpret likewise for importKey() unless it is indicated. That said, I found evidence in the spec that the intent is for public keys to respect the extractability set in importKey() -- since Diffie-Hellman's definition spells it out.
I suggest we move the setting of the key.extractable attribute to the importKey method procedures.
https://dvcs.w3.org/hg/webcrypto-api/rev/81b4435a540d
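The behaviour discussed in this bug can be checked against a given implementation with the probe below. It is an added example, not code from the bug thread or the specification; the choice of RSASSA-PKCS1-v1_5 with SHA-256, the function name `probeExtractable`, and the Node.js fallback import are assumptions made for illustration.

```javascript
// Added example: report what key.extractable is for generated and imported
// public keys, so generateKey() and importKey() can be compared side by side.
async function probeExtractable() {
  // Browser global first; fall back to Node.js's webcrypto (assumed runtime).
  const subtle = globalThis.crypto?.subtle ??
    (await import('node:crypto')).webcrypto.subtle;

  const genAlg = {
    name: 'RSASSA-PKCS1-v1_5',
    modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), // 65537
    hash: 'SHA-256',
  };

  // generateKey() with extractable = false: the flag is requested for the pair.
  const pair = await subtle.generateKey(genAlg, false, ['sign', 'verify']);

  // Serialize the public half so it can be fed back through importKey().
  const spki = await subtle.exportKey('spki', pair.publicKey);

  // importKey() of the same public key, once with each extractable value.
  const importAlg = { name: genAlg.name, hash: genAlg.hash };
  const locked = await subtle.importKey('spki', spki, importAlg, false, ['verify']);
  const open = await subtle.importKey('spki', spki, importAlg, true, ['verify']);

  // A key reporting extractable = false should also refuse exportKey().
  let lockedExportRejected = false;
  try {
    await subtle.exportKey('spki', locked);
  } catch {
    lockedExportRejected = true;
  }

  return {
    generatedPublic: pair.publicKey.extractable,
    generatedPrivate: pair.privateKey.extractable,
    importedWithFalse: locked.extractable,
    importedWithTrue: open.extractable,
    lockedExportRejected,
  };
}
```

If `importedWithFalse` comes back `true`, the implementation is treating imported public keys the way generateKey() treats them rather than honouring the caller's flag.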