Is this another one where the error may be detected in a library which does not return sufficiently granular error information, so this just becomes OperationError ?

Could someone more familiar with the cryptographic libraries browsers are using (or might use) comment on whether APIs are available to check whether a supplied point is valid ?

Or might this only be discovered when you try to perform an operation with the key ?

Speaking for Microsoft's CNG implementations - ECC keys are validated on import unless the caller explicitly requests that they not be. So assuming a UA used our crypto implementation, and performed a CNG import when WebCrypto import was called, they would know at that point if the key was invalid.

I looked up the standards just now - the NIST standards for ECDSA and ECDH require validation of keys on import. X9.62 describes a key validation procedure but marks it optional.

NSS historically did not validate public keys on import, but would instead defer until their cryptographic use (which, due to API layering, was the _actual_ time that import into the cryptographic module was performed). In this case, the error would surface during the operational usage.

BoringSSL and OpenSSL both validate on input.

However, Richard recently fixed NSS (IIRC) to validate the public key on import. Richard, can you confirm?

Note that I have no clue for Safari's case, as they have a few different ECC implementations last I checked.

Import is normalized to returning DataError. Since it was Richard who asked for this, presumably he knows NSS can do this check on import. I suggest we make the change as proposed.

Agreed at f2f that we should validate EC public keys on import.

NSS does support this, and Firefox throws if you try to import an invalid key.

https://dvcs.w3.org/hg/webcrypto-api/rev/e4b4b28e81af
https://dvcs.w3.org/hg/webcrypto-api/rev/59c5870bf638