ISSUE 2: How to address pre-provisioned keys

ISSUE-2: How to address pre-provisioned keys and managing ACLs

https://www.w3.org/2012/webcrypto/track/issues/2




Since the key provisioning is out of scope, the web crypto API should be able to discover existing keys and learn how the key should be used. We can imagine that the key has various attributes, including

- Type of the key, length, value, etc.
- Key store location - where the key is stored, for example
  - Browser/local-storage, browser/secure-store, OS/secure-store, or smart card, etc.
- Crypto provider name - who does crypto using this key, a hint for the browser, for example
  - Browser, or smart card

For example, for a pre-provisioned key in a smart card, it will have the smart card as the key store, and the smart card as the crypto provider. Web browsers already have ways for a user to choose which smart card and which key.

One use case is a web application letting users sign documents using their smart cards. The signature key pair is pre-provisioned inside the smart card. The key pair, hence, has the attributes: keystore=smartcard; crypto=smartcard. The application uses the web crypto API while the browser knows to use the smart card for the signature operation instead of its own implementation.

In addition to listing available keys, it may be interesting to have an API to discover browser-supported key stores and crypto providers.

What do you think?

Regards,
Karen & Asad
Gemalto

Received on Monday, 23 July 2012 23:05:31 UTC