Re: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]

On Tue, Aug 28, 2012 at 4:28 PM, Ali Asad <Asad.Ali@gemalto.com> wrote:
> To the Editors,
>
>
>
> I suggest that we introduce a new section in the Draft API document to indicate
> future planned work for key query/discovery and how it will handle
> pre-provisioned keys stored in secure elements. Here is the suggested text
> for this new section.
>
>
>
>>>>>
>
> 18. KeyDiscoverer Interface
>
>
>
> IDL:
>
> interface KeyDiscoverer : KeyOperation {
>       void discover();
>       KeyLocation location;
> };
>
> enum KeyLocation {
>      // TBD
> };
>
>
>
> Editorial note:
>
>
>
> The API for discovery and selection of pre-provisioned keys, for example
> those residing on secure elements such as smart cards, is not fully
> specified yet. However, once a key is selected from a secure element, the
> implementing agent will ensure that all subsequent crypto operations are
> delegated to the secure element that contains this key. Additionally, the
> application will be informed that the user had selected a key from a secure
> element.

Hi Asad,

Just a quick note - I think the discussion related to key querying
(that is, previously authorized or pre-provisioned) and key discovery
(discovery of keys not explicitly granted) is too complex and the
needs are not well understood enough to support adding this to the draft.

I've made a note to highlight ISSUE-30, but I have concerns about adding this
API for FPWD.

In order to better understand what you're proposing here:
1) Can you please provide a sample of what you imagine "KeyLocation" containing?
2) Can you please provide a use case for how an application would use
"KeyLocation"?
3) Can you please provide an example of how "KeyLocation" may be
implemented by all conforming user agents, in a manner that is
agnostic to the method of key storage they use?


>
>
>
> ISSUE-30: How does the application know where the key is stored ?
>
>>>>>
>
>
>
> Regards,
>
> --- Asad
>
> From: Ali Asad [mailto:Asad.Ali@gemalto.com]
> Sent: Tuesday, August 28, 2012 10:26 AM
> To: Seetharama Rao Durbha; GALINDO Virginie; Lu HongQian Karen
> Cc: public-webcrypto@w3.org
> Subject: RE: crypto-ISSUE-30 (where is the key ?): How does the application
> know where the key is stored ? [Web Cryptography API]
>
>
>
> I agree with Seetharama that once we start looking into key query API we can
> decide how best to incorporate the source information – either in the query
> itself, or after the fact, based on user selection. But it is good to keep
> this issue 30 as a reminder that we have to do this.
>
>
>
> Since there is little time before going to first public draft, we should at
> least add some text in the draft to indicate that this will be done later. I
> will write up a description around this today and send to the group.
>
>
>
> Regards,
>
> --- asad
>
>
>
> From: Seetharama Rao Durbha [mailto:S.Durbha@cablelabs.com]
> Sent: Monday, August 27, 2012 5:57 PM
> To: GALINDO Virginie; Lu HongQian Karen; Ali Asad
> Cc: public-webcrypto@w3.org
> Subject: Re: crypto-ISSUE-30 (where is the key ?): How does the application
> know where the key is stored ? [Web Cryptography API]
>
>
>
> I am not raising another issue for 'query keys belonging to a type of
> storage' at this point – as there is no key query mechanism at this point. I
> think I heard Ryan saying that at some point in future we will have to get
> key query supported in the spec. At that point, we can add type of storage
> as another query parameter.
>
> Please let me know if my understanding is not correct.
>
>
>
> Thanks,
>
> Seetharama
>
>
>
> On 8/27/12 2:49 PM, "GALINDO Virginie" <Virginie.GALINDO@gemalto.com> wrote:
>
>
>
> Karen, Asad, and all,
>
> As per your request of today's call, I have created an issue about the
> location of the key. Feel free to amend/comment its description and agree
> with the editors to make sure it is correctly expressed in the version of
> our draft API going to the FPWD.
>
> Regards,
>
> Virginie
>
> Gemalto
>
> Chair of the Web Crypto WG
>
>
>
> -----Original Message-----
>
> From: Web Cryptography Working Group Issue Tracker
> [mailto:sysbot+tracker@w3.org]
>
> Sent: Monday, 27 August 2012 22:46
>
> To: public-webcrypto@w3.org
>
> Subject: crypto-ISSUE-30 (where is the key ?): How does the application know
> where the key is stored ? [Web Cryptography API]
>
>
>
> crypto-ISSUE-30 (where is the key ?): How does the application know where
> the key is stored ? [Web Cryptography API]
>
>
>
> http://www.w3.org/2012/webcrypto/track/issues/30
>
>
>
> Raised by: Karen Lu
>
> On product: Web Cryptography API
>
>
>
> During our discussion on the 27th of August, the problem related to usage of
> keys stored in secure element has been discussed. While a previous issue
> (#11) has been already closed about the definition of a specific attribute
> for indicating if the key was stored in a specific secure element (or crypto
> providers), the problem about making sure the application is aware of the
> key location is still pending. The means for solving this specific problem
> do not need to rely on a specific attribute.

Received on Wednesday, 29 August 2012 01:11:08 UTC