Re: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]

On Mon, Aug 27, 2012 at 2:07 PM, Mark Watson <watsonm@netflix.com> wrote:
> As mentioned on the call, I think this is related to ISSUE-25. One way for an application to know where a pre-shared key is stored is for that key to have an associated unique identifier which is communicated to the application server out-of-band as well as by the client.
>
> …Mark

I would agree that for some use cases, there is some relation to
ISSUE-25. However, for the use cases described on the call, it seems
more likely also related to ISSUE-15.

For asymmetric keys, I believe it's more common that the key is
discovered via its association with a certificate, rather than any
particular innate ID. The certificate acts as a transport for
arbitrary attributes - whether they be subject/issuer name, a hash of
the SubjectPublicKeyInfo, some X.509v3 extension, etc.

Not every identifier is unique nor communicated out-of-band, but is
derived from the context and statements. This is true for
certificates, XML DSIG, TLS, and S/MIME.

Ryan

>
> On Aug 27, 2012, at 1:49 PM, GALINDO Virginie wrote:
>
>> Karen, Asad, and all,
>> As per your request of today's call, I have created an issue about the location of the key. Feel free to amend/comment its description and agree with the editors to make sure it is correctly expressed in the version of our draft API going to the FPWD.
>> Regards,
>> Virginie
>> Gemalto
>> Chair of the Web Crypto WG
>>
>> -----Original Message-----
>> From: Web Cryptography Working Group Issue Tracker [mailto:sysbot+tracker@w3.org]
>> Sent: Monday, 27 August 2012 22:46
>> To: public-webcrypto@w3.org
>> Subject: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]
>>
>> crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]
>>
>> http://www.w3.org/2012/webcrypto/track/issues/30
>>
>> Raised by: Karen Lu
>> On product: Web Cryptography API
>>
>> During our discussion on the 27th of August, the problem related to usage of keys stored in a secure element has been discussed. While a previous issue (#11) has been already closed about the definition of a specific attribute for indicating if the key was stored in a specific secure element (or crypto providers), the problem about making sure the application is aware of the key location is still pending. The means for solving this specific problem do not need to rely on a specific attribute.
>>
>>
>>
>
>

Received on Monday, 27 August 2012 21:14:47 UTC