crypto-ISSUE-41: Clean up algorithm normalization and support checks [design for Web Crypto API] from Web Cryptography Working Group Issue Tracker on 2013-04-01 (public-webcrypto@w3.org from April 2013)

From: Web Cryptography Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 01 Apr 2013 15:03:33 +0000
To: public-webcrypto@w3.org
Message-Id: <E1UMgGj-0000vJ-7F@crusher.w3.org>

crypto-ISSUE-41: Clean up algorithm normalization and support checks [design for Web Crypto API]

http://www.w3.org/2012/webcrypto/track/issues/41

Raised by: Richard Barnes
On product: design for Web Crypto API

SUMMARY:

We should move checks on algorithm support to the operations (out of the normalization) and clean up language about "registered" algorithms.

DETAILS:

The "encrypt" method and others need to verify two things about algorithm identifiers:
(1) That the algorithm is supported by the UA
(2) That the algorithm supports the requested operation

Currently, (1) is done twice, once by algorithm normalization rules and once by the operation itself, and (2) is done in in the operation.

In the algorithm normalization rules:
"""
If name does not contain a recognized algorithm name, throw an InvalidAlgorithmError exception and return from this algorithm.
"""

In encrypt():
"""
If normalizedAlgorithm does not describe a registered algorithm that supports the encrypt operation, throw a NotSupportedError and terminate the algorithm.
"""

Two problems here:

First, checking support is not properly a part of algorithm normalization. Whether an algorithm is supported by a UA is a separate question from whether its AlgorithmIdentifier is in a normal form.

Second, the check on registration status in the operation is unnecessary. The algorithm normalization rules already check that an algorithm is "recognized" by the UA, so the only thing that needs to be checked here is the algorithms support for the operation. UAs may also support unregistered algorithms, for experimentation or for early deployment while specification update is in process. Part of this support is knowing which operations are supported for those algorithms.

PROPOSAL:

Remove the following step from the algorithm normalization rules:
"""
If name does not contain a recognized algorithm name, throw an InvalidAlgorithmError exception and return from this algorithm.
"""

Make the following change to encrypt, and corresponding changes to decrypt/sign/verify/digest:
OLD:
"""
If normalizedAlgorithm does not describe a registered algorithm that supports the encrypt operation, throw a NotSupportedError and terminate the algorithm.
"""

NEW:
"""
If normalizedAlgorithm does not describe a recognized algorithm, throw an AlgorithmNotSupportedError exception and terminate the algorithm.

If normalizedAlgorithm does not describe an algorithm that supports encryption, throw an OperationNotSupportedError exception and terminate the algorithm.
"""

Received on Monday, 1 April 2013 15:03:38 UTC