[Bug 25721] New: extractable keys should be disabled by default from bugzilla@jessica.w3.org on 2014-05-15 (public-webcrypto@w3.org from May 2014)

From: <bugzilla@jessica.w3.org>
Date: Thu, 15 May 2014 05:39:12 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25721-7213@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

            Bug ID: 25721
           Summary: extractable keys should be disabled by default
           Product: Web Cryptography
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: elijah@riseup.net
                CC: public-webcrypto@w3.org

Allowing for extractable keys could provide for increased convenience, but at
the cost of trusting the origin with your key material. 

Key material, like your location, should be considered sensitive and require a
positive confirmation from the user that they want to allow a particular origin
the ability to have access to their keys.

It is hard to imagine anything more sensitive than key material. If location is
sensitive enough to warrant a confirmation from the user, surely keys are too.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 15 May 2014 05:39:14 UTC