25857 2014-05-21 18:58:55 +0000 Extractability is not always specified when importing keys (in particular public keys) 2014-09-24 18:54:20 +0000 1 1 1 Unclassified Web Cryptography Web Cryptography API Document unspecified PC Linux RESOLVED FIXED P2 normal --- 1 ericroman watsonm public-webcrypto watsonm oldest_to_newest 106596 0 ericroman 2014-05-21 18:58:55 +0000 The value of "key.extractable" for importKey() is not consistently specified by the per-algorithm "Import Key". For instance AES-KW defines it, however RSA-SSA, RSA-OAEP, RSA-ES, do not. I suggest extracting the common properties out of the per-algorithm definitions, and into the generic importKey() language. In particular, it is worth clarifying how "key.extractable" behaves for public keys. In the case of generateKey(), the extractablity of public keys is always set to true. So one might interpret likewise for importKey() unless it is indicated. That said, I found evidence in the spec that the intent is for public keys to respect the extractability set in importKey() -- since Diffie-Hellman's definition spells it out. 111953 1 watsonm 2014-09-22 17:52:07 +0000 I suggest we move the setting of the key.extractable attribute to the importKey method procedures. 112101 2 watsonm 2014-09-24 18:54:20 +0000 https://dvcs.w3.org/hg/webcrypto-api/rev/81b4435a540d