In the state machine descriptions for creating CryptoOperations (e.g. createVerifier, createEncrypter, createDecrypter, etc.) it should be explicitly specified that the KeyUsage for the Key should be confirmed to match the desired CryptoOperation, and if not, that an error should be thrown.
For example, createEncrypter should ensure that the KeyUsage for the associated key(s) is "encrypt", while createSigner should assert the "sign" KeyUsage.
Raised by John Lyle on http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Oct/0005.html
I propose we add the following to the procedures for each method, after the algorithm check:
"If the usages attribute of the Key object does not contain an entry with value X, throw a NotSupportedError and terminate the algorithm."
This was apparently agreed in Shenzhen.
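The proposed step, modelled as an added example that is not part of the original issue or of the specification text: the usage check runs after the algorithm check and terminates the procedure before any operation object exists. The `createOperation` and `tryCreate` helpers, the `NotSupportedError` class, the algorithm list, the error used for the algorithm check and the sample keys are assumptions made for illustration.

```javascript
// Added illustration. Only the draft method names and the usage values
// come from the API under discussion; everything else is hypothetical.
class NotSupportedError extends Error {
  constructor(message) {
    super(message);
    this.name = "NotSupportedError";
  }
}

// The value "X" that each factory method must find in key.usages.
const REQUIRED_USAGE = new Map([
  ["createEncrypter", "encrypt"],
  ["createDecrypter", "decrypt"],
  ["createSigner", "sign"],
  ["createVerifier", "verify"],
]);

// Constructed stand-in for the algorithm check that precedes the new step.
const SUPPORTED_ALGORITHMS = new Set(["AES-CBC", "RSASSA-PKCS1-v1_5"]);

function createOperation(method, algorithm, key) {
  if (!REQUIRED_USAGE.has(method)) {
    throw new TypeError(`unknown method: ${method}`);
  }
  // Existing step: algorithm check (error type here is an assumption).
  if (!SUPPORTED_ALGORITHMS.has(algorithm.name)) {
    throw new NotSupportedError(`unsupported algorithm: ${algorithm.name}`);
  }
  // Proposed step: exact, case-sensitive match against the key's usages.
  // A key with a missing or malformed usages attribute authorizes nothing.
  const required = REQUIRED_USAGE.get(method);
  const usages = Array.isArray(key.usages) ? key.usages : [];
  if (!usages.includes(required)) {
    throw new NotSupportedError(`key usages do not contain "${required}"`);
  }
  return Object.freeze({ method, algorithm: algorithm.name, key });
}

// Returns "ok" or the name of the error that terminated the procedure.
function tryCreate(method, algorithm, key) {
  try { createOperation(method, algorithm, key); return "ok"; }
  catch (e) { return e.name; }
}

// Constructed sample keys.
const signOnlyKey = { type: "private", usages: ["sign"] };
const encDecKey = { type: "secret", usages: ["encrypt", "decrypt"] };
```
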