This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Consider the case of importing an RSA-PSS public key using JWK. WebCrypto callers can request usages of either ['verify'] or [] (no usages).

If empty usages are specified then it is possible to import the following JWK:

    { "kty": "RSA", "key_ops": ["encrypt", "decrypt", "wrapKey", "unwrapKey"], ... }

The above key is for an encryption algorithm, but it is allowed to be imported for a signing algorithm because the requested usages, [], were a subset of the usages granted to the key. OK fine.

However, it is NOT possible to import the following:

    { "kty": "RSA", "use": "enc", ... }

Conceptually these represent the same kind of key; however, WebCrypto enforces "use" differently from "key_ops". "use" in this case is required to be an exact match of "sig".

The same situation applies to ECDH keys.

I believe the key_ops behavior is the correct one, and "use" should work the same way. I feel this way because JWK allows pairing unrelated usages in key_ops (although it discourages it) [1]. So it stands to reason that such a key should be importable into WebCrypto.

[1] Section 4.3 of the JWK spec says: "Multiple unrelated key operations SHOULD NOT be specified" ..... SHOULD NOT != MUST NOT
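The following is an added example, not part of the bug report and not browser or specification code. It models the two JWK checks the report contrasts for an RSA-PSS public-key import (the "key_ops" subset check versus the exact-match "use" check) as a small standalone validator, and adds a hypothetical `useMode` switch ("exact" reproduces the behaviour described above; "subset" applies the reporter's proposal of enforcing "use" only when usages are actually requested). The function names, the `useMode` option and the constructed JWK inputs are all assumptions made for the example; key material is omitted.

```javascript
// Added example: re-implements the usage-validation step of a WebCrypto
// importKey(format = "jwk") call for an RSA-PSS *public* key, so the two
// checks can be compared side by side. Not the browser's or the spec's code.

// Usages WebCrypto permits for an RSA-PSS public key.
const RSA_PSS_PUBLIC_USAGES = ["verify"];

// WebCrypto reports JWK content problems as a DataError.
class DataError extends Error {
  constructor(message) { super(message); this.name = "DataError"; }
}

// Check 1 ("key_ops"): every *requested* usage must appear in key_ops.
// Requesting no usages therefore accepts any key_ops list (subset check).
function checkKeyOps(jwk, requestedUsages) {
  if (jwk.key_ops === undefined) return true;
  if (!Array.isArray(jwk.key_ops)) throw new DataError("key_ops must be an array");
  for (const u of requestedUsages) {
    if (!jwk.key_ops.includes(u)) throw new DataError(`key_ops lacks usage "${u}"`);
  }
  return true;
}

// Check 2 ("use"): as described in the report, "use" must equal "sig"
// exactly whenever it is present, regardless of the requested usages.
// useMode "subset" (hypothetical) only enforces "use" when usages are
// non-empty, mirroring how key_ops is treated.
function checkUse(jwk, requestedUsages, useMode) {
  if (jwk.use === undefined) return true;
  if (useMode === "subset" && requestedUsages.length === 0) return true;
  if (jwk.use !== "sig") throw new DataError(`use must be "sig", got "${jwk.use}"`);
  return true;
}

// Runs the checks and reports the outcome instead of throwing, so the
// results can be compared directly.
function validateRsaPssPublicJwk(jwk, requestedUsages, useMode = "exact") {
  for (const u of requestedUsages) {
    if (!RSA_PSS_PUBLIC_USAGES.includes(u)) {
      return { ok: false, error: `SyntaxError: usage "${u}" not allowed for RSA-PSS public key` };
    }
  }
  try {
    checkUse(jwk, requestedUsages, useMode);
    checkKeyOps(jwk, requestedUsages);
    return { ok: true };
  } catch (e) {
    return { ok: false, error: `${e.name}: ${e.message}` };
  }
}

// Constructed inputs mirroring the two JWKs in the report (key material omitted).
const encKeyOpsJwk = { kty: "RSA", key_ops: ["encrypt", "decrypt", "wrapKey", "unwrapKey"] };
const encUseJwk = { kty: "RSA", use: "enc" };

console.log("key_ops encryption key, usages []:", validateRsaPssPublicJwk(encKeyOpsJwk, []));
console.log('use "enc" key, usages [] (exact): ', validateRsaPssPublicJwk(encUseJwk, []));
console.log('use "enc" key, usages [] (subset):', validateRsaPssPublicJwk(encUseJwk, [], "subset"));
```

With the default "exact" mode the first JWK imports and the second is rejected with a DataError, which is the inconsistency the report describes; with the hypothetical "subset" mode both behave the same way, and a key whose "use" is "enc" is still rejected as soon as ['verify'] is actually requested.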
Moved https://github.com/w3c/webcrypto/issues/64