Re: Use Cases | ACTION-13 Revisited

On Sep 4, 2012, at 5:10 PM, Wan-Teh Chang wrote:

> On Tue, Sep 4, 2012 at 4:38 PM, Mark Watson <watsonm@netflix.com> wrote:
>> 
>> MW> The use of pre-provisioned symmetric keys to perform device authentication.
> 
> Can you further distill your use case to be "the use of shared
> symmetric keys to perform authentication"?
> 
> It seems that the identity attached to a shared symmetric key does not
> need to be an integral part of the Web Crypto API. The application can
> manage the identity-to-symmetric key mapping.

I explained in the earlier threads that without some kind of identity the pre-shared symmetric key is no more useful than a random client-generated key.

Also, the use of pre-shared keys raises some privacy questions which should be properly discussed. This discussion will be more fruitful if we are open about the existence of the identity, instead of trying to shuffle it off somewhere.

Whether the identity should be handled in a device-specific or application-specific manner, or a standard manner, is one of our open issues.

So I don't think we can or should try to get away without being explicit about the identity in the use case.

…Mark

> 
> Wan-Teh
> 

Received on Wednesday, 5 September 2012 00:16:57 UTC
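
The identity-to-key mapping discussed in this thread, as an added example that is not part of the original messages: a server verifies a challenge response by looking up a pre-provisioned HMAC key under the device identity the client presents. It uses Node's `crypto` module rather than the Web Crypto API under discussion, and the device ids, key values and function names are constructed for illustration.

```javascript
// Added illustration: ids, keys and function names are constructed, not from the thread.
const crypto = require('node:crypto');

// Server-side table of keys provisioned ahead of time, indexed by device identity.
const provisioned = new Map([
  ['device-0001', Buffer.from('constructed-key-for-device-0001')],
  ['device-0002', Buffer.from('constructed-key-for-device-0002')],
]);

function hmac(key, nonce) {
  return crypto.createHmac('sha256', key).update(nonce).digest();
}

// Client side: answer the server's nonce and state which identity is claimed.
// The identity is a stable identifier the server sees on every authentication.
function deviceRespond(deviceId, key, nonce) {
  return { deviceId, mac: hmac(key, nonce) };
}

// Server side: the claimed identity selects the key the MAC is checked against.
function serverVerify(nonce, response) {
  const key = provisioned.get(response.deviceId);
  if (!key) return { authenticated: false, reason: 'unknown-identity' };
  const expected = hmac(key, nonce);
  const ok = Buffer.isBuffer(response.mac) &&
    response.mac.length === expected.length &&
    crypto.timingSafeEqual(response.mac, expected);
  return ok
    ? { authenticated: true, deviceId: response.deviceId }
    : { authenticated: false, reason: 'bad-mac' };
}

function demo() {
  const nonce = crypto.randomBytes(16);
  const key1 = provisioned.get('device-0001');
  const genuine = deviceRespond('device-0001', key1, nonce);
  return {
    genuine: serverVerify(nonce, genuine),
    // A client-generated random key proves nothing about the claimed identity.
    randomKey: serverVerify(nonce, deviceRespond('device-0001', crypto.randomBytes(32), nonce)),
    // A valid key presented under another device's identity fails the same way.
    wrongIdentity: serverVerify(nonce, deviceRespond('device-0002', key1, nonce)),
    // A correct MAC with no identity attached gives the server no key to select.
    noIdentity: serverVerify(nonce, { mac: genuine.mac }),
  };
}
```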