RE: information about key storage

OK, I will check the archive and minutes better also. Thanks Ryan.

Mete

________________________________________
From: Ryan Sleevi <sleevi@google.com>
Sent: Thursday, September 26, 2013 22:51
To: Mete Balc�
Cc: public-webcrypto@w3.org
Subject: Re: information about key storage

On Thu, Sep 26, 2013 at 12:43 PM, Mete Balc� <Mete.Balci@pozitron.com> wrote:
> Hello all,
>
> Sorry for repeating this if you have discussed it before. I wonder if the
> nature of key storage may be an important information for the consumers of
> web crypto and key discovery APIs. As an example, my bank may want to
> provision a key:
>
> (1) and if that key is imported through importKey, there is no way to
> specify the preferred storage (assuming I may have multiple ways of storing
> keys on my PC, e.g. software protected keystores or smartcards)

Correct. The draft specifically calls this out. No guarantees are or
can be provided.

> (2) and if that key is pre-provisioned by other means, the app (e.g.
> internet banking) cannot know if it is stored on a smartcard (I mean a
> hardware based key storage) or not

Correct.

>
> Directly comparing this to native mobile environments:
>
> (1) a native app can be sure if the key is provisioned on iOS keychain which
> is protected by hardware encryption or on regular files encrypted by PIN
> (software protection)
> (2) again a native app can be sure about the source of the key
>
> I am not sure if my example provides enough evidence for its use cases, but
> it seems to me, even the API is agnostic to key storage, some information
> about the storage should be exposed to the consumers of these APIs or the
> consumers should be able to provide hints to underlying system which handles
> the storage of the keys.
>
> Thanks.
>
> Mete

Our charter specifically called this as out of scope for this effort.
There have been significant discussions about it in the past, both on
the list and the face-to-face, in terms of both how this information
is actionable and what security guarantees it can or cannot
realistically provide.

> ________________________________
>
> Bu e-posta mesaj� ve ekleri g�nderildi�i ki�i ya da kuruma �zeldir ve
> gizlidir. Ayr�ca hukuken de gizli olabilir. Hi�bir �ekilde ���nc� ki�ilere
> a�klanamaz ve yay�nlanamaz. Mesaj�n yetkili al�c�s� de�ilseniz hi�bir
> k�sm�n� kopyalayamaz, ba�kas�na g�nderemez veya hi�bir �ekilde
> kullanamazs�n�z. E�er mesaj�n yetkili al�c�s� veya yetkili al�c�s�na
> iletmekten sorumlu ki�i siz de�ilseniz, l�tfen mesaj� sisteminizden siliniz
> ve g�ndereni uyar�n�z. G�nderen ve POZITRON YAZILIM A.�., bu mesaj�n
> i�erdi�i bilgilerin do�rulu�u, b�t�nl��� ve g�ncelli�i konusunda bir garanti
> vermemektedir. Mesaj�n i�eri�inden, iletilmesinden, al�nmas�ndan,
> saklanmas�ndan, gizlili�inin korunamamas�ndan, vir�s i�ermesinden ve
> sisteminizde yaratabilece�i zararlardan �irketimiz sorumlu tutulamaz.
>
> This e-mail and its attachments are private and confidential to the
> exclusive use of the individual or entity to whom it is addressed. It may
> also be legally confidential. Any disclosure, distribution or other
> dissemination of this message to any third party is strictly prohibited. If
> you are not the intended recipient, you may not copy, forward, send or use
> any part of it. If you are not the intended recipient or the person who is
> responsible to transmit to the intended recipient, please contact the sender
> by reply e-mail and destroy all copies of the original message and its
> attachments. The sender and POZITRON YAZILIM A.S. do not warrant for the
> accuracy, currency, integrity or correctness of the information in the
> message and its attachments. POZITRON YAZILIM A.S. shall have no liability
> with regard to the information contained in the message, its transmission,
> reception, storage, preservation of confidentiality, viruses or any damages
> caused in anyway to your computer system.

You should consider removing use disclaimers from messages posted to a
public W3C list.
________________________________
________________________________


Bu e-posta mesaj� ve ekleri g�nderildi�i ki�i ya da kuruma �zeldir ve gizlidir. Ayr�ca hukuken de gizli olabilir. Hi�bir �ekilde ���nc� ki�ilere a�klanamaz ve yay�nlanamaz. Mesaj�n yetkili al�c�s� de�ilseniz hi�bir k�sm�n� kopyalayamaz, ba�kas�na g�nderemez veya hi�bir �ekilde kullanamazs�n�z. E�er mesaj�n yetkili al�c�s� veya yetkili al�c�s�na iletmekten sorumlu ki�i siz de�ilseniz, l�tfen mesaj� sisteminizden siliniz ve g�ndereni uyar�n�z. G�nderen ve POZITRON YAZILIM A.�., bu mesaj�n i�erdi�i bilgilerin do�rulu�u, b�t�nl��� ve g�ncelli�i konusunda bir garanti vermemektedir. Mesaj�n i�eri�inden, iletilmesinden, al�nmas�ndan, saklanmas�ndan, gizlili�inin korunamamas�ndan, vir�s i�ermesinden ve sisteminizde yaratabilece�i zararlardan �irketimiz sorumlu tutulamaz.

This e-mail and its attachments are private and confidential to the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to any third party is strictly prohibited. If you are not the intended recipient, you may not copy, forward, send or use any part of it. If you are not the intended recipient or the person who is responsible to transmit to the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and its attachments. The sender and POZITRON YAZILIM A.S. do not warrant for the accuracy, currency, integrity or correctness of the information in the message and its attachments. POZITRON YAZILIM A.S. shall have no liability with regard to the information contained in the message, its transmission, reception, storage, preservation of confidentiality, viruses or any damages caused in anyway to your computer system.

Received on Thursday, 26 September 2013 19:57:18 UTC