w3c / websec

Web security drafts

problem statement (by KM) #112

Closed vgalindo closed 8 years ago

vgalindo commented 8 years ago

Section 2: Problem Statement

Text: In this document, we assume that:

• pre-existing keys and X509 certificates are under the full control of the end-user
• any API issued key MUST only be managed and used by its own origin

Question: Isn’t second bullet contrary to the goals of this document?

vgalindo commented 8 years ago

This remark demonstrates that the statement about the multiple versus single domain key usage is not clearly stated. The report should state that: "There is a need for multiple domain key usage, but that this work will be treated later or when the CG will be a WG." (I need to find the appropriate location for such a statement)

sbahloul commented 8 years ago

@vgalindo proposes to add it after "Single Origin Policy: one main matter of interest of the hardware-based secure services community group members is how to protect key usage considering the special use case where the credentials are used outside their issuing origin. For example: Suppose that a domain foo.com issues a key. Because the key is not accessible by Javascript API from another domain, we have to design a secure system where the domain bar.com is allowed to use this key."