This draft could address the key discovery mechanism, and leave the process to provision keys to implementations. Specifically, identifier or name based discovery could be a good candidate to accommodate different scales, and is also aligned with the current WebCrypto spec on the key discovery.
A small managed network may share a common and small set of keys pushed by an admin periodically via a secure channel. When stored as key-value pairs, where a name is mapped to a set of encryption keys, the set of encryption keys can be retrieved with the given name or id if such a mapping exists, and trial decryption can be used if the set contains more than one key. A fail-to-decrypt error can be declared when no encryption key set is present, the set is empty, or the decryption fails with the retrieved key set.
In a more advanced form, the encryption key store can be servicified, not necessarily co-located on the same device, and use appropriate authentication techniques. This approach can be extended to support flexible key rotation and also origin-specific keys if needed.