Browser based Client Configuration
This configuration applies to browser-based clients on platforms that support HTML5, the Web Cryptography API, and the WebCrypto Key Discovery API. Examples include CE set-top boxes that include WebKit- or Chromium-based browsers.
Browser security policies prevent a web page delivered over HTTPS from making use of HTTP traffic. As a result, a decision must be made about how to deliver the initial web page containing the JavaScript MSL stack and the data used to authenticate remote entities. If the initial web page is delivered over an untrusted HTTP channel, the MSL stack and authentication data may be modified by a third party. In some cases the MSL stack and authentication data may also be modified by the client user.
In addition to preventing the exposure or unauthorized use of keys by JavaScript, the keys must also be protected by the trusted implementation against exposure or unauthorized use.
The pre-shared keys and model group keys entity authentication schemes will be supported. The keys will be made available to JavaScript via the WebCrypto Key Discovery API. The key ID values will be identical and uniquely identify the entity.
All user authentication schemes will be supported. The exact scheme used will depend upon the desired sign-up and sign-in user experience.
The JSON Web Encryption key ladder or JSON Web Key key ladder key exchange schemes will be used. The initial key exchange will use the pre-shared keys or model group keys wrapping key. Each subsequent key exchange will use the previously returned wrapping key.
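The ladder described above can be modelled with the Web Cryptography API as follows. This is an added example, not code from the MSL project, and it is a simplified model rather than the MSL wire format: it assumes AES-KW wrapping, uses a constructed pre-shared key in place of one obtained through the Key Discovery API, and the function names are hypothetical.

```javascript
// Added example: simplified key ladder model, not the MSL message format.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const KW = { name: 'AES-KW' };
const LADDER_USES = ['wrapKey', 'unwrapKey'];

// Constructed 128-bit pre-shared wrapping key. On a real device this key is
// provisioned by the platform and located through the Key Discovery API.
const PSK_BYTES = new Uint8Array(16).fill(0x42);

// Client side: every wrapping key is held as a non-extractable CryptoKey.
const importClientKey = (raw) => subtle.importKey('raw', raw, KW, false, LADDER_USES);

// Simulated server response: a fresh wrapping key, wrapped under the current one.
async function serverIssue(currentServerKey) {
  const next = await subtle.generateKey({ name: 'AES-KW', length: 128 }, true, LADDER_USES);
  const wrapped = await subtle.wrapKey('raw', next, currentServerKey, KW);
  return { wrapped, next };
}

// Client step: unwrap the returned wrapping key without exposing its bytes.
const clientAdvance = (wrapped, currentClientKey) =>
  subtle.unwrapKey('raw', wrapped, currentClientKey, KW, KW, false, LADDER_USES);

// Resolves to true when the promise rejects, false when it fulfils.
const rejects = (promise) => promise.then(() => false, () => true);

async function runLadder() {
  const psk = await importClientKey(PSK_BYTES);
  let serverKey = await subtle.importKey('raw', PSK_BYTES, KW, false, LADDER_USES);
  // Round 1: the new wrapping key arrives wrapped under the pre-shared key.
  const r1 = await serverIssue(serverKey);
  const k1 = await clientAdvance(r1.wrapped, psk);
  serverKey = r1.next;
  // Round 2: the new wrapping key arrives wrapped under the round 1 key.
  const r2 = await serverIssue(serverKey);
  const k2 = await clientAdvance(r2.wrapped, k1);
  return {
    k1Extractable: k1.extractable,
    k2Extractable: k2.extractable,
    exportBlocked: await rejects(subtle.exportKey('raw', k2)),
    pskRejectedInRound2: await rejects(clientAdvance(r2.wrapped, psk)),
  };
}
```

The returned object shows that each rung stays non-extractable to JavaScript and that a round 2 response no longer unwraps under the pre-shared key.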