ISSUE-17/ISSUE-25: Add Editor's Note about the WIP status regarding device and
authorRyan Sleevi <sleevi@google.com>
Mon, 03 Dec 2012 17:17:11 -0800
changeset 10 eee85dc99669
parent 9 4c6e6e5e4454
child 11 ff7eebf82a4f
ISSUE-17/ISSUE-25: Add Editor's Note about the WIP status regarding device and
implementation-specific forms of key storage and discovery as ongoing matters
of discussion.
spec/Overview-WebCryptoAPI.xml
spec/Overview.html
--- a/spec/Overview-WebCryptoAPI.xml	Mon Dec 03 17:17:03 2012 -0800
+++ b/spec/Overview-WebCryptoAPI.xml	Mon Dec 03 17:17:11 2012 -0800
@@ -286,27 +286,6 @@
           </p>
         </div>
 
-        <div id="out-of-band-keys" class="section">
-          <h3>Out-of-Band Key Provisioning</h3>
-          <p>
-            Web applications may wish to use keys that have been provisioned through means outside
-            the scope of this API. This may include keys that are provisioned through
-            platform-specific native APIs, stored in secure elements such as smart cards or trusted
-            platform modules (TPMs), or individually bound to devices at time of manufacturing.
-            Such keys may, for example, be used to assist in identifying a client to a specific
-            web service. User agents may choose to expose such keys to web applications after
-            implementing appropriate security and privacy mitigations, such as gaining user consent
-            or other out-of-band authorization.
-          </p>
-          <p>
-            In this scenario, a web application discovers a pre-provisioned key based on its
-            attributes and uses it to perform authorized cryptographic operations as part of a
-            protocol with a server. The server may utilize knowledge obtained out-of-band regarding
-            the key's provisioning to make access control and policy decisions, such as inferring
-            the identity of the user and/or device and customizing its responses based on that.
-          </p>
-        </div>
-
       </div>
       
       <div id='conformance' class='section'>
@@ -1816,6 +1795,49 @@
         </p>
       </div>
 
+      <div id="key-discovery" class="section">
+        <h2>Key Discovery</h2>
+        <p class="norm">This section is non-normative.</p>
+        <div class="ednote">
+          <p>
+            The Working Group is actively discussing means of discovering <code><a href="#dfn-Key">Key</a></code>
+            objects that are not not directly created by the application via
+            <code><a href="#Crypto-method-createKeyGenerator">createKeyGenerator</a></code>, or allowing
+            web applications to dicate how and where the cryptographic keying material associated with
+            <code>Key</code> objects is stored. Examples of such <code>Key</code> objects or interfaces that
+            may be exposed include:
+          </p>
+          <ul>
+            <li>
+              Named keys that have been pre-provisioned for a particular device or origin
+              (e.g.: device specific keys).
+            </li>
+            <li>
+              Keys that are stored in secure elements (e.g.: smart cards, TPMs), particularly
+              those that may be inserted or removed at any time.
+            </li>
+            <li>
+              Keys that are associated with X.509 certificates matching some criteria.
+            </li>
+            <li>
+              Keys derived from material associated with a particular origin (e.g.:
+              derived from exported TLS keying material [<a href="#RFC5705">RFC5705</a>] or
+              origin bound certificates [<a href="#draft-tls-obc">DRAFT-TLS-OBC</a>]).
+            </li>
+          </ul>
+          <p>
+            There is currently no consensus within the Web Cryptography Working Group about how
+            and where such interfaces should be specified, nor is there consensus with regards
+            various proposals to address specific use cases.
+          </p>
+          <p>
+            Such features bring a variety of concerns, most notably unique concerns regarding
+            privacy, security, and user interaction, that may be best addressed through separate
+            specifications that expand on sources for generating or storing <code>Key</code> objects.
+          </p>
+        </div>
+      </div>
+
       <div id="algorithms" class="section">
         <h2>Algorithms</h2>
         <div id="recommended-algorithms" class="section">
@@ -3274,6 +3296,16 @@
         <div id="informative-references" class="section">
           <h3>Informative References</h3>
           <dl>
+            <dt id="draft-TLS-OBC">draft-balfanz-tls-obc-01</dt>
+            <dd>
+              <cite><a href="http://tools.ietf.org/html/draft-balfanz-tls-obc-01">TLS Origin-Bound
+              Certificates</a></cite>, D. Balfanz, D. Smetters, M. Upadhyay, A. Barth. IETF.
+            </dd>
+            <dt id="RFC5705">RFC 5705</dt>
+            <dd>
+              <cite><a href="http://tools.ietf.org/html/rfc5705">Keying Material Exporters for
+              Transport Layer Security (TLS)</a></cite>, E. Rescorla. IETF.
+            </dd>
             <dt id="PKCS11">PKCS11</dt>
             <dd>
               <cite><a href="http://www.rsa.com/rsalabs/node.asp?id=2133">PKCS #11: Cryptographic
--- a/spec/Overview.html	Mon Dec 03 17:17:03 2012 -0800
+++ b/spec/Overview.html	Mon Dec 03 17:17:11 2012 -0800
@@ -44,7 +44,7 @@
 communications.
       </p>
   
-      <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 10 further editorial notes in the document.</p></div>
+      <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 11 further editorial notes in the document.</p></div>
     </div>
 
     <div class="section">
@@ -124,7 +124,7 @@
 
     <div id="toc">
       <h2>Table of Contents</h2>
-      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li><li><a href="#out-of-band-keys">2.8. Out-of-Band Key Provisioning</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#security">5. Security considerations</a><ul><li><a href="#security-implementers">5.1. Security considerations for implementers</a></li><li><a href="#security-developers">5.2. Security considerations for developers</a></li></ul></li><li><a href="#privacy">6. Privacy considerations</a></li><li><a href="#dependencies">7. Dependencies</a></li><li><a href="#terminology">8. Terminology</a></li><li><a href="#RandomSource-interface">9. RandomSource interface</a><ul><li><a href="#RandomSource-description">9.1. Description</a></li><li><a href="#RandomSource-interface-methods">9.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">9.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">10. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">10.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-interface">11. Key interface</a><ul><li><a href="#key-interface-description">11.1. Description</a></li><li><a href="#key-interface-members">11.2. Key interface members</a></li><li><a href="#key-interface-clone">11.3. Structured clone algorithm</a></li></ul></li><li><a href="#cryptooperation-interface">12. CryptoOperation interface</a><ul><li><a href="#CryptoOperation-states">12.1. CryptoOperation states</a></li><li><a href="#cryptooperation-task-source">12.2. The CryptoOperation Task Source</a></li><li><a href="#cryptooperation-events">12.3. Event Handler Attributes</a></li><li><a href="#CryptoOperation-attributes">12.4. Attributes</a></li><li><a href="#CryptoOperation-methods">12.5. Methods and Parameters</a><ul><li><a href="#CryptoOperation-method-init">12.5.1. The init method</a></li><li><a href="#CryptoOperation-method-processData">12.5.2. The processData(ArrayBufferView buffer) method</a></li><li><a href="#CryptoOperation-method-complete">12.5.3. The complete() method</a></li><li><a href="#CryptoOperation-method-abort">12.5.4. The abort() method</a></li></ul></li></ul></li><li><a href="#KeyOperation-interface">13. KeyOperation interface</a></li><li><a href="#KeyGenerator-interface">14. KeyGenerator interface</a></li><li><a href="#KeyDeriver-interface">15. KeyDeriver interface</a></li><li><a href="#KeyImporter-interface">16. KeyImporter interface</a></li><li><a href="#KeyExporter-interface">17. KeyExporter interface</a></li><li><a href="#crypto-interface">18. Crypto interface</a><ul><li><a href="#crypto-interface-methods">18.1. Methods and Parameters</a><ul><li><a href="#Crypto-method-createEncrypter">18.1.1. The createEncrypter method</a></li><li><a href="#Crypto-method-createDecrypter">18.1.2. The createDecrypter method</a></li><li><a href="#Crypto-method-createSigner">18.1.3. The createSigner method</a></li><li><a href="#Crypto-method-createVerifier">18.1.4. The createVerifier method</a></li><li><a href="#Crypto-method-createDigester">18.1.5. The createDigester method</a></li><li><a href="#Crypto-method-createKeyGenerator">18.1.6. The createKeyGenerator method</a></li><li><a href="#Crypto-method-createKeyDeriver">18.1.7. The createKeyDeriver method</a></li><li><a href="#Crypto-method-createKeyImporter">18.1.8. The createKeyImporter method</a></li><li><a href="#Crypto-method-createKeyExporter">18.1.9. The createKeyExporter method</a></li></ul></li></ul></li><li><a href="#WorkerCrypto-interface">19. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">19.1. Description</a></li></ul></li><li><a href="#big-integer">20. BigInteger</a></li><li><a href="#keypair">21. KeyPair</a></li><li><a href="#named-curve">22. NamedCurve</a></li><li><a href="#ec-point">23. ECPoint</a></li><li><a href="#algorithms">24. Algorithms</a><ul><li><a href="#recommended-algorithms">24.1. Recommended algorithms</a></li><li><a href="#defining-an-algorithm">24.2. Defining an algorithm</a><ul><li><a href="#recognized-algorithm-name">24.2.1. Recognized algorithm name</a></li><li><a href="#supported-operations">24.2.2. Supported operations</a></li><li><a href="#algorithm-specific-params">24.2.3. Algorithm-specific parameters</a></li><li><a href="#algorithm-result">24.2.4. Algorithm results</a></li><li><a href="#algorithm-alias">24.2.5. Algorithm aliases</a></li></ul></li><li><a href="#rsaes-pkcs1">24.3. RSAES-PKCS1-v1_5</a><ul><li><a href="#rsaes-pkcs1-description">24.3.1. Description</a></li><li><a href="#rsaes-pkcs1-registration">24.3.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">24.3.3. RsaKeyGenParams dictionary</a></li><li><a href="#rsaes-pkcs1-operations">24.3.4. Operations</a></li></ul></li><li><a href="#rsassa-pkcs1">24.4. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">24.4.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">24.4.2. Registration</a></li><li><a href="#RsaSsaParams-dictionary">24.4.3. RsaSsaParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">24.4.4. Operations</a></li></ul></li><li><a href="#rsa-pss">24.5. RSA-PSS</a><ul><li><a href="#rsa-pss-description">24.5.1. Description</a></li><li><a href="#rsa-pss-registration">24.5.2. Registration</a></li><li><a href="#rsa-pss-params">24.5.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">24.5.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">24.6. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">24.6.1. Description</a></li><li><a href="#rsa-oaep-registration">24.6.2. Registration</a></li><li><a href="#rsa-oaep-params">24.6.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">24.6.4. Operations</a></li></ul></li><li><a href="#ecdsa">24.7. ECDSA</a><ul><li><a href="#ecdsa-description">24.7.1. Description</a></li><li><a href="#ecdsa-registration">24.7.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">24.7.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">24.7.4. EcKeyGenParams dictionary</a></li><li><a href="#ecdsa-operations">24.7.5. Operations</a></li></ul></li><li><a href="#ecdh">24.8. ECDH</a><ul><li><a href="#ecdh-description">24.8.1. Description</a></li><li><a href="#ecdh-registration">24.8.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">24.8.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">24.8.4. Operations</a></li></ul></li><li><a href="#aes-ctr">24.9. AES-CTR</a><ul><li><a href="#aes-ctr-description">24.9.1. Description</a></li><li><a href="#aes-ctr-registration">24.9.2. Registration</a></li><li><a href="#aes-ctr-params">24.9.3. AesCtrParams dictionary</a></li><li><a href="#aes-keygen-params">24.9.4. AesKeyGenParams dictionary</a></li><li><a href="#aes-ctr-operations">24.9.5. Operations</a></li></ul></li><li><a href="#aes-cbc">24.10. AES-CBC</a><ul><li><a href="#aes-cbc-description">24.10.1. Description</a></li><li><a href="#aes-cbc-registration">24.10.2. Registration</a></li><li><a href="#aes-cbc-params">24.10.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">24.10.4. Operations</a></li></ul></li><li><a href="#aes-gcm">24.11. AES-GCM</a><ul><li><a href="#aes-gcm-description">24.11.1. Description</a></li><li><a href="#aes-gcm-registration">24.11.2. Registration</a></li><li><a href="#aes-gcm-params">24.11.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">24.11.4. Operations</a></li></ul></li><li><a href="#hmac">24.12. HMAC</a><ul><li><a href="#hmac-description">24.12.1. Description</a></li><li><a href="#hmac-registration">24.12.2. Registration</a></li><li><a href="#hmac-params">24.12.3. HmacParams dictionary</a></li><li><a href="#hmac-operations">24.12.4. Operations</a></li></ul></li><li><a href="#dh">24.13. Diffie-Hellman</a><ul><li><a href="#dh-description">24.13.1. Description</a></li><li><a href="#dh-registration">24.13.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">24.13.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">24.13.4. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-operations">24.13.5. Operations</a></li></ul></li><li><a href="#sha">24.14. SHA</a><ul><li><a href="#sha-description">24.14.1. Description</a></li><li><a href="#sha-registration">24.14.2. Registration</a></li><li><a href="#sha-operations">24.14.3. Operations</a></li></ul></li><li><a href="#pbkdf2">24.15. PBKDF2</a><ul><li><a href="#pbkdf2-description">24.15.1. Description</a></li><li><a href="#pbkdf2-registration">24.15.2. Registration</a></li><li><a href="#pbkdf2-params">24.15.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">24.15.4. Operations</a></li></ul></li></ul></li><li><a href="#algorithm-normalizing-rules">25. Algorithm normalizing rules</a></li><li><a href="#examples-section">26. JavaScript Example Code</a><ul><li><a href="#examples-signing">26.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">26.2. Symmetric Encryption</a></li></ul></li><li><a href="#acknowledgements-section">27. Acknowledgements</a></li><li><a href="#references">28. References</a><ul><li><a href="#normative-references">28.1. Normative References</a></li><li><a href="#informative-references">28.2. Informative References</a></li></ul></li></ul></div>
+      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#security">5. Security considerations</a><ul><li><a href="#security-implementers">5.1. Security considerations for implementers</a></li><li><a href="#security-developers">5.2. Security considerations for developers</a></li></ul></li><li><a href="#privacy">6. Privacy considerations</a></li><li><a href="#dependencies">7. Dependencies</a></li><li><a href="#terminology">8. Terminology</a></li><li><a href="#RandomSource-interface">9. RandomSource interface</a><ul><li><a href="#RandomSource-description">9.1. Description</a></li><li><a href="#RandomSource-interface-methods">9.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">9.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">10. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">10.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-interface">11. Key interface</a><ul><li><a href="#key-interface-description">11.1. Description</a></li><li><a href="#key-interface-members">11.2. Key interface members</a></li><li><a href="#key-interface-clone">11.3. Structured clone algorithm</a></li></ul></li><li><a href="#cryptooperation-interface">12. CryptoOperation interface</a><ul><li><a href="#CryptoOperation-states">12.1. CryptoOperation states</a></li><li><a href="#cryptooperation-task-source">12.2. The CryptoOperation Task Source</a></li><li><a href="#cryptooperation-events">12.3. Event Handler Attributes</a></li><li><a href="#CryptoOperation-attributes">12.4. Attributes</a></li><li><a href="#CryptoOperation-methods">12.5. Methods and Parameters</a><ul><li><a href="#CryptoOperation-method-init">12.5.1. The init method</a></li><li><a href="#CryptoOperation-method-processData">12.5.2. The processData(ArrayBufferView buffer) method</a></li><li><a href="#CryptoOperation-method-complete">12.5.3. The complete() method</a></li><li><a href="#CryptoOperation-method-abort">12.5.4. The abort() method</a></li></ul></li></ul></li><li><a href="#KeyOperation-interface">13. KeyOperation interface</a></li><li><a href="#KeyGenerator-interface">14. KeyGenerator interface</a></li><li><a href="#KeyDeriver-interface">15. KeyDeriver interface</a></li><li><a href="#KeyImporter-interface">16. KeyImporter interface</a></li><li><a href="#KeyExporter-interface">17. KeyExporter interface</a></li><li><a href="#crypto-interface">18. Crypto interface</a><ul><li><a href="#crypto-interface-methods">18.1. Methods and Parameters</a><ul><li><a href="#Crypto-method-createEncrypter">18.1.1. The createEncrypter method</a></li><li><a href="#Crypto-method-createDecrypter">18.1.2. The createDecrypter method</a></li><li><a href="#Crypto-method-createSigner">18.1.3. The createSigner method</a></li><li><a href="#Crypto-method-createVerifier">18.1.4. The createVerifier method</a></li><li><a href="#Crypto-method-createDigester">18.1.5. The createDigester method</a></li><li><a href="#Crypto-method-createKeyGenerator">18.1.6. The createKeyGenerator method</a></li><li><a href="#Crypto-method-createKeyDeriver">18.1.7. The createKeyDeriver method</a></li><li><a href="#Crypto-method-createKeyImporter">18.1.8. The createKeyImporter method</a></li><li><a href="#Crypto-method-createKeyExporter">18.1.9. The createKeyExporter method</a></li></ul></li></ul></li><li><a href="#WorkerCrypto-interface">19. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">19.1. Description</a></li></ul></li><li><a href="#big-integer">20. BigInteger</a></li><li><a href="#keypair">21. KeyPair</a></li><li><a href="#named-curve">22. NamedCurve</a></li><li><a href="#ec-point">23. ECPoint</a></li><li><a href="#key-discovery">24. Key Discovery</a></li><li><a href="#algorithms">25. Algorithms</a><ul><li><a href="#recommended-algorithms">25.1. Recommended algorithms</a></li><li><a href="#defining-an-algorithm">25.2. Defining an algorithm</a><ul><li><a href="#recognized-algorithm-name">25.2.1. Recognized algorithm name</a></li><li><a href="#supported-operations">25.2.2. Supported operations</a></li><li><a href="#algorithm-specific-params">25.2.3. Algorithm-specific parameters</a></li><li><a href="#algorithm-result">25.2.4. Algorithm results</a></li><li><a href="#algorithm-alias">25.2.5. Algorithm aliases</a></li></ul></li><li><a href="#rsaes-pkcs1">25.3. RSAES-PKCS1-v1_5</a><ul><li><a href="#rsaes-pkcs1-description">25.3.1. Description</a></li><li><a href="#rsaes-pkcs1-registration">25.3.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">25.3.3. RsaKeyGenParams dictionary</a></li><li><a href="#rsaes-pkcs1-operations">25.3.4. Operations</a></li></ul></li><li><a href="#rsassa-pkcs1">25.4. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">25.4.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">25.4.2. Registration</a></li><li><a href="#RsaSsaParams-dictionary">25.4.3. RsaSsaParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">25.4.4. Operations</a></li></ul></li><li><a href="#rsa-pss">25.5. RSA-PSS</a><ul><li><a href="#rsa-pss-description">25.5.1. Description</a></li><li><a href="#rsa-pss-registration">25.5.2. Registration</a></li><li><a href="#rsa-pss-params">25.5.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">25.5.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">25.6. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">25.6.1. Description</a></li><li><a href="#rsa-oaep-registration">25.6.2. Registration</a></li><li><a href="#rsa-oaep-params">25.6.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">25.6.4. Operations</a></li></ul></li><li><a href="#ecdsa">25.7. ECDSA</a><ul><li><a href="#ecdsa-description">25.7.1. Description</a></li><li><a href="#ecdsa-registration">25.7.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">25.7.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">25.7.4. EcKeyGenParams dictionary</a></li><li><a href="#ecdsa-operations">25.7.5. Operations</a></li></ul></li><li><a href="#ecdh">25.8. ECDH</a><ul><li><a href="#ecdh-description">25.8.1. Description</a></li><li><a href="#ecdh-registration">25.8.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">25.8.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">25.8.4. Operations</a></li></ul></li><li><a href="#aes-ctr">25.9. AES-CTR</a><ul><li><a href="#aes-ctr-description">25.9.1. Description</a></li><li><a href="#aes-ctr-registration">25.9.2. Registration</a></li><li><a href="#aes-ctr-params">25.9.3. AesCtrParams dictionary</a></li><li><a href="#aes-keygen-params">25.9.4. AesKeyGenParams dictionary</a></li><li><a href="#aes-ctr-operations">25.9.5. Operations</a></li></ul></li><li><a href="#aes-cbc">25.10. AES-CBC</a><ul><li><a href="#aes-cbc-description">25.10.1. Description</a></li><li><a href="#aes-cbc-registration">25.10.2. Registration</a></li><li><a href="#aes-cbc-params">25.10.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">25.10.4. Operations</a></li></ul></li><li><a href="#aes-gcm">25.11. AES-GCM</a><ul><li><a href="#aes-gcm-description">25.11.1. Description</a></li><li><a href="#aes-gcm-registration">25.11.2. Registration</a></li><li><a href="#aes-gcm-params">25.11.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">25.11.4. Operations</a></li></ul></li><li><a href="#hmac">25.12. HMAC</a><ul><li><a href="#hmac-description">25.12.1. Description</a></li><li><a href="#hmac-registration">25.12.2. Registration</a></li><li><a href="#hmac-params">25.12.3. HmacParams dictionary</a></li><li><a href="#hmac-operations">25.12.4. Operations</a></li></ul></li><li><a href="#dh">25.13. Diffie-Hellman</a><ul><li><a href="#dh-description">25.13.1. Description</a></li><li><a href="#dh-registration">25.13.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">25.13.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">25.13.4. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-operations">25.13.5. Operations</a></li></ul></li><li><a href="#sha">25.14. SHA</a><ul><li><a href="#sha-description">25.14.1. Description</a></li><li><a href="#sha-registration">25.14.2. Registration</a></li><li><a href="#sha-operations">25.14.3. Operations</a></li></ul></li><li><a href="#pbkdf2">25.15. PBKDF2</a><ul><li><a href="#pbkdf2-description">25.15.1. Description</a></li><li><a href="#pbkdf2-registration">25.15.2. Registration</a></li><li><a href="#pbkdf2-params">25.15.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">25.15.4. Operations</a></li></ul></li></ul></li><li><a href="#algorithm-normalizing-rules">26. Algorithm normalizing rules</a></li><li><a href="#examples-section">27. JavaScript Example Code</a><ul><li><a href="#examples-signing">27.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">27.2. Symmetric Encryption</a></li></ul></li><li><a href="#acknowledgements-section">28. Acknowledgements</a></li><li><a href="#references">29. References</a><ul><li><a href="#normative-references">29.1. Normative References</a></li><li><a href="#informative-references">29.2. Informative References</a></li></ul></li></ul></div>
     </div>
 
     <div id="sections">
@@ -282,27 +282,6 @@
           </p>
         </div>
 
-        <div id="out-of-band-keys" class="section">
-          <h3>2.8. Out-of-Band Key Provisioning</h3>
-          <p>
-            Web applications may wish to use keys that have been provisioned through means outside
-            the scope of this API. This may include keys that are provisioned through
-            platform-specific native APIs, stored in secure elements such as smart cards or trusted
-            platform modules (TPMs), or individually bound to devices at time of manufacturing.
-            Such keys may, for example, be used to assist in identifying a client to a specific
-            web service. User agents may choose to expose such keys to web applications after
-            implementing appropriate security and privacy mitigations, such as gaining user consent
-            or other out-of-band authorization.
-          </p>
-          <p>
-            In this scenario, a web application discovers a pre-provisioned key based on its
-            attributes and uses it to perform authorized cryptographic operations as part of a
-            protocol with a server. The server may utilize knowledge obtained out-of-band regarding
-            the key's provisioning to make access control and policy decisions, such as inferring
-            the identity of the user and/or device and customizing its responses based on that.
-          </p>
-        </div>
-
       </div>
       
       <div id="conformance" class="section">
@@ -1812,10 +1791,53 @@
         </p>
       </div>
 
+      <div id="key-discovery" class="section">
+        <h2>24. Key Discovery</h2>
+        <p class="norm">This section is non-normative.</p>
+        <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+          <p>
+            The Working Group is actively discussing means of discovering <code><a href="#dfn-Key">Key</a></code>
+            objects that are not not directly created by the application via
+            <code><a href="#Crypto-method-createKeyGenerator">createKeyGenerator</a></code>, or allowing
+            web applications to dicate how and where the cryptographic keying material associated with
+            <code>Key</code> objects is stored. Examples of such <code>Key</code> objects or interfaces that
+            may be exposed include:
+          </p>
+          <ul>
+            <li>
+              Named keys that have been pre-provisioned for a particular device or origin
+              (e.g.: device specific keys).
+            </li>
+            <li>
+              Keys that are stored in secure elements (e.g.: smart cards, TPMs), particularly
+              those that may be inserted or removed at any time.
+            </li>
+            <li>
+              Keys that are associated with X.509 certificates matching some criteria.
+            </li>
+            <li>
+              Keys derived from material associated with a particular origin (e.g.:
+              derived from exported TLS keying material [<a href="#RFC5705">RFC5705</a>] or
+              origin bound certificates [<a href="#draft-tls-obc">DRAFT-TLS-OBC</a>]).
+            </li>
+          </ul>
+          <p>
+            There is currently no consensus within the Web Cryptography Working Group about how
+            and where such interfaces should be specified, nor is there consensus with regards
+            various proposals to address specific use cases.
+          </p>
+          <p>
+            Such features bring a variety of concerns, most notably unique concerns regarding
+            privacy, security, and user interaction, that may be best addressed through separate
+            specifications that expand on sources for generating or storing <code>Key</code> objects.
+          </p>
+        </div>
+      </div>
+
       <div id="algorithms" class="section">
-        <h2>24. Algorithms</h2>
+        <h2>25. Algorithms</h2>
         <div id="recommended-algorithms" class="section">
-          <h3>24.1. Recommended algorithms</h3>
+          <h3>25.1. Recommended algorithms</h3>
           <p class="norm">This section is non-normative</p>
           <p>
             As the API is meant to be extensible in order to keep up with future developments within
@@ -1838,7 +1860,7 @@
           </p>
         </div>
         <div id="defining-an-algorithm" class="section">
-          <h3>24.2. Defining an algorithm</h3>
+          <h3>25.2. Defining an algorithm</h3>
           <p>
             Each algorithm that is to be exposed via the Web Cryptography API
             <span class="RFC2119">SHOULD</span> be registered via the Web Cryptography working group,
@@ -1847,7 +1869,7 @@
             <span class="RFC2119">MUST</span> be processed as if the sections had been defined.
           </p>
           <div id="recognized-algorithm-name" class="section">
-            <h4>24.2.1. Recognized algorithm name</h4>
+            <h4>25.2.1. Recognized algorithm name</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> have a canonical name
               for which applications can refer to the algorithm. The canonical name
@@ -1858,14 +1880,14 @@
             </p>
           </div>
           <div id="supported-operations" class="section">
-            <h4>24.2.2. Supported operations</h4>
+            <h4>25.2.2. Supported operations</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> define the operations
               that it supports.
             </p>
           </div>
           <div id="algorithm-specific-params" class="section">
-            <h4>24.2.3. Algorithm-specific parameters</h4>
+            <h4>25.2.3. Algorithm-specific parameters</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> define the expected
               contents of the <a href="#dfn-Algorithm-params"><code>params</code></a> member of
@@ -1880,7 +1902,7 @@
             </p>
           </div>
           <div id="algorithm-result" class="section">
-            <h4>24.2.4. Algorithm results</h4>
+            <h4>25.2.4. Algorithm results</h4>
             <p>
               Each registered algorithm <span class="RFC2119">MUST</span> define the contents
               of the <a href="#dfn-CryptoOperation-result"><code>result</code></a> attribute of the
@@ -1890,7 +1912,7 @@
             </p>
           </div>
           <div id="algorithm-alias" class="section">
-            <h4>24.2.5. <dfn id="dfn-algorithm-alias">Algorithm aliases</dfn></h4>
+            <h4>25.2.5. <dfn id="dfn-algorithm-alias">Algorithm aliases</dfn></h4>
             <p>
               Each registered algorithm <span class="RFC2119">MAY</span> define one or more aliases
               that may define a fully normalized <a href="#dfn-Algorithm">Algorithm</a> object.
@@ -1913,9 +1935,9 @@
         </div>
 
         <div id="rsaes-pkcs1" class="section">
-          <h3>24.3. RSAES-PKCS1-v1_5</h3>
+          <h3>25.3. RSAES-PKCS1-v1_5</h3>
           <div id="rsaes-pkcs1-description" class="section">
-            <h4>24.3.1. Description</h4>
+            <h4>25.3.1. Description</h4>
             <p>
               The <code>"RSAES-PKCS1-v1_5"</code> algorithm identifier is used to perform encryption
               and decryption ordering to the RSAES-PKCS1-v1_5 algorithm specified in
@@ -1923,7 +1945,7 @@
             </p>
           </div>
           <div id="rsaes-pkcs1-registration" class="section">
-            <h4>24.3.2. Registration</h4>
+            <h4>25.3.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSAES-PKCS1-v1_5"</code>.
@@ -1956,7 +1978,7 @@
             </table>
           </div>
           <div id="RsaKeyGenParams-dictionary" class="section">
-            <h4>24.3.3. RsaKeyGenParams dictionary</h4>
+            <h4>25.3.3. RsaKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaKeyGenParams">RsaKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The length, in bits, of the RSA modulus</span>
@@ -1967,7 +1989,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsaes-pkcs1-operations" class="section">
-            <h4>24.3.4. Operations</h4>
+            <h4>25.3.4. Operations</h4>
             <dl>
               <dt>Encrypt</dt>
               <dd>
@@ -2097,9 +2119,9 @@
         </div>
 
         <div id="rsassa-pkcs1" class="section">
-          <h3>24.4. RSASSA-PKCS1-v1_5</h3>
+          <h3>25.4. RSASSA-PKCS1-v1_5</h3>
           <div id="rsassa-pkcs1-description" class="section">
-            <h4>24.4.1. Description</h4>
+            <h4>25.4.1. Description</h4>
             <p>
               The <code>"RSASSA-PKCS1-v1_5"</code> algorithm identifier is used to perform
               signing and verification using the RSASSA-PKCS1-v1_5 algorithm specified in
@@ -2107,7 +2129,7 @@
             </p>
           </div>
           <div id="rsassa-pkcs1-registration" class="section">
-            <h4>24.4.2. Registration</h4>
+            <h4>25.4.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSASSA-PKCS1-v1_5"</code>.
@@ -2140,7 +2162,7 @@
             </table>
           </div>
           <div id="RsaSsaParams-dictionary" class="section">
-            <h4>24.4.3. RsaSsaParams dictionary</h4>
+            <h4>25.4.3. RsaSsaParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaSsaParams">RsaSsaParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash algorithm to use</span> 
@@ -2149,7 +2171,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsassa-pkcs1-operations" class="section">
-            <h4>24.4.4. Operations</h4>
+            <h4>25.4.4. Operations</h4>
             <ul>
               <li>Sign</li>
               <li>Verify</li>
@@ -2159,9 +2181,9 @@
         </div>
 
         <div id="rsa-pss" class="section">
-          <h3>24.5. RSA-PSS</h3>
+          <h3>25.5. RSA-PSS</h3>
           <div id="rsa-pss-description" class="section">
-            <h4>24.5.1. Description</h4>
+            <h4>25.5.1. Description</h4>
             <p>
               The <code>"RSA-PSS"</code> algorithm identifier is used to perform signing
               and verification using the RSASSA-PSS algorithm specified in
@@ -2169,7 +2191,7 @@
             </p>
           </div>
           <div id="rsa-pss-registration" class="section">
-            <h4>24.5.2. Registration</h4>
+            <h4>25.5.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSA-PSS"</code>.
@@ -2202,7 +2224,7 @@
             </table>
           </div>
           <div id="rsa-pss-params" class="section">
-            <h4>24.5.3. RsaPssParams dictionary</h4>
+            <h4>25.5.3. RsaPssParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaPssParams">RsaPssParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash function to apply to the message</span>
@@ -2215,7 +2237,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsa-pss-operations" class="section">
-            <h4>24.5.4. Operations</h4>
+            <h4>25.5.4. Operations</h4>
             <ul>
               <li>Sign</li>
               <li>Verify</li>
@@ -2225,9 +2247,9 @@
         </div>
 
         <div id="rsa-oaep" class="section">
-          <h3>24.6. RSA-OAEP</h3>
+          <h3>25.6. RSA-OAEP</h3>
           <div id="rsa-oaep-description" class="section">
-            <h4>24.6.1. Description</h4>
+            <h4>25.6.1. Description</h4>
             <p>
               The <code>"RSA-OAEP"</code> algorithm identifier is used to perform encryption
               and decryption ordering to the RSAES-OAEP algorithm specified in
@@ -2235,7 +2257,7 @@
             </p>
           </div>
           <div id="rsa-oaep-registration" class="section">
-            <h4>24.6.2. Registration</h4>
+            <h4>25.6.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"RSA-OAEP"</code>.
@@ -2269,7 +2291,7 @@
           </div>
 
           <div id="rsa-oaep-params" class="section">
-            <h4>24.6.3. RsaOaepParams dictionary</h4>
+            <h4>25.6.3. RsaOaepParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-RsaOaepParams">RsaOaepParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash function to apply to the message</span>
@@ -2282,7 +2304,7 @@
             </code></pre></div></div>
           </div>
           <div id="rsa-oaep-operations" class="section">
-            <h4>24.6.4. Operations</h4>
+            <h4>25.6.4. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -2292,9 +2314,9 @@
         </div>
 
         <div id="ecdsa" class="section">
-          <h3>24.7. ECDSA</h3>
+          <h3>25.7. ECDSA</h3>
           <div id="ecdsa-description" class="section">
-            <h4>24.7.1. Description</h4>
+            <h4>25.7.1. Description</h4>
             <p>
               The <code>"ECDSA"</code> algorithm identifier is used to perform signing
               and verification using the ECDSA algorithm specified in
@@ -2302,7 +2324,7 @@
             </p>
           </div>
           <div id="ecdsa-registration" class="section">
-            <h4>24.7.2. Registration</h4>
+            <h4>25.7.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"ECDSA"</code>.
@@ -2336,7 +2358,7 @@
             </table>
           </div>
           <div id="EcdsaParams-dictionary" class="section">
-            <h4>24.7.3. EcdsaParams dictionary</h4>
+            <h4>25.7.3. EcdsaParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-EcdsaParams">EcdsaParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The hash algorithm to use</span>
@@ -2345,7 +2367,7 @@
             </code></pre></div></div>
           </div>
           <div id="EcKeyGenParams-dictionary" class="section">
-            <h4>24.7.4. EcKeyGenParams dictionary</h4>
+            <h4>25.7.4. EcKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-EcKeyGenParams">EcKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// A named curve</span>
@@ -2354,7 +2376,7 @@
             </code></pre></div></div>
           </div>
           <div id="ecdsa-operations" class="section">
-            <h4>24.7.5. Operations</h4>
+            <h4>25.7.5. Operations</h4>
             <dl>
               <dt>Sign</dt>
               <dd>
@@ -2480,16 +2502,16 @@
         </div>
 
         <div id="ecdh" class="section">
-          <h3>24.8. ECDH</h3>
+          <h3>25.8. ECDH</h3>
           <div id="ecdh-description" class="section">
-            <h4>24.8.1. Description</h4>
+            <h4>25.8.1. Description</h4>
             <p>
               This describes using Elliptic Curve Diffie-Hellman (ECDH) for key generation and key agreement, as
               specified by <a href="#X9.63">X9.63</a>.
             </p>
           </div>
           <div id="ecdh-registration" class="section">
-            <h4>24.8.2. Registration</h4>
+            <h4>25.8.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"ECDH"</code>.
@@ -2517,7 +2539,7 @@
             </table>
           </div>
           <div id="dh-EcdhKeyDeriveParams" class="section">
-            <h4>24.8.3. EcdhKeyDeriveParams dictionary</h4>
+            <h4>25.8.3. EcdhKeyDeriveParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-EcdhKeyDeriveParams">EcdhKeyDeriveParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The peer's EC public key.</span>
@@ -2526,7 +2548,7 @@
             </code></pre></div></div>
           </div>
           <div id="ecdh-operations" class="section">
-            <h4>24.8.4. Operations</h4>
+            <h4>25.8.4. Operations</h4>
             <ul>
               <li>Generate Key</li>
               <li>Derive Key</li>
@@ -2545,14 +2567,14 @@
         </div>
 
         <div id="aes-ctr" class="section">
-          <h3>24.9. AES-CTR</h3>
+          <h3>25.9. AES-CTR</h3>
           <div id="aes-ctr-description" class="section">
-            <h4>24.9.1. Description</h4>
+            <h4>25.9.1. Description</h4>
             <p>
             </p>
           </div>
           <div id="aes-ctr-registration" class="section">
-            <h4>24.9.2. Registration</h4>
+            <h4>25.9.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"AES-CTR"</code>.
@@ -2586,7 +2608,7 @@
           </div>
 
           <div id="aes-ctr-params" class="section">
-            <h4>24.9.3. AesCtrParams dictionary</h4>
+            <h4>25.9.3. AesCtrParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesCtrParams">AesCtrParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The initial value of the counter block. counter <span class="RFC2119">MUST</span> be 16 bytes
@@ -2604,7 +2626,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-keygen-params" class="section">
-            <h4>24.9.4. AesKeyGenParams dictionary</h4>
+            <h4>25.9.4. AesKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesKeyGenParams">AesKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The length, in bits, of the key.</span>
@@ -2613,7 +2635,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-ctr-operations" class="section">
-            <h4>24.9.5. Operations</h4>
+            <h4>25.9.5. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -2623,12 +2645,12 @@
         </div>
 
         <div id="aes-cbc" class="section">
-          <h3>24.10. AES-CBC</h3>
+          <h3>25.10. AES-CBC</h3>
           <div id="aes-cbc-description" class="section">
-            <h4>24.10.1. Description</h4>
+            <h4>25.10.1. Description</h4>
           </div>
           <div id="aes-cbc-registration" class="section">
-            <h4>24.10.2. Registration</h4>
+            <h4>25.10.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"AES-CBC"</code>.
@@ -2661,7 +2683,7 @@
             </table>
           </div>
           <div id="aes-cbc-params" class="section">
-            <h4>24.10.3. AesCbcParams dictionary</h4>
+            <h4>25.10.3. AesCbcParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesCbcParams">AesCbcParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The initialization vector. <span class="RFC2119">MUST</span> be 16 bytes.</span>
@@ -2670,7 +2692,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-cbc-operations" class="section">
-            <h4>24.10.4. Operations</h4>
+            <h4>25.10.4. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -2680,12 +2702,12 @@
         </div>
 
         <div id="aes-gcm" class="section">
-          <h3>24.11. AES-GCM</h3>
+          <h3>25.11. AES-GCM</h3>
           <div id="aes-gcm-description" class="section">
-            <h4>24.11.1. Description</h4>
+            <h4>25.11.1. Description</h4>
           </div>
           <div id="aes-gcm-registration" class="section">
-             <h4>24.11.2. Registration</h4>
+             <h4>25.11.2. Registration</h4>
              <p>
                The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
                this algorithm is <code>"AES-GCM"</code>.
@@ -2718,7 +2740,7 @@
              </table>
            </div>
           <div id="aes-gcm-params" class="section">
-            <h4>24.11.3. AesGcmParams dictionary</h4>
+            <h4>25.11.3. AesGcmParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-AesGcmParams">AesGcmParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The initialization vector to use. May be up to 2^56 bytes long.</span>
@@ -2731,7 +2753,7 @@
             </code></pre></div></div>
           </div>
           <div id="aes-gcm-operations" class="section">
-            <h4>24.11.4. Operations</h4>
+            <h4>25.11.4. Operations</h4>
             <ul>
               <li>Encrypt</li>
               <li>Decrypt</li>
@@ -2741,12 +2763,12 @@
         </div>
 
         <div id="hmac" class="section">
-          <h3>24.12. HMAC</h3>
+          <h3>25.12. HMAC</h3>
           <div id="hmac-description" class="section">
-            <h4>24.12.1. Description</h4>
+            <h4>25.12.1. Description</h4>
           </div>
           <div id="hmac-registration" class="section">
-            <h4>24.12.2. Registration</h4>
+            <h4>25.12.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"HMAC"</code>.
@@ -2779,7 +2801,7 @@
             </table>
           </div>
           <div id="hmac-params" class="section">
-            <h4>24.12.3. HmacParams dictionary</h4>
+            <h4>25.12.3. HmacParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-HmacParams">HmacParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The inner hash function to use.</span>
@@ -2788,7 +2810,7 @@
             </code></pre></div></div>
           </div>
           <div id="hmac-operations" class="section">
-            <h4>24.12.4. Operations</h4>
+            <h4>25.12.4. Operations</h4>
             <ul>
               <li>Sign</li>
               <li>Verify</li>
@@ -2797,16 +2819,16 @@
           </div>
         </div>
         <div id="dh" class="section">
-          <h3>24.13. Diffie-Hellman</h3>
+          <h3>25.13. Diffie-Hellman</h3>
           <div id="dh-description" class="section">
-            <h4>24.13.1. Description</h4>
+            <h4>25.13.1. Description</h4>
             <p>
               This describes using Diffie-Hellman for key generation and key agreement, as specified
               by <a href="#PKCS3">PKCS #3</a>.
             </p>
           </div>
           <div id="dh-registration" class="section">
-            <h4>24.13.2. Registration</h4>
+            <h4>25.13.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"DH"</code>.
@@ -2834,7 +2856,7 @@
             </table>
           </div>
           <div id="dh-DhKeyGenParams" class="section">
-            <h4>24.13.3. DhKeyGenParams dictionary</h4>
+            <h4>25.13.3. DhKeyGenParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-DhKeyGenParams">DhKeyGenParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The prime p.</span>
@@ -2845,7 +2867,7 @@
             </code></pre></div></div>
           </div>
           <div id="dh-DhKeyDeriveParams" class="section">
-            <h4>24.13.4. DhKeyDeriveParams dictionary</h4>
+            <h4>25.13.4. DhKeyDeriveParams dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-DhKeyDeriveParams">DhKeyDeriveParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   <span class="comment">// The peer's public value.</span>
@@ -2854,7 +2876,7 @@
             </code></pre></div></div>
           </div>
           <div id="dh-operations" class="section">
-            <h4>24.13.5. Operations</h4>
+            <h4>25.13.5. Operations</h4>
             <ul>
               <li>Generate Key</li>
               <li>Derive Key</li>
@@ -2862,16 +2884,16 @@
           </div>
         </div>
         <div id="sha" class="section">
-          <h3>24.14. SHA</h3>
+          <h3>25.14. SHA</h3>
           <div id="sha-description" class="section">
-            <h4>24.14.1. Description</h4>
+            <h4>25.14.1. Description</h4>
             <p>
               This describes the SHA-1 and SHA-2 families, as specified by
               [<a href="#FIPS180-4">FIPS 180-4</a>].
             </p>
           </div>
           <div id="sha-registration" class="section">
-            <h4>24.14.2. Registration</h4>
+            <h4>25.14.2. Registration</h4>
             <p>
               The following algorithms are added as <a href="#recognized-algorithm-name">
               recognized algorithm names</a>:
@@ -2906,19 +2928,19 @@
             </table>
           </div>
           <div id="sha-operations" class="section">
-            <h4>24.14.3. Operations</h4>
+            <h4>25.14.3. Operations</h4>
             <ul>
               <li>Digest</li>
             </ul>
           </div>
         </div>
         <div id="pbkdf2" class="section">
-          <h3>24.15. PBKDF2</h3>
+          <h3>25.15. PBKDF2</h3>
           <div id="pbkdf2-description" class="section">
-            <h4>24.15.1. Description</h4>
+            <h4>25.15.1. Description</h4>
           </div>
           <div id="pbkdf2-registration" class="section">
-            <h4>24.15.2. Registration</h4>
+            <h4>25.15.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"PBKDF2"</code>.
@@ -2941,7 +2963,7 @@
             </table>
           </div>
           <div id="pbkdf2-params" class="section">
-            <h4>24.15.3. Pbkdf2Params dictionary</h4>
+            <h4>25.15.3. Pbkdf2Params dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-Pbkdf2Params">Pbkdf2Params</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   ArrayBufferView salt;
@@ -2960,7 +2982,7 @@
             </div>
           </div>
           <div id="pbkdf2-operations" class="section">
-            <h4>24.15.4. Operations</h4>
+            <h4>25.15.4. Operations</h4>
             <ul>
               <li>Derive Key</li>
             </ul>
@@ -2969,7 +2991,7 @@
       </div>
  
       <div id="algorithm-normalizing-rules" class="section">
-        <h2>25. Algorithm normalizing rules</h2>
+        <h2>26. Algorithm normalizing rules</h2>
         <p>
           The <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> typedef
           permits algorithms to be specified as either a <code>dictionary</code> or a DOMString.
@@ -3039,9 +3061,9 @@
         </ol>
       </div>
       <div id="examples-section" class="section">
-        <h2>26. JavaScript Example Code</h2>
+        <h2>27. JavaScript Example Code</h2>
         <div id="examples-signing" class="section">
-          <h3>26.1. Generate a signing key pair, sign some data</h3>
+          <h3>27.1. Generate a signing key pair, sign some data</h3>
         
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">ECMAScript</span></div><div class="blockContent"><pre class="code"><code class="es-code">
 var publicExponent = new Uint8Array([0x01, 0x00, 0x01]); 
@@ -3110,7 +3132,7 @@
         </code></pre></div></div>
         </div>
         <div id="examples-symmetric-encryption" class="section">
-          <h3>26.2. Symmetric Encryption</h3>
+          <h3>27.2. Symmetric Encryption</h3>
         <div class="block"><div class="blockTitleDiv"><span class="blockTitle">ECMAScript</span></div><div class="blockContent"><pre class="code"><code class="es-code">
 var clearDataArrayBufferView = convertPlainTextToArrayBufferView("Plain Text Data");
 <span class="comment">// TODO: create example utility function that converts text -&gt; ArrayBufferView</span>
@@ -3172,7 +3194,7 @@
       </div>
     </div>
       <div id="acknowledgements-section" class="section">
-        <h2>27. Acknowledgements</h2>
+        <h2>28. Acknowledgements</h2>
         <p>
           The editors would like to thank Adam Barth, Ali Asad, Arun Ranganathan, Brian Smith,
           Brian Warner, Channy Yun, Kai Engert, Mark Watson, Vijay Bharadwaj, Virginie Galindo,
@@ -3193,9 +3215,9 @@
         </p>
       </div>
       <div id="references" class="section">
-         <h2>28. References</h2>
+         <h2>29. References</h2>
          <div id="normative-references" class="section">
-           <h3>28.1. Normative References</h3>
+           <h3>29.1. Normative References</h3>
            <dl>
              <dt id="RFC2119">RFC2119</dt>
              <dd>
@@ -3268,8 +3290,18 @@
            </dl>
         </div>
         <div id="informative-references" class="section">
-          <h3>28.2. Informative References</h3>
+          <h3>29.2. Informative References</h3>
           <dl>
+            <dt id="draft-TLS-OBC">draft-balfanz-tls-obc-01</dt>
+            <dd>
+              <cite><a href="http://tools.ietf.org/html/draft-balfanz-tls-obc-01">TLS Origin-Bound
+              Certificates</a></cite>, D. Balfanz, D. Smetters, M. Upadhyay, A. Barth. IETF.
+            </dd>
+            <dt id="RFC5705">RFC 5705</dt>
+            <dd>
+              <cite><a href="http://tools.ietf.org/html/rfc5705">Keying Material Exporters for
+              Transport Layer Security (TLS)</a></cite>, E. Rescorla. IETF.
+            </dd>
             <dt id="PKCS11">PKCS11</dt>
             <dd>
               <cite><a href="http://www.rsa.com/rsalabs/node.asp?id=2133">PKCS #11: Cryptographic