Add candidate CR
authorMark Watson <watsonm@netflix.com>
Thu, 06 Nov 2014 17:25:56 -0800
changeset 286 373d379a48c4
parent 285 aef5eac2cd5d
child 287 6694484cc545
Add candidate CR
spec/Overview-201411-CR.html
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/spec/Overview-201411-CR.html	Thu Nov 06 17:25:56 2014 -0800
@@ -0,0 +1,18025 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Web Cryptography API</title>
+
+    <link rel="stylesheet" href="webcrypto.css" type="text/css" />
+    <script src="section-links.js" type="application/ecmascript"></script>
+    <script src="dfn.js" type="application/ecmascript"></script>
+    <!--[if IE]>
+        <style type='text/css'>
+        .ignore {
+        -ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=50)";
+        filter: alpha(opacity=50);
+        }
+        </style>
+        <![endif]-->
+
+    
+  <link rel="stylesheet" href="//www.w3.org/StyleSheets/TR/W3C-CR" type="text/css" /></head>
+
+  <body>
+    <div class="head"><div><a href="http://www.w3.org/"><img src="//www.w3.org/Icons/w3c_home" width="72" height="48" alt="W3C" /></a></div><h1>Web Cryptography API</h1><h2>W3C Candidate Recommendation <em>NaN @@ view</em></h2><dl><dt>This Version:</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html</a></dd><dt>Latest Published Version:</dt><dd><a href="http://www.w3.org/TR/WebCryptoAPI/">http://www.w3.org/TR/WebCryptoAPI/</a></dd><dt>Latest Editor’s Draft:</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html</a></dd><dt>Previous Version(s):</dt><dd><a href="https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html">https://dvcs.w3.org/hg/webcrypto-api/raw-file/0fe9b34c13fb/spec/Overview.html</a></dd><dt>Editors:</dt><dd><a href="http://www.google.com/">Ryan Sleevi</a>, Google, Inc. &lt;sleevi@google.com&gt;</dd><dd><a href="http://www.netflix.com/">Mark Watson</a>, Netflix &lt;watsonm@netflix.com&gt;</dd><dt>Participate:</dt><dd><p>Send feedback to <a href="mailto:public-webcrypto@w3.org?subject=%5BWebCryptoAPI%5D">public-webcrypto@w3.org</a> (<a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>), or <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=Web%20Cryptography&amp;component=Web%20Cryptography%20API%20Document">file a bug</a> 
+    (see <a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=Web%20Cryptography&amp;component=Web%20Cryptography%20API%20Document&amp;resolution=---">existing bugs</a>).</p></dd></dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> &copy; view <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>&reg;</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.org/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p></div><hr />
+
+    <div class="section">
+      <h2>Abstract</h2>
+      <p>
+        This specification describes a JavaScript API for performing basic
+        cryptographic operations in web applications, such as hashing,
+        signature generation and verification, and encryption and decryption.
+        Additionally, it describes an API for applications to generate and/or
+        manage the keying material necessary to perform these operations. 
+        Uses for this API range from user or service authentication, document
+        or code signing, and the confidentiality and integrity of
+        communications.
+      </p>
+  
+      
+    </div>
+
+    <div class="section">
+      <h2>Status of this Document</h2>
+      <p><em>
+        This section describes the status of this document at the time of
+        its publication.  Other documents may supersede this document. A list
+        of current W3C publications and the latest revision of this technical
+        report can be found in the <a href="http://www.w3.org/TR/">W3C technical
+          reports index</a> at http://www.w3.org/TR/.
+      </em></p><p>
+        This document is the NaN @@ view <b>Candidate Recommendation</b> of the
+        <cite>Web Cryptography API</cite> specification.
+      
+      Please send comments about this document to
+      <a href="mailto:public-webcrypto-comments@w3.org">public-webcrypto-comments@w3.org</a>
+      (<a href="http://lists.w3.org/Archives/Public/public-webcrypto-comments/">archived</a>).
+    </p>
+
+      <p>
+        This document is produced by the <a href="http://www.w3.org/2012/webcrypto/">Web Cryptography
+        <acronym title="Working Group">WG</acronym></a> of the <acronym title="World Wide Web Consortium">W3C</acronym>.
+      </p>
+
+      <p class="XXX">
+        Implementors should be aware that this specification is not stable.
+        <strong>Implementors who are not taking part in the discussions are likely to find the
+        specification changing out from under them in incompatible ways.</strong> Vendors interested
+        in implementing this specification before it eventually reaches the Candidate Recommendation
+        stage should join the mailing lists that follow and take part in the discussions.
+      </p>
+      <p>
+        The Web Cryptography Working Group invites discussion and feedback on this draft document by
+        web developers, companies, standardization bodies or forums interested in deployment of secure
+        services with web applications. Specifically, Web Cryptography Working Group is looking for
+        feedback on:
+      </p>
+      <ul>
+        <li>developer convenience for managing keys and algorithms;</li>
+        <li>comments on open issues the WG is currently dealing with, highlighted in this working draft;</li>
+        <li>potential missing functionalities to deploy secure web applications.</li>
+      </ul>
+      <p>
+        Previous discussion of this specification has taken place on three other
+        mailing lists: <a href="mailto:whatwg@whatwg.org">whatwg@whatwg.org</a>
+        (<a href="http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031741.html">archive</a>)
+        , <a href="mailto:public-websecurity@w3.org">public-websecurity@w3.org</a>
+        (<a href="http://lists.w3.org/Archives/Public/public-web-security/2011Jun/0000.html">archive</a>), and 
+        <a href="mailto:public-identity@w3.org">public-identity@w3.org</a> (<a href="https://www.w3.org/Search/Mail/Public/search?type-index=public-identity&amp;index-type=t&amp;keywords=DOMCrypt&amp;search=Search">archive</a>).
+        Ongoing discussion will be on the <a href="mailto:public-webcrypto@w3.org">public-webcrypto@w3.org</a>
+        mailing list.
+      </p>
+      
+      <p>
+        Web content and browser developers are encouraged to review this draft. Please send comments
+        to <a href="mailto:public-webcrypto-comments@w3.org">public-webcrypto-comments@w3.org</a>,
+        the <acronym title="World Wide Web Consortium">W3C</acronym>'s public email list for issues
+        related to Web Cryptography. <a href="http://lists.w3.org/Archives/Public/public-webcrypto-comments/">Archives</a> of the
+        public list and <a href="http://lists.w3.org/Archives/Public/public-webcrypto/">archives</a>
+        of the member's-only list are available.
+      </p>
+      <p>
+        Changes made to this document can be found in the
+        <a href="https://dvcs.w3.org/hg/webcrypto-api/file/tip/spec/">W3C public Mercurial server</a>.
+      </p>
+
+      <p>
+          Publication as a Candidate Recommendation does not imply endorsement by the
+          W3C Membership.  This is a draft document and may be updated, replaced
+          or obsoleted by other documents at any time. It is inappropriate to cite
+          this document as other than work in progress.
+        </p><p>
+      This document was produced by a group operating under the
+      <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February
+        2004 W3C Patent Policy</a>. W3C maintains a
+      <a href="http://www.w3.org/2004/01/pp-impl/54174/status">public list of
+        any patent disclosures</a> made in connection with the deliverables of
+      the group; that page also includes instructions for disclosing a patent.
+      An individual who has actual knowledge of a patent which the individual
+      believes contains
+      <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
+        Claim(s)</a> must disclose the information in accordance with
+      <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
+        6 of the W3C Patent Policy</a>.
+    </p>
+    </div>
+
+    <div id="toc">
+      <h2>Table of Contents</h2>
+      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a><ul><li><a href="#extensibility">3.1. Extensibility</a></li></ul></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#concepts">5. Concepts</a><ul><li><a href="#concepts-underlying-implementation">5.1. Underlying Cryptographic Implementation</a></li><li><a href="#concepts-key-storage">5.2. Key Storage</a></li></ul></li><li><a href="#security-consideration">6. Security considerations</a><ul><li><a href="#security-implementers">6.1. Security considerations for implementers</a></li><li><a href="#security-developers">6.2. Security considerations for authors</a></li><li><a href="#security-users">6.3. Security considerations for users</a></li></ul></li><li><a href="#privacy">7. Privacy considerations</a></li><li><a href="#dependencies">8. Dependencies</a></li><li><a href="#terminology">9. Terminology</a></li><li><a href="#crypto-interface">10. Crypto interface</a><ul><li><a href="#Crypto-description">10.1. Description</a></li><li><a href="#Crypto-interface-methods">10.2. 
Methods and Parameters</a><ul><li><a href="#Crypto-method-getRandomValues">10.2.1. The getRandomValues method</a></li></ul></li><li><a href="#Crypto-interface-attributes">10.3. Attributes</a><ul><li><a href="#Crypto-attribute-subtle">10.3.1. The subtle attribute</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">11. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">11.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-algorithm-dictionary">12. KeyAlgorithm dictionary</a><ul><li><a href="#key-algorithm-dictionary-description">12.1. Description</a></li><li><a href="#key-algorithm-dictionary-members">12.2. KeyAlgorithm dictionary members</a></li></ul></li><li><a href="#cryptokey-interface">13. CryptoKey interface</a><ul><li><a href="#cryptokey-interface-description">13.1. Description</a></li><li><a href="#cryptokey-interface-types">13.2. Key interface data types</a></li><li><a href="#cryptokey-interface-internal-slots">13.3. CryptoKey internal slots</a></li><li><a href="#cryptokey-interface-members">13.4. CryptoKey interface members</a></li><li><a href="#cryptokey-interface-clone">13.5. Structured clone algorithm</a></li></ul></li><li><a href="#subtlecrypto-interface">14. SubtleCrypto interface</a><ul><li><a href="#subtlecrypto-interface-description">14.1. Description</a></li><li><a href="#subtlecrypto-interface-datatypes">14.2. Data Types</a></li><li><a href="#subtlecrypto-interface-methods">14.3. Methods and Parameters</a><ul><li><a href="#SubtleCrypto-method-encrypt">14.3.1. The encrypt method</a></li><li><a href="#SubtleCrypto-method-decrypt">14.3.2. The decrypt method</a></li><li><a href="#SubtleCrypto-method-sign">14.3.3. The sign method</a></li><li><a href="#SubtleCrypto-method-verify">14.3.4. The verify method</a></li><li><a href="#SubtleCrypto-method-digest">14.3.5. The digest method</a></li><li><a href="#SubtleCrypto-method-generateKey">14.3.6. 
The generateKey method</a></li><li><a href="#SubtleCrypto-method-deriveKey">14.3.7. The deriveKey method</a></li><li><a href="#SubtleCrypto-method-deriveBits">14.3.8. The deriveBits method</a></li><li><a href="#SubtleCrypto-method-importKey">14.3.9. The importKey method</a></li><li><a href="#SubtleCrypto-method-exportKey">14.3.10. The exportKey method</a></li><li><a href="#SubtleCrypto-method-wrapKey">14.3.11. The wrapKey method</a></li><li><a href="#SubtleCrypto-method-unwrapKey">14.3.12. The unwrapKey method</a></li></ul></li><li><a href="#SubtleCrypto-Exceptions">14.4. Exceptions</a></li></ul></li><li><a href="#JsonWebKey-dictionary">15. JsonWebKey dictionary</a></li><li><a href="#big-integer">16. BigInteger</a></li><li><a href="#keypair">17. CryptoKeyPair dictionary</a></li><li><a href="#algorithms">18. Algorithms</a><ul><li><a href="#algorithms-section-overview">18.1. Overview</a></li><li><a href="#algorithm-concepts">18.2. Concepts</a><ul><li><a href="#algorithm-concepts-naming">18.2.1. Naming</a></li><li><a href="#algorithm-concepts-operations">18.2.2. Supported Operations</a></li><li><a href="#algorithm-concepts-normalization">18.2.3. Normalization</a></li></ul></li><li><a href="#algorithm-conventions">18.3. Specification Conventions</a></li><li><a href="#algorithm-normalization">18.4. Algorithm Normalization</a><ul><li><a href="#algorithm-normalization-description">18.4.1. Description</a></li><li><a href="#algorithm-normalization-internal">18.4.2. Internal State Objects</a></li><li><a href="#algorithm-normalization-define-an-algorithm">18.4.3. Defining an Algorithm</a></li><li><a href="#algorithm-normalization-normalize-an-algorithm">18.4.4. Normalizing an algorithm</a></li></ul></li><li><a href="#algorithm-recommendations">18.5. Recommendations</a><ul><li><a href="#algorithm-recommendations-authors">18.5.1. For Authors</a></li><li><a href="#algorithm-recommendations-implementers">18.5.2. 
For Implementers</a></li></ul></li></ul></li><li><a href="#algorithm-overview">19. Algorithm Overview</a></li><li><a href="#rsassa-pkcs1">20. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">20.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">20.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">20.3. RsaKeyGenParams dictionary</a></li><li><a href="#RsaHashedKeyGenParams-dictionary">20.4. RsaHashedKeyGenParams dictionary</a></li><li><a href="#RsaKeyAlgorithm-dictionary">20.5. RsaKeyAlgorithm dictionary</a></li><li><a href="#RsaHashedKeyAlgorithm-dictionary">20.6. RsaHashedKeyAlgorithm dictionary</a></li><li><a href="#RsaHashedImportParams-dictionary">20.7. RsaHashedImportParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">20.8. Operations</a></li></ul></li><li><a href="#rsa-pss">21. RSA-PSS</a><ul><li><a href="#rsa-pss-description">21.1. Description</a></li><li><a href="#rsa-pss-registration">21.2. Registration</a></li><li><a href="#RsaPssParams-dictionary">21.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">21.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">22. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">22.1. Description</a></li><li><a href="#rsa-oaep-registration">22.2. Registration</a></li><li><a href="#rsa-oaep-params">22.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">22.4. Operations</a></li></ul></li><li><a href="#ecdsa">23. ECDSA</a><ul><li><a href="#ecdsa-description">23.1. Description</a></li><li><a href="#ecdsa-registration">23.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">23.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">23.4. EcKeyGenParams dictionary</a></li><li><a href="#EcKeyAlgorithm-dictionary">23.5. EcKeyAlgorithm dictionary</a></li><li><a href="#EcKeyImportParams-dictionary">23.6. EcKeyImportParams dictionary</a></li><li><a href="#ecdsa-operations">23.7. 
Operations</a></li></ul></li><li><a href="#ecdh">24. ECDH</a><ul><li><a href="#ecdh-description">24.1. Description</a></li><li><a href="#ecdh-registration">24.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">24.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">24.4. Operations</a></li></ul></li><li><a href="#aes-ctr">25. AES-CTR</a><ul><li><a href="#aes-ctr-description">25.1. Description</a></li><li><a href="#aes-ctr-registration">25.2. Registration</a></li><li><a href="#aes-ctr-params">25.3. AesCtrParams dictionary</a></li><li><a href="#AesKeyAlgorithm-dictionary">25.4. </a></li><li><a href="#aes-keygen-params">25.5. AesKeyGenParams dictionary</a></li><li><a href="#aes-derivedkey-params">25.6. AesDerivedKeyParams dictionary</a></li><li><a href="#aes-ctr-operations">25.7. Operations</a></li></ul></li><li><a href="#aes-cbc">26. AES-CBC</a><ul><li><a href="#aes-cbc-description">26.1. Description</a></li><li><a href="#aes-cbc-registration">26.2. Registration</a></li><li><a href="#aes-cbc-params">26.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">26.4. Operations</a></li></ul></li><li><a href="#aes-cmac">27. AES-CMAC</a><ul><li><a href="#aes-cmac-description">27.1. Description</a></li><li><a href="#aes-cmac-registration">27.2. Registration</a></li><li><a href="#aes-cmac-params">27.3. AesCmacParams dictionary</a></li><li><a href="#aes-cmac-operations">27.4. Operations</a></li></ul></li><li><a href="#aes-gcm">28. AES-GCM</a><ul><li><a href="#aes-gcm-description">28.1. Description</a></li><li><a href="#aes-gcm-registration">28.2. Registration</a></li><li><a href="#aes-gcm-params">28.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">28.4. Operations</a></li></ul></li><li><a href="#aes-cfb">29. AES-CFB</a><ul><li><a href="#aes-cfb-description">29.1. Description</a></li><li><a href="#aes-cfb-registration">29.2. Registration</a></li><li><a href="#aes-cfb-params">29.3. 
AesCfbParams dictionary</a></li><li><a href="#aes-cfb-operations">29.4. Operations</a></li></ul></li><li><a href="#aes-kw">30. AES-KW</a><ul><li><a href="#aes-kw-description">30.1. Description</a></li><li><a href="#aes-kw-registration">30.2. Registration</a></li><li><a href="#aes-kw-operations">30.3. Operations</a></li></ul></li><li><a href="#hmac">31. HMAC</a><ul><li><a href="#hmac-description">31.1. Description</a></li><li><a href="#hmac-registration">31.2. Registration</a></li><li><a href="#hmac-importparams">31.3. HmacImportParams dictionary</a></li><li><a href="#HmacKeyAlgorithm-dictionary">31.4. HmacKeyAlgorithm dictionary</a></li><li><a href="#hmac-keygen-params">31.5. HmacKeyGenParams dictionary</a></li><li><a href="#hmac-operations">31.6. Operations</a></li></ul></li><li><a href="#dh">32. Diffie-Hellman</a><ul><li><a href="#dh-description">32.1. Description</a></li><li><a href="#dh-registration">32.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">32.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyAlgorithm">32.4. DhKeyAlgorithm dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">32.5. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-DhImportKeyParams">32.6. DhImportKeyParams dictionary</a></li><li><a href="#dh-operations">32.7. Operations</a></li></ul></li><li><a href="#sha">33. SHA</a><ul><li><a href="#sha-description">33.1. Description</a></li><li><a href="#sha-registration">33.2. Registration</a></li><li><a href="#sha-operations">33.3. Operations</a></li></ul></li><li><a href="#concatkdf">34. Concat KDF</a><ul><li><a href="#concatkdf-description">34.1. Description</a></li><li><a href="#concatkdf-registration">34.2. Registration</a></li><li><a href="#concat-params">34.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">34.4. Operations</a></li></ul></li><li><a href="#hkdf-ctr">35. HKDF-CTR</a><ul><li><a href="#hkdf-ctr-description">35.1. Description</a></li><li><a href="#hkdf-ctr-registration">35.2. 
Registration</a></li><li><a href="#hkdf-ctr-params">35.3. HkdfCtrParams dictionary</a></li><li><a href="#hkdf2-ctr-operations">35.4. Operations</a></li></ul></li><li><a href="#pbkdf2">36. PBKDF2</a><ul><li><a href="#pbkdf2-description">36.1. Description</a></li><li><a href="#pbkdf2-registration">36.2. Registration</a></li><li><a href="#pbkdf2-params">36.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">36.4. Operations</a></li></ul></li><li><a href="#examples-section">37. JavaScript Example Code</a><ul><li><a href="#examples-signing">37.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">37.2. Symmetric Encryption</a></li></ul></li><li><a href="#iana-section">38. IANA Considerations</a><ul><li><a href="#iana-section-jws-jwa">38.1. JSON Web Signature and Encryption Algorithms Registration</a></li><li><a href="#iana-section-jwk">38.2. JSON Web Key Parameters Registration</a></li></ul></li><li><a href="#acknowledgements-section">39. Acknowledgements</a></li><li><a href="#references">40. References</a><ul><li><a href="#normative-references">40.1. Normative References</a></li><li><a href="#informative-references">40.2. Informative References</a></li></ul></li></ul><ul><li><a href="#jwk-mapping">A. Mapping between JSON Web Key / JSON Web Algorithm</a><ul><li><a href="#jwk-mapping-alg">A.1. Algorithm mappings</a></li><li><a href="#jwk-mapping-usage">A.2. Usage mapping</a></li></ul></li><li><a href="#spki-mapping">B. Mapping between Algorithm and SubjectPublicKeyInfo</a></li><li><a href="#pkcs8-mapping">C. Mapping between Algorithm and PKCS#8 PrivateKeyInfo</a></li></ul></div>
+    </div>
+
+    <div id="sections">
+      <div id="introduction" class="section">
+        <h2>1. Introduction</h2>
+        <p class="norm">This section is non-normative.</p>
+        <p>
+          The Web Cryptography API defines a low-level interface to interacting with cryptographic
+          key material that is managed or exposed by user agents. The API itself is agnostic of
+          the underlying implementation of key storage, but provides a common set of interfaces
+          that allow rich web applications to perform operations such as signature generation and
+          verification, hashing and verification, encryption and decryption, without requiring
+          access to the raw keying material.
+        </p>
+        <p>
+          Cryptographic transformations are exposed via the
+          <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface, which defines a common set
+          of methods and events for dealing with initialization, processing data, and completing
+          the operation to yield the final output. In addition to operations such as signature
+          generation and verification, hashing and verification, and encryption and decryption,
+          the API provides interfaces for key generation, key derivation, key import and export,
+          and key discovery.
+        </p>
+      </div>
+
+      <div id="use-cases" class="section">
+        <h2>2. Use Cases</h2>
+        <p class="norm">This section is non-normative</p>
+        <div id="multifactor-authentication" class="section">
+          <h3>2.1. Multi-factor Authentication</h3>
+          <p>
+            A web application may wish to extend or replace existing username/password based
+            authentication schemes with authentication methods based on proving that the user has
+            access to some secret keying material. Rather than using transport-layer authentication,
+            such as TLS client certificates, the web application may wish to provide a rich user
+            experience by providing authentication within the application itself.
+          </p>
+          <p>
+            Using the Web Cryptography API, such an application could locate suitable client keys,
+            which may have been previously generated via the user agent or pre-provisioned
+            out-of-band by the web application. It could then perform cryptographic operations such
+            as decrypting an authentication challenge followed by signing an authentication response.
+          </p>
+          <p>
+            Further, the authentication data could be further enhanced by binding the authentication
+            to the TLS session that the client is authenticating over, by deriving a key based on
+            properties of the underlying transport.
+          </p>
+          <p>
+            If a user did not already have a key associated with their account, the web application
+            could direct the user agent to either generate a new key or to re-use an existing key of
+            the user's choosing. 
+          </p>
+        </div>
+
+        <div id="protected-document" class="section">
+          <h3>2.2. Protected Document Exchange</h3>
+          <p>
+            When exchanging documents that may contain sensitive or personal information, a
+            web application may wish to ensure that only certain users can view the documents, even
+            after they have been securely received, such as over TLS. One way that a web application
+            can do so is by encrypting the documents with a secret key, and then wrapping that key
+            with the public keys associated with authorized users.
+          </p>
+          <p>
+            When a user agent navigates to such a web application, the application may send the
+            encrypted form of the document. The user agent is then instructed to unwrap the encryption
+            key, using the user's private key, and from there, decrypt and display the document.
+          </p>
+        </div>
+
+        <div id="cloud-storage" class="section">
+          <h3>2.3. Cloud Storage</h3>
+          <p>
+            When storing data with remote service providers, users may wish to protect the
+            confidentiality of their documents and data prior to uploading them. The Web
+            Cryptography API allows an application to have a user select a private or secret key,
+            to either derive encryption keys from the selected key or to directly encrypt documents
+            using this key, and then to upload the transformed/encrypted data to the service provider
+            using existing APIs.
+          </p>
+          <p>
+            This use case is similar to the <a href="#protected-document">Protected Document
+            Exchange</a> use case because Cloud Storage can be considered as a user exchanging
+            protected data with himself in the future.
+          </p>
+        </div>
+
+        <div id="document-signing" class="section">
+          <h3>2.4. Document Signing</h3>
+          <p>
+            A web application may wish to accept electronic signatures on documents, in lieu of
+            requiring physical signatures. An authorized signature may use a key that was
+            pre-provisioned out-of-band by the web application, or it may be using a key that the
+            client generated specifically for the web application.
+          </p>
+          <p>
+            The web application must be able to locate any appropriate keys for signatures, then
+            direct the user to perform a signing operation over some data, as proof that they accept
+            the document.
+          </p>
+        </div>
+
+        <div id="data-integrity-protection" class="section">
+          <h3>2.5. Data Integrity Protection</h3>
+          <p>
+            When caching data locally, an application may wish to ensure that this data cannot be
+            modified in an offline attack. In such a case, the server may sign the data that it
+            intends the client to cache, with a private key held by the server. The web application
+            that subsequently uses this cached data may contain a public key that enables it to
+            validate that the cache contents have not been modified by anyone else.
+          </p>
+        </div>
+
+        <div id="secure-messaging" class="section">
+          <h3>2.6. Secure Messaging</h3>
+          <p>
+            In addition to a number of web applications already offering chat based services, the
+            rise of WebSockets and RTCWEB allows a great degree of flexibility in inter-user-agent
+            messaging. While TLS/DTLS may be used to protect messages to web applications, users
+            may wish to directly secure messages using schemes such as off-the-record (OTR) messaging.
+          </p>
+          <p>
+            The Web Cryptography API enables OTR, by allowing key agreement to be performed so that
+            the two parties can negotiate shared encryption keys and message authentication code (MAC)
+            keys, to allow encryption and decryption of messages, and to prevent tampering of
+            messages through the MACs.
+          </p>
+        </div>
+
+        <div id="jose" class="section">
+          <h3>2.7. Javascript Object Signing and Encryption (JOSE)</h3>
+          <p>
+            A web application wishes to make use of the structures and format of
+            messages defined by the IETF Javascript Object Signing and Encryption
+            (JOSE) Working Group. The web application wishes to manipulate public
+            keys encoded in the JSON key format (JWK), messages that have been
+            integrity protected using digital signatures or MACs (JWS), or that
+            have been encrypted (JWE).
+          </p>
+        </div>
+
+      </div>
+      
+      <div id="conformance" class="section">
+        <h2>3. Conformance</h2>
+        <p>
+          As well as sections marked as non-normative, all authoring guidelines, diagrams,
+          examples, and notes in this specification are non-normative. Everything else in
+          this specification is normative.
+        </p>
+        <p>
+          The keywords <span class="RFC2119">MUST</span>,
+          <span class="RFC2119">MUST NOT</span>,
+          <span class="RFC2119">REQUIRED</span>,
+          <span class="RFC2119">SHALL</span>,
+          <span class="RFC2119">SHALL NOT</span>,
+          <span class="RFC2119">RECOMMENDED</span>,
+          <span class="RFC2119">MAY</span>,
+          <span class="RFC2119">OPTIONAL</span>,
+          in this specification are to be interpreted as described in 
+          <cite><a href="http://www.ietf.org/rfc/rfc2119">Key words for use in RFCs to
+          Indicate Requirement Levels</a></cite> [<a href="#RFC2119">RFC2119</a>].
+        </p>
+        <p>
+          The following conformance classes are defined by this specification:
+        </p>
+        <dl>
+          <dt><dfn id="dfn-conforming-implementation">conforming user agent</dfn></dt>
+          <dd>
+            <p>
+              A user agent is considered to be a
+              <a class="dfnref" href="#dfn-conforming-implementation">conforming user agent</a>
+              if it satisfies all of the <span class="RFC2119">MUST</span>-,
+              <span class="RFC2119">REQUIRED</span>- and <span class="RFC2119">SHALL</span>-level
+              criteria in this specification that apply to implementations. This specification
+              uses both the terms "conforming user agent" and "user agent" to refer to this
+              product class.
+            </p>
+          </dd>         
+        </dl>
+        <p>
+          Conformance requirements phrased as algorithms or specific steps may be implemented in any
+          manner, so long as the end result is equivalent. (In particular, the algorithms defined in
+          this specification are intended to be easy to follow, and not intended to be performant.)
+        </p>
+        <p>
+          User agents that use ECMAScript to implement the APIs defined in this specification
+          <span class="RFC2119">MUST</span> implement them in a manner consistent with the
+          ECMAScript Bindings defined in the Web IDL specification [<a href="#WebIDL">WebIDL</a>]
+          as this specification uses that specification and terminology.
+        </p>
+        <p>
+          Unless otherwise stated, string comparisons are done in a
+          <a href="#case-sensitive">case-sensitive</a> manner. String literals in this specification
+           written in monospace font like <code>"this"</code> do not include the enclosing quotes.
+        </p>
+        <div id="extensibility" class="section">
+          <h3>3.1. Extensibility</h3>
+          <p>
+            Vendor-specific proprietary extensions to this specification are strongly discouraged.
+            Authors must not use such extensions, as doing so reduces interoperability and fragments 
+            the user base, allowing only users of specific user agents to access the content in 
+            question.
+          </p>
+          <p>
+            If vendor-specific extensions are needed, the members should be prefixed by 
+            vendor-specific strings to prevent clashes with future versions of this specification. 
+            Extensions must be defined so that the use of extensions neither contradicts nor causes 
+            the non-conformance of functionality defined in the specification.
+          </p>
+          <p>
+            When vendor-neutral extensions to this specification are needed, either this 
+            specification can be updated accordingly, or an extension specification can be written 
+            that overrides the requirements in this specification. When someone applying this 
+            specification to their activities decides that they will recognize the requirements of 
+            such an extension specification, it becomes an
+            <dfn id="dfn-applicable-specification">applicable specification</dfn> for the purposes 
+            of conformance requirements in this specification. Applicable specifications defined
+            by the W3C WebCrypto Working Group are listed in the table below.
+          </p>
+          <table>
+            <tbody>
+              <tr>
+                <td>Specification</td>
+                <td>Reference</td>
+              </tr>
+            </tbody>
+          </table>
+          <div class="note"><div class="noteHeader">Note</div>
+            Readers are advised to consult the errata to this specification for updates to the table
+            above.
+          </div>
+        </div>
+      </div>
+
+      <div id="scope" class="section">
+        <h2>4. Scope</h2>
+        <p class="norm">This section is non-normative.</p>
+        <div class="section" id="scope-abstraction">
+          <h3>4.1. Level of abstraction</h3>
+          <p>
+            The specification attempts to focus on the common functionality and features between
+            various platform-specific or standardized cryptographic APIs, and avoid features and
+            functionality that are specific to one or two implementations. As such this API allows
+            key generation, management, and exchange with a level of abstraction that avoids
+            developers needing to care about the implementation of the underlying key storage. The
+            API is focused specifically around CryptoKey objects, as an abstraction for the
+            underlying raw cryptographic keying material. The intent behind this is to allow an API
+            that is generic enough to allow conforming user agents to expose keys that are stored
+            and managed directly by the user agent, that may be stored or managed using isolated
+            storage APIs such as per-user key stores provided by some operating systems, or within
+            key storage devices such as secure elements, while allowing rich web applications to
+            manipulate the keys and without requiring the web application be aware of the nature of
+            the underlying key storage.
+          </p>
+        </div>
+        <div class="section" id="scope-algorithms">
+          <h3>4.2. Cryptographic algorithms</h3>
+          <p>
+            Because the underlying cryptographic implementations will vary between conforming user
+            agents, and may be subject to local policy, including but not limited to concerns such
+            as government or industry regulation, security best practices, intellectual property
+            concerns, and constrained operational environments, this specification does not dictate
+            a mandatory set of algorithms that <span class="RFC2119">MUST</span> be implemented.
+            Instead, it defines a common set of bindings that can be used in an
+            algorithm-independent manner, a common framework for discovering if a user agent or key
+            handle supports the underlying algorithm, and a set of conformance requirements for the
+            behaviours of individual algorithms, if implemented.
+          </p>
+        </div>
+        <div class="section" id="scope-operations">
+          <h3>4.3. Operations</h3>
+          <p>
+            Although the API does not expose the notion of cryptographic providers or modules, each
+            key is internally bound to a cryptographic provider or module, so web applications can
+            rest assured that the right cryptographic provider or module will be used to perform
+            cryptographic operations involving that key.
+          </p>
+        </div>
+        <div class="section" id="scope-out-of-scope">
+          <h3>4.4. Out of scope</h3>
+          <p>
+            This API, while allowing applications to generate, retrieve, and manipulate keying
+            material, does not specifically address the provisioning of keys in particular types of
+            key storage, such as secure elements or smart cards. This is due to such provisioning
+            operations often being burdened with vendor-specific details that make defining a
+            vendor-agnostic interface an unsuitably unbounded task. Additionally, this API does not
+            deal with or address the discovery of cryptographic modules, as such concepts are
+            dependent upon the underlying user agent and are not concepts that are portable between
+            common operating systems, cryptographic libraries, and implementations.
+          </p>
+        </div>
+      </div>
+
+
+      <div class="section" id="concepts">
+        <h2>5. Concepts</h2>
+        <p class="norm">This section is non-normative.</p>
+        <div class="section" id="concepts-underlying-implementation">
+          <h3>5.1. Underlying Cryptographic Implementation</h3>
+          <p>
+            This specification assumes, but does not require, that conforming user agents do not
+            and will not be directly implementing cryptographic operations within the user agent
+            itself. Historically, many user agents have deferred cryptographic operations, such as
+            those used within TLS, to existing APIs that are available as part of the underlying
+            operating system or to third-party modules that are managed independently of the user
+            agent.
+          </p>
+          <p>
+            The <a href="#dfn-CryptoKey">CryptoKey</a> object represents the bridge between the
+            JavaScript execution environment and these underlying libraries, through the use of the
+            internal slot named [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]]. The handle
+            represents an opaque type that is implementation specific, which may not be represented
+            within a JavaScript type, nor is it ever exposed to script authors. In this way, the
+            <a href="#dfn-CryptoKey">CryptoKey</a> object is the conceptual equivalent to the
+            JavaScript executing environment as the
+            [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] is to the underlying cryptographic
+            implementation.
+          </p>
+          <p>
+            These APIs are traditionally built around a notion of cryptographic providers, an
+            abstraction for a specific implementation of a set of algorithms. The operating system
+            or library may come with a default provider, and users are frequently allowed to add
+            additional providers, reconfigure the set of enabled algorithms, or otherwise customize
+            how cryptographic services are provided.
+          </p>
+          <p>
+            While it is assumed that most user agents will be interacting with a cryptographic
+            provider that is implemented purely in software, it is not required by this
+            specification. As a result, the capabilities of some implementations may be limited by
+            the capabilities of the underlying hardware, and, depending on how the user has
+            configured the underlying cryptographic library, this may be entirely opaque to the
+            User Agent.
+          </p>
+        </div>
+        <div class="section" id="concepts-key-storage">
+          <h3>5.2. Key Storage</h3>
+          <p>
+            This specification does not explicitly provide any new storage mechanisms for
+            <a href="#dfn-CryptoKey">CryptoKey</a> objects. Instead, by allowing the
+            <a href="#dfn-CryptoKey">CryptoKey</a> to be used with the structured clone algorithm,
+            any existing or future web storage mechanisms that support storing structured clonable
+            objects can be used to store <a href="#dfn-CryptoKey">CryptoKey</a> objects.
+          </p>
+          <p>
+            In practice, it is expected that most authors will make use of the
+            <a href="#IndexedDB">Indexed Database API</a>, which allows associative storage of
+            key/value pairs, where the key is some string identifier meaningful to the application,
+            and the value is a <a href="#dfn-CryptoKey">CryptoKey</a> object. This allows the
+            storage and retrieval of key material, without ever exposing that key material to the
+            application or the JavaScript environment. Additionally, this allows authors
+            the full flexibility to store any additional metadata with the
+            <a href="#dfn-CryptoKey">CryptoKey</a> itself.
+          </p>
+        </div>
+      </div>
+
+      <div id="security-consideration" class="section">
+        <h2>6. Security considerations</h2>
+        <p class="norm">This section is non-normative.</p>
+        <div id="security-implementers" class="section">
+          <h2>6.1. Security considerations for implementers</h2>
+          <p>
+            By not providing an explicit storage mechanism, this specification assumes that
+            <a href="#dfn-CryptoKey">CryptoKey</a> objects are scoped to the current execution
+            environment and any storage mechanisms available to that environment (e.g.
+            <a href="#IndexedDB">Indexed Database API</a>). Application authors rely upon this for
+            the security of their applications; two origins with the same
+            <a href="#dfn-CryptoKey">CryptoKey</a> object have full access to the underlying key,
+            and as such, messages from these applications cannot be distinguished, and messages sent
+            to these applications can be fully recovered. Implementors should ensure that no
+            <a href="#dfn-CryptoKey">CryptoKey</a> objects are shared between two origins unless
+            the author has explicitly chosen to share (e.g., such as through the use of postMessage)
+          </p>
+          <p>
+            A number of algorithms specified within this specification perform computationally
+            intensive work, such as the generation of significantly large prime numbers, or through
+            repeated iterations of a particular operation. As such, hostile applications may attempt
+            to misuse this API and attempt to cause significant amount of work to be performed by
+            an implementation, denying access or services to other applications that are executing.
+            Implementations should take steps to mitigate these risks, such as limiting the amount
+            of operations an implementation performs concurrently, requiring user consent for
+            operations that may be known to be disruptive for the executing environment, or defining
+            device-specific limits on attributes such as key sizes or iteration counts.
+          </p>
+        </div>
+        <div id="security-developers" class="section">
+          <h2>6.2. Security considerations for authors</h2>
+          <p>
+            This specification includes descriptions for a variety of cryptographic operations, some
+            of which have known weaknesses when used inappropriately. Application developers must
+            take care and review appropriate and current cryptographic literature, to understand and
+            mitigate such issues. In general, application developers are <strong>strongly</strong>
+            discouraged from inventing new cryptographic protocols; as with all applications, users
+            of this specification will be best served through the use of existing protocols, of
+            which this specification provides the necessary building blocks to implement.
+          </p>
+          <p>
+            In order to use the APIs defined in this specification to provide any meaningful
+            cryptographic assurances, authors must be familiar with existing threats to web
+            applications, as well as the underlying security model employed. Conceptually, issues
+            such as script injection are the equivalent to remote code execution in other operating
+            environments, and allowing hostile script to be injected may allow for the exfiltration
+            of keys or data. Script injection may come from other applications, for which the
+            judicious use of Content Security Policy may mitigate, or it may come from hostile
+            network intermediaries, for which the use of Transport Layer Security may mitigate.
+          </p>
+          <p>
+            This specification does not define any specific mechanisms for the storage of
+            cryptographic keys. By default, unless specific effort is taken by the author to persist
+            keys, such as through the use of the <a href="#IndexedDB">Indexed Database API</a>, keys
+            created with this API will only be valid for the duration of the current page (e.g.
+            until a navigation event). Authors that wish to use the same key across different pages
+            or multiple browsing sessions must employ existing web storage technologies. Authors
+            should be aware of the security assumptions of these technologies, such as the
+            same-origin security model; that is, any application that shares the same scheme, host,
+            and port have access to the same storage partition, even if other information, such as
+            the path, may differ. Authors may explicitly choose to relax this security through the
+            use of inter-origin sharing, such as <code>postMessage</code>.
+          </p>
+          <p>
+            Authors should be aware that this specification places no normative requirements on
+            implementations as to how the underlying cryptographic key material is stored. The only
+            requirement is that key material is not exposed to script, except through the use of the
+            <a href="#dfn-SubtleCrypto-method-exportKey">exportKey</a> and <a href="#dfn-SubtleCrypto-method-wrapKey">wrapKey</a> operations. In particular, it does
+            not guarantee that the underlying cryptographic key material will not be persisted to
+            disk, possibly unencrypted, nor that it will be inaccessible to users or other
+            applications running with the same privileges as the User Agent. Any application or user
+            that has access to the device storage may be able to recover the key material, even
+            through scripts may be prohibited.
+          </p>
+          <p>
+            This specification places no normative requirements on how implementations handle key
+            material once all references to it go away. That is, conforming user agents are not
+            required to zeroize key material, and it may still be accessible on device storage or
+            device memory, even after all references to the <a href="#dfn-CryptoKey">CryptoKey</a>
+            have gone away.
+          </p>
+          <p>
+            Applications may share a <a href="#dfn-CryptoKey">CryptoKey</a> object across security
+            boundaries, such as origins, through the use of the structured clone algorithm and APIs
+            such as <code>postMessage</code>. While access to the underlying cryptographic key
+            material may be restricted, based upon the <a href="#dfn-CryptoKey-extractable">extractable</a>
+            attribute, once a key is shared with a destination origin, the source origin can not
+            later restrict or revoke access to the key. As such, authors must be careful to ensure
+            they trust the destination origin to take the same mitigations against hostile script
+            that the source origin employs. Further, in the event of script injection on the source
+            origin, attackers may post the key to an origin under attacker control. Any time that
+            the user agent visits the attacker's origin, the user agent may be directed to perform
+            cryptographic operations using that key, such as the decryption of existing messages
+            or the creation of new, fraudulent messages.
+          </p>
+          <p>
+            Authors should be aware that users may, at any time, choose to clear the storage
+            associated with an origin, potentially destroying keys. Applications that are meant to
+            provide long-term storage, such as on the server, should consider techniques such as
+            key escrow to prevent such data from being inaccessible. Authors should not presume
+            that keys will be available indefinitely.
+          </p>
+        </div>
+        <div class="section" id="security-users">
+          <h3>6.3. Security considerations for users</h3>
+          <p>
+            Users of applications that employ the APIs defined in this specification should be aware
+            that these applications will have full access to all messages exchanged, regardless of
+            the cryptography employed. That is, for messages that are encrypted, applications that
+            use these APIs will have full access to the decrypted message as well.
+          </p>
+        </div>
+      </div>
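Review bot: the heading levels inside section 6 are inconsistent: 6.1 and 6.2 are marked up as `<h2>` while 6.3 uses `<h3>`, and the section's own title is already `<h2>6. Security considerations</h2>`, so 6.1 and 6.2 should be demoted to `<h3>` to keep the subsection structure (and any generated table of contents) correct. Two small text fixes in the same region: the sentence ending `(e.g., such as through the use of postMessage)` in 6.1 is missing its closing period, and `even through scripts may be prohibited` in 6.2 should read `even though scripts may be prohibited`.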
+
+      <div id="privacy" class="section">
+        <h2>7. Privacy considerations</h2>
+        <p class="norm">This section is non-normative.</p>
+        <dl>
+          <dt>Fingerprinting</dt>
+          <dd>
+            By exposing additional APIs that reflect capabilities of the underlying platform, this
+            specification may allow malicious applications to determine or distinguish different
+            user agents or devices.
+          </dd>
+          <dt>Super-cookies</dt>
+          <dd>
+            This specification does not provide any means for malicious applications to create
+            identifiers that outlive existing web storage technologies. However, care must be taken
+            when introducing future revisions to this API or additional cryptographic capabilities,
+            such as those that are hardware backed (e.g.: smart cards or Trusted Platform Modules).
+            Considering that such storage is designed to prevent any two users from having the same
+            underlying key data, such APIs may represent a real risk of being used as a permanent
+            identifier against the user's wishes.
+          </dd>
+        </dl>
+      </div>
+
+      <div id="dependencies" class="section">
+        <h3>8. Dependencies</h3>
+        <p>This specification relies on underlying specifications.</p>
+        <dl>
+          <dt>DOM</dt>
+          <dd>
+            <p>
+              A <a href="#dfn-conforming-implementation">conforming user agent</a> MUST support at
+              least the subset of the functionality defined in DOM4 that this specification relies
+              upon; in particular, it MUST support <code>Promises</code> and
+              <dfn id="dfn-DOMException">DOMException</dfn>.
+              [<a href="#DOM4">DOM4</a>]
+            </p>
+          </dd>
+          <dt>HTML</dt>
+          <dd>
+            <p>
+              A <a href="#dfn-conforming-implementation">conforming user agent</a> MUST support at
+              least the subset of the functionality defined in HTML that this specification relies
+              upon; in particular, it MUST support the
+              <a href="#dfn-ArrayBufferView">ArrayBufferView</a> typedef and the
+              <a href="#dfn-structured-clone">structured clone</a> algorithm.
+              [<a href="#HTML">HTML</a>]
+            </p>
+          </dd>
+          <dt>Web IDL</dt>
+          <dd>
+            <p>
+              A <a href="#dfn-conforming-implementation">conforming user agent</a> MUST be a
+              conforming implementation of the IDL fragments in this specification, as described in
+              the Web IDL specification. [<a href="#WebIDL">WebIDL</a>]
+            </p>
+          </dd>
+        </dl>
+      </div>
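Review bot: `<h3>8. Dependencies</h3>` is the only top-level section heading here that is not an `<h2>`; the neighbouring sections (`<h2>7. Privacy considerations</h2>`, `<h2>9. Terminology</h2>`) use `<h2>`, so this one should match. Also, the HTML dependency entry links the structured clone algorithm as `<a href="#dfn-structured-clone">`, but the Terminology section defines it as `<dfn id="structured-clone">`; one of the two needs to change or the fragment link will not resolve.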
+   
+      <div id="terminology" class="section">
+        <h2>9. Terminology</h2>
+        <p>
+          The terms and algorithms
+          <dfn id="dfn-ArrayBuffer">ArrayBuffer</dfn>,
+          <dfn id="dfn-ArrayBufferView">ArrayBufferView</dfn>, and
+          <dfn id="structured-clone">structured clone</dfn>,
+          are defined by the HTML specification [<a href="#HTML">HTML</a>].
+        </p>
+        <p>
+          The terms <dfn id="dfn-DOMString">DOMString</dfn> and
+          <dfn id="BufferSource">BufferSource</dfn> are defined in [<cite><a href="#WebIDL">WebIDL</a></cite>].
+        </p>
+        <p>
+          An <dfn id="dfn-octet-string">octet string</dfn> is an ordered sequence of zero or more
+          integers, each in the range 0 to 255 inclusive.
+        </p>
+        <p>
+          Comparing two strings in a <dfn id="case-sensitive">case-sensitive</dfn>
+          manner means comparing them exactly, code point for code point.
+        </p>
+        <p>
+          Comparing two strings in a <dfn id="case-insensitive">ASCII case-insensitive</dfn> manner
+          means comparing them exactly, code point for code point, except that the codepoints in
+          the range U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and
+          the corresponding codepoints in the range U+0061 .. U+007A
+          (i.e. LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are also considered to match.
+        </p>
+        <p>
+          When this specification says to <dfn id="terminate-the-algorithm">terminate the
+          algorithm</dfn>, the user agent must terminate the algorithm after finishing the step it
+          is on. The algorithm referred to is the set of specification-defined processing steps,
+          rather than the underlying cryptographic algorithm that may be in the midst of processing.
+        </p>
+        <p>
+          When this specification says to <dfn id="concept-parse-an-asn1-structure">parse an ASN.1
+          structure</dfn>, the user agent must perform the following steps:
+        </p>
+        <ol>
+          <li>
+            <p>
+              Let <var>data</var> be a sequence of bytes to be parsed.
+            </p>
+          </li>
+          <li>
+            <p>
+              Let <var>structure</var> be the ASN.1 structure to be parsed.
+            </p>
+          </li>
+          <li>
+            <p>
+              Let <var>exactData</var> be an optional boolean value. If it is not supplied,
+              let it be initialized to <code>true</code>.
+            </p>
+          </li>
+          <li>
+            <p>
+              Parse <var>data</var> according to the Distinguished Encoding Rules of
+              <a href="#X690">X.690 (11/08)</a>, using <var>structure</var> as the ASN.1 structure
+              to be decoded.
+            </p>
+          </li>
+          <li>
+            <p>
+              If <var>exactData</var> was specified, and all of the bytes of <var>data</var> were
+              not consumed during the parsing phase, then
+              <a href="#concept-throw">throw</a> a
+              <a href="#dfn-DataError"><code>DataError</code></a>.
+            </p>
+          </li>
+          <li>
+            <p>
+              Return the parsed ASN.1 structure.
+            </p>
+          </li>
+        </ol>
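Review bot: step 5 of the parse-an-ASN.1-structure algorithm tests `If exactData was specified`, but step 3 initializes exactData to `true` when it is not supplied, so the default set up in step 3 is never acted on and a caller that omits exactData gets no trailing-data check. The condition should read `If exactData is true, and all of the bytes of data were not consumed`. The two callers visible here (parse a subjectPublicKeyInfo and parse a PrivateKeyInfo) pass exactData explicitly as `true`, so only the default path is affected.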
+        <p>
+          When this specification says to <dfn id="concept-parse-a-spki">parse a
+          subjectPublicKeyInfo</dfn>, the user agent must
+          <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>, with
+          <var>data</var> set to the sequence of bytes to be parsed, <var>structure</var> as the
+          ASN.1 structure of subjectPublicKeyInfo, as specified in <a href="#RFC5280">RFC 5280</a>,
+          and <var>exactData</var> set to <code>true</code>.
+        </p>
+        <p>
+          When this specification says to <dfn id="concept-parse-a-privateKeyInfo">parse a
+          PrivateKeyInfo</dfn>, the user agent must <a href="#concept-parse-an-asn1-structure">parse
+          an ASN.1 structure</a> with <var>data</var> set to the sequence of bytes to be parsed,
+          <var>structure</var> as the ASN.1 structure of PrivateKeyInfo, as specified in
+          <a href="#RFC5208">RFC 5208</a>, and <var>exactData</var> set to <code>true</code>.
+        </p>
+        <p>
+          When this specification says to <dfn id="concept-parse-a-jwk">parse a JWK</dfn>, the user
+          agent must run the following steps:
+        </p>
+        <ol>
+          <li>
+            <p>
+              Let <var>data</var> be the sequence of bytes to be parsed.
+            </p>
+          </li>
+          <li>
+            <p>
+              Let <var>json</var> be the Unicode string that results from interpreting
+              <var>data</var> according to UTF-8.
+            </p>
+          </li>
+          <li>
+            <p>
+              Convert <var>json</var> to UTF-16.
+            </p>
+          </li>
+          <li>
+            <p>
+              Let <var>result</var> be the object literal that results from executing the
+              <code>JSON.parse</code> internal function, with <code>text</code>
+              argument set to a JavaScript String containing <var>json</var>.
+            </p>
+          </li>
+          <li>
+            <p>
+              Let <var>key</var> be the result of converting <var>result</var> to the IDL dictionary
+              type of <a href="#dfn-JsonWebKey">JsonWebKey</a>.
+            </p>
+          </li>
+          <li>
+            <p>
+              If the <code>"kty"</code> field of <var>key</var> is not defined, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+            </p>
+          </li>
+          <li>
+            <p>
+              Return <var>key</var>.
+            </p>
+          </li>
+        </ol>
+        <p>
+          When this specification says to <dfn id="concept-clone-BufferSource">clone the
+          data</dfn> of a <a href="http://heycam.github.io/WebIDL/#common-BufferSource">BufferSource</a> object
+          <var>data</var>, the user agent must run the following steps:
+        </p>
+        <dl class="switch">
+          <dt>
+            If <var>data</var> is an <code>ArrayBuffer</code>:
+          </dt>
+          <dd>
+            Return the result of invoking the <code>ArrayBuffer.prototype.slice</code> method on
+            <var>data</var>, with the <var>start</var> value set to the integer 0, and the
+            <var>end</var> value set to the value of the [[ArrayBufferByteLength]] internal slot
+            of <var>data</var>.
+          </dd>
+          <dt>
+            If <var>data</var> is an <code>ArrayBufferView</code>:
+          </dt>
+          <dd>
+            <ol>
+              <li>
+                <p>
+                  Let <var>buffer</var> be the value of the [[ViewedArrayBuffer]] internal slot
+                  of <var>data</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>start</var> be the value of the [[ByteOffset]] internal slot of
+                  <var>data</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>end</var> be the value of the [[ByteLength]] internal slot of
+                  <var>data</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>relativeEnd</var> be <var>start</var>+<var>end</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return the result of invoking the <code>ArrayBuffer.prototype.slice</code> method
+                  on <var>buffer</var>, with the <var>start</var> value set to <var>start</var> and
+                  the <var>end</var> value set to <var>relativeEnd</var>.
+                </p>
+              </li>
+            </ol>
+          </dd>
+        </dl>
+        <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+          <p>
+            The above definition makes heavy use of directly accessing the internal slot values,
+            defined in <a href="#ECMA-262">ECMA262</a>. The motivation for this is to avoid issues
+            that might arise with authors defining custom getters/setters on such objects. However,
+            it has the downside of avoiding the error control statements defined in the
+            <code>%TypedArray%.prototype</code> getters and <code>ArrayBuffer.prototype</code>
+            getters, which would be desirable.
+          </p>
+          <p>
+            It is assumed that the Web IDL conversion rules will perform the necessary type checks,
+            and that as a result of these checks, it is guaranteed that the internal slots will
+            always have valid values for the above algorithm. However, that assumption may not be
+            safe to make.
+          </p>
+        </div>
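Review bot: the variable named end in the step "Let end be the value of the [[ByteLength]] internal slot of data" holds a length, not an end offset, and is then added to start to form relativeEnd; renaming it length (or byteLength) would make the final ArrayBuffer.prototype.slice call read correctly at a glance. The editorial note above also leaves an open question for a CR snapshot: because the algorithm bypasses the %TypedArray%.prototype and ArrayBuffer.prototype getters, the steps should say explicitly what happens when an internal slot does not hold a usable value (for example, throw a TypeError) rather than rely on the Web IDL conversion assumption the note itself calls unsafe.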
+        <p>
+          When this specification states to supply the <dfn id="concept-contents-of-arraybuffer">
+          contents of an ArrayBuffer</dfn> named <var>data</var> to an underlying cryptographic
+          implementation, the User Agent shall supply a contiguous sequence of bytes that is equal
+          to the contents of the Data Block value of the [[ArrayBufferData]] internal slot of
+          <var>data</var>, and whose length in bytes is equal to the [[ArrayBufferByteLength]]
+          internal slot of <var>data</var>.
+        </p>
+        <p>
+          When this specification says to calculate the <dfn id="concept-usage-intersection">usage
+          intersection</dfn> of two sequences, <var>a</var> and <var>b</var> the result shall be a
+          sequence containing each <a href="#dfn-RecognizedKeyUsage">recognized key usage value</a>
+          that appears in both <var>a</var> and <var>b</var>, in the order listed in the list of
+          <a href="#dfn-RecognizedKeyUsage">recognized key usage values</a>, where a value is said
+          to appear in a sequence if an element of the sequence exists that is a case-sensitive string
+          match for that value.
+        </p>
+        <p>
+          When this specification says to calculate the <dfn id="concept-normalized-usages">
+          normalized value of a usages list</dfn>, <var>usages</var> the result shall be the
+          <a href="#concept-usage-intersection">usage intersection</a> of <var>usages</var> and a
+          sequence containing all <a href="#dfn-RecognizedKeyUsage">recognized key usage values</a>.
+        </p>
+        <p>
+          When this specification refers to the <dfn id="concept-cached-object">cached ECMAScript
+          object</dfn> associated with an internal slot [[<var>slot</var>]] of <var>object</var>,
+          the user agent must run the following steps:
+        </p>
+        <ol>
+          <li>
+            <dl class="switch">
+              <dt>
+                If the [[<var>slot</var>_cached]] internal slot of <var>object</var> is undefined:
+              </dt>
+              <dd>
+                Set the [[<var>slot</var>_cached]] internal slot of <var>object</var> to the result
+                of performing type conversion to an ECMAScript object as defined in
+                [<a href="#WebIDL">WebIDL</a>] to the contents of the [[<var>slot</var>]]
+                internal slot of <var>object</var>.
+              </dd>
+            </dl>
+          </li>
+          <li>
+            Return the contents of the [[<var>slot</var>_cached]] internal slot of <var>object</var>.
+          </li>
+        </ol>
+      </div>
+      
+      <div id="crypto-interface" class="section">
+        <h2>10. Crypto interface</h2>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+[NoInterfaceObject]
+interface <dfn id="dfn-GlobalCrypto">GlobalCrypto</dfn> {
+  readonly attribute <a href="#dfn-Crypto">Crypto</a> crypto;
+};
+
+Window implements GlobalCrypto;
+WorkerGlobalScope implements GlobalCrypto;        
+        
+[Exposed=(Window,Worker)]
+interface <dfn id="dfn-Crypto">Crypto</dfn> {
+  readonly attribute <a href="#dfn-SubtleCrypto">SubtleCrypto</a> subtle;
+  ArrayBufferView <a href="#dfn-Crypto-method-getRandomValues">getRandomValues</a>(ArrayBufferView array);
+};
+        </code></pre></div></div>
+
+        <div id="Crypto-description" class="section">
+          <h3>10.1. Description</h3>
+          <p>
+            The <a href="#dfn-Crypto">Crypto</a> interface represents an interface to
+            general purpose cryptographic functionality including a
+            cryptographically strong pseudo-random number generator seeded with truly random values.
+          </p>
+          <div class="note"><div class="noteHeader">Note</div>
+            Implementations should generate cryptographically random values using
+            well-established cryptographic pseudo-random number generators seeded with high-quality
+            entropy, such as from an operating-system entropy source (e.g., "/dev/urandom"). This
+            specification provides no lower-bound on the information theoretic entropy present in
+            cryptographically random values, but implementations should make a best effort to provide
+            as much entropy as practicable.
+          </div>
+          <div class="note"><div class="noteHeader">Note</div>
+            This interface defines a synchronous method for obtaining cryptographically random
+            values. While some devices and implementations may support truly random cryptographic
+            number generators or provide interfaces that block when there is insufficient entropy,
+            implementations are discouraged from using these sources when implementing
+            getRandomValues, both for performance and to avoid depleting the system of entropy.
+            Instead, these sources should be used to seed a cryptographic pseudo-random number
+            generator that can then return suitable values efficiently.
+          </div>
+        </div>
+        <div id="Crypto-interface-methods" class="section">
+          <h3>10.2. Methods and Parameters</h3>
+          <div id="Crypto-method-getRandomValues" class="section">
+            <h4>10.2.1. The getRandomValues method</h4>
+            <p>
+              The <dfn id="dfn-Crypto-method-getRandomValues"><code>getRandomValues</code></dfn>
+              method generates cryptographically random values. It must act as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  If <var>array</var> is not of an integer type (i.e., Int8Array, Uint8Array,
+                  Int16Array, Uint16Array, Int32Array, or Uint32Array), <a href="#concept-throw">throw</a> a
+                  <code>TypeMismatchError</code> and
+                  <a href="#terminate-the-algorithm">terminate the algorithm</a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <code>byteLength</code> of <var>array</var> is greater than 65536, <a href="#concept-throw">throw</a> a
+                  <code>QuotaExceededError</code> and
+                  <a href="#terminate-the-algorithm">terminate the algorithm</a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Overwrite all elements of <var>array</var> with cryptographically random values of
+                  the appropriate type.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>array</var>.
+                </p>
+              </li>
+            </ol>
+            <div class="note"><div class="noteHeader">Note</div>
+              <p>
+                Do not generate keys using the <code>getRandomValues</code> method. Use the
+                <a href="#dfn-SubtleCrypto-method-generateKey"><code>generateKey</code></a> method
+                instead.
+              </p>
+            </div>
+          </div>
+        </div>
+        <div id="Crypto-interface-attributes" class="section">
+          <h3>10.3. Attributes</h3>
+          <div id="Crypto-attribute-subtle" class="section">
+            <h4>10.3.1. The subtle attribute</h4>
+            <p>
+              The <dfn id="dfn-Crypto-attribute-subtle"><code>subtle</code></dfn> attribute provides
+              an instance of the <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface which provides
+              low-level cryptographic primitives and algorithms.
+            </p>
+          </div>
+        </div>
+      </div>
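Review bot: the integer-type list in step 1 of getRandomValues (Int8Array, Uint8Array, Int16Array, Uint16Array, Int32Array, Uint32Array) omits Uint8ClampedArray, which is also an integer typed array in ECMAScript; either add it to the list or state that it is deliberately rejected, since as written an implementation would throw TypeMismatchError for a Uint8ClampedArray while accepting a Uint8Array of the same bytes.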
+
+      <div id="algorithm-dictionary" class="section">
+        <h2>11. Algorithm dictionary</h2>
+        <p>
+          The Algorithm object is a dictionary object [<cite><a href="#WebIDL">WebIDL</a></cite>]
+          which is used to specify an algorithm and any additional parameters required to fully
+          specify the desired operation.
+        </p>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+typedef (object or DOMString) <dfn id="dfn-AlgorithmIdentifier">AlgorithmIdentifier</dfn>;
+
+typedef <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> <dfn id="dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</dfn>;
+
+dictionary <dfn id="dfn-Algorithm">Algorithm</dfn> {
+  required DOMString <a href="#dfn-Algorithm-name">name</a>;
+};
+        </code></pre></div></div>
+        <div id="algorithm-dictionary-members" class="section">
+          <h3>11.1. <a href="#dfn-Algorithm">Algorithm</a> Dictionary Members</h3>
+          <dl>
+            <dt id="dfn-Algorithm-name">
+              <code>name</code>
+            </dt>
+            <dd>
+              The name of the <a href="#algorithms">registered algorithm</a> to use.
+            </dd>
+          </dl>
+        </div>
+      </div>
+
+      <div id="key-algorithm-dictionary" class="section">
+        <h2>12. KeyAlgorithm dictionary</h2>
+        <p>
+          The KeyAlgorithm dictionary represents information about the contents of a given
+          <a href="#dfn-CryptoKey">CryptoKey</a> object.
+        </p>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-KeyAlgorithm">KeyAlgorithm</dfn> {
+  required DOMString <a href="#dfn-KeyAlgorithm-name">name</a>
+};
+        </code></pre></div></div>
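Review bot: the KeyAlgorithm dictionary member "required DOMString name" is missing its terminating semicolon, so this IDL block does not parse as Web IDL; compare the Algorithm dictionary in section 11, which reads "required DOMString name;".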
+        <div id="key-algorithm-dictionary-description" class="section">
+          <h3>12.1. Description</h3>
+          <p class="norm">This section is non-normative</p>
+          <p>
+            The <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a> dictionary is provided to aid in
+            documenting how fixed, public properties of a <a href="#dfn-CryptoKey">CryptoKey</a>
+            are reflected back to an application. The actual dictionary type is never exposed
+            to applications.
+          </p>
+        </div>
+        <div id="key-algorithm-dictionary-members" class="section">
+          <h3>12.2. KeyAlgorithm dictionary members</h3>
+          <dl>
+            <dt id="dfn-KeyAlgorithm-name">name</dt>
+            <dd>
+              The name of the algorithm used to generate the <a href="#dfn-CryptoKey">CryptoKey</a>
+            </dd>
+          </dl>
+        </div>
+      </div>
+          
+      <div id="cryptokey-interface" class="section">
+        <h2>13. CryptoKey interface</h2>
+        <p>
+          The CryptoKey object represents an opaque reference to keying material that is managed by
+          the user agent.
+        </p>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+enum <a href="#dfn-KeyType">KeyType</a> { "public", "private", "secret" };
+
+enum <a href="#dfn-KeyUsage">KeyUsage</a> { "encrypt", "decrypt", "sign", "verify", "deriveKey", "deriveBits", "wrapKey", "unwrapKey" };
+
+[Exposed=(Window,Worker)]
+interface <dfn id="dfn-CryptoKey">CryptoKey</dfn> {
+  readonly attribute <a href="#dfn-KeyType">KeyType</a> <a href="#dfn-CryptoKey-type">type</a>;
+  readonly attribute boolean <a href="#dfn-CryptoKey-extractable">extractable</a>;
+  readonly attribute object <a href="#dfn-CryptoKey-algorithm">algorithm</a>;
+  readonly attribute object <a href="#dfn-CryptoKey-usages">usages</a>;
+};
+        </code></pre></div></div>
+        <div id="cryptokey-interface-description" class="section">
+          <h3>13.1. Description</h3>
+          <p class="norm">This section is non-normative</p>
+          <p>
+            This specification provides a uniform interface for many different kinds of keying
+            material managed by the user agent. This may include keys that have been generated by
+            the user agent, derived from other keys by the user agent, imported to the user agent
+            through user actions or using this API, pre-provisioned within software or hardware to
+            which the user agent has access or made available to the user agent in other ways. The
+            term key refers broadly to any keying material including actual keys for cryptographic
+            operations and secret values obtained within key derivation or exchange operations.
+          </p>
+          <p>
+            The CryptoKey object is not required to directly interface with the underlying key
+            storage mechanism, and may instead simply be a reference for the user agent to
+            understand how to obtain the keying material when needed, eg. when performing a
+            cryptographic operation.
+          </p>
+        </div>
+
+        <div id="cryptokey-interface-types" class="section">
+          <h3>13.2. Key interface data types</h3>
+          <dl>
+            <dt id="dfn-KeyType"><code>KeyType</code></dt>
+            <dd>
+              The type of a key. The <dfn id="dfn-RecognizedKeyType">recognized key type values</dfn>
+              are <code>"public"</code>, <code>"private"</code> and <code>"secret"</code>.
+              Opaque keying material, including that used for symmetric algorithms, is represented by
+              <code>"secret"</code>, while keys used as part of asymmetric algorithms composed of
+              public/private keypairs will be either <code>"public"</code> or <code>"private"</code>.
+            </dd>
+            <dt id="dfn-KeyUsage"><code>KeyUsage</code></dt>
+            <dd>
+              A type of operation that may be performed using a key. The
+              <dfn id="dfn-RecognizedKeyUsage">recognized key usage values</dfn> are
+              <code>"encrypt"</code>,
+              <code>"decrypt"</code>,
+              <code>"sign"</code>,
+              <code>"verify"</code>,
+              <code>"deriveKey"</code>,
+              <code>"deriveBits"</code>,
+              <code>"wrapKey"</code> and
+              <code>"unwrapKey"</code>.
+            </dd>
+          </dl>
+        </div>
+        
+        <div id="cryptokey-interface-internal-slots" class="section">
+          <h3>13.3. CryptoKey internal slots</h3>
+          <p>
+            Every <code>CryptoKey</code> object has a set of internal slots that store information
+            about the key. These slots are not exposed as part of this specification; they
+            represent internal state that an implementation uses to implement this specification.
+            The notational convention used in [<a href="#ECMA-262">ECMA-262</a>] is re-used here; internal
+            slots are identified by names enclosed in double square brackets [[ ]].
+          </p>
+          <p>
+            All <code>CryptoKey</code> objects have internal slots named
+            [[<dfn id="dfn-CryptoKey-slot-type">type</dfn>]],
+            [[<dfn id="dfn-CryptoKey-slot-extractable">extractable</dfn>]],
+            [[<dfn id="dfn-CryptoKey-slot-algorithm">algorithm</dfn>]],
+            [[<dfn id="dfn-CryptoKey-slot-algorithm_cached">algorithm_cached</dfn>]],
+            [[<dfn id="dfn-CryptoKey-slot-usages">usages</dfn>]],
+            [[<dfn id="dfn-CryptoKey-slot-usages_cached">usages_cached</dfn>]], and
+            [[<dfn id="dfn-CryptoKey-slot-handle">handle</dfn>]].
+          </p>
+          <p>
+            The contents of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+            slot shall be, or be derived from, a <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a>.
+            The contents of the [[<a href="#dfn-CryptoKey-slot-algorithm">usages</a>]] internal
+            slot shall be of type Sequence&lt;KeyUsage&gt;.
+          </p>
+          <p class="note">
+            The [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] slot is an opaque type that
+            contains whatever data the underlying cryptographic implementation uses to represent a
+            logical key. Different cryptographic implementations may use different types, ranging
+            from opaque identifiers represented as integers, pointer types, or structures that
+            provide identifying information. These handles are never exposed to applications.
+          </p>
+        </div>
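Review bot: in the sentence "The contents of the [[usages]] internal slot shall be of type Sequence<KeyUsage>", the usages link points at #dfn-CryptoKey-slot-algorithm instead of #dfn-CryptoKey-slot-usages, and Web IDL spells the type sequence<KeyUsage> with a lowercase s, matching the keyUsages parameters in the SubtleCrypto IDL.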
+
+        <div id="cryptokey-interface-members" class="section">
+          <h3>13.4. CryptoKey interface members</h3>
+          <dl>
+            <dt id="dfn-CryptoKey-type"><code>type</code></dt>
+            <dd>
+              Reflects the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot,
+              which contains the type of the underlying key.
+            </dd>
+            <dt id="dfn-CryptoKey-extractable"><code>extractable</code></dt>
+            <dd>
+              Reflects the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+              slot, which indicates whether or not the raw keying material may be exported by the
+              application.
+            </dd>
+            <dt id="dfn-CryptoKey-algorithm"><code>algorithm</code></dt>
+            <dd>
+              Returns the <a href="#concept-cached-object">cached ECMAScript object</a>
+              associated with the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot.
+            </dd>
+            <dt id="dfn-CryptoKey-usages"><code>usages</code></dt>
+            <dd>
+              Returns the <a href="#concept-cached-object">cached ECMAScript object</a>
+              associated with the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot,
+              which indicates which cryptographic operations are permissible to be used with this key.
+            </dd>
+          </dl>
+        </div>
+
+        <div id="cryptokey-interface-clone" class="section">
+          <h3>13.5. Structured clone algorithm</h3>
+          <p>
+            When a user agent is required to obtain a <a href="#dfn-structured-clone">structured clone</a>
+            of a <a href="#dfn-CryptoKey">CryptoKey</a> object, it must run the following steps.
+          </p>
+          <ol>
+            <li>
+              Let <var>input</var> and <var>memory</var> be the corresponding inputs defined by the
+              <a href="#dfn-structured-clone">internal structured cloning algorithm</a>, where
+              <var>input</var> represents a <a href="#dfn-CryptoKey">CryptoKey</a> object to be
+              cloned.
+            </li>
+            <li>
+              Let <var>output</var> be a newly constructed <a href="#dfn-CryptoKey">CryptoKey</a>
+              object.
+            </li>
+            <li>
+              Let the [[<a href="#dfn-CryptoKey-slot-type">type</a>]], <a href="#dfn-CryptoKey-slot-extractable">[[extractable]]</a>, <a href="#dfn-CryptoKey-slot-algorithm">[[algorithm]]</a>, and <a href="#dfn-CryptoKey-slot-usages">[[usages]]</a> internal slots of <var>output</var>
+              be set to the result of invoking the internal structured clone algorithm recursively
+              on the corresponding internal slots of <var>input</var>, with the slot contents as the
+              new "<var>input</var>" argument and <var>memory</var> as the new "<var>memory</var>"
+              argument.
+            </li>
+            <li>
+              Let the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+              <var>output</var> refer to the same cryptographic key data represented by the
+              [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>input</var>.
+            </li>
+          </ol>
+          <div class="note"><div class="noteHeader">Note</div>
+            <strong>Implementation Note:</strong> When performing the structured clone algorithm in
+            order to serialize a <code>CryptoKey</code> object, implementations must not allow the
+            object to be deserialized as a different type. This is normatively required by the
+            definition of structured clone, but it merits specific attention, as such
+            deserialization may expose the contents of the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot, which in some
+            implementations may contain cryptographic key data that should not be exposed to
+            applications.
+          </div>
+        </div>
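Review bot: the bracket markup in step 3 of the structured clone algorithm is inconsistent: [[type]] places the double brackets outside the link, while [[extractable]], [[algorithm]] and [[usages]] place them inside the link text; use one form, preferably brackets outside the link as the rest of this section and section 13.3 do.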
+      </div>
+
+      <div id="subtlecrypto-interface" class="section">
+        <h2>14. SubtleCrypto interface</h2>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+enum <a href="#dfn-KeyFormat"><code>KeyFormat</code></a> { "raw", "spki", "pkcs8", "jwk" };
+
+[Exposed=(Window,Worker)]
+interface <dfn id="dfn-SubtleCrypto">SubtleCrypto</dfn> {
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-encrypt">encrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                       <a href="#dfn-CryptoKey">CryptoKey</a> key,
+                       BufferSource data);
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-decrypt">decrypt</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                       <a href="#dfn-CryptoKey">CryptoKey</a> key,
+                       BufferSource data);
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-sign">sign</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                    <a href="#dfn-CryptoKey">CryptoKey</a> key,
+                    BufferSource data);
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-verify">verify</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                      <a href="#dfn-CryptoKey">CryptoKey</a> key,
+                      BufferSource signature,
+                      BufferSource data);
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-digest">digest</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                      BufferSource data);
+
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-generateKey">generateKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                          boolean extractable,
+                          sequence&lt;<a href="#dfn-KeyUsage">KeyUsage</a>&gt; keyUsages );
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-deriveKey">deriveKey</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                         <a href="#dfn-CryptoKey">CryptoKey</a> baseKey,
+                         <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> derivedKeyType,
+                         boolean extractable,
+                         sequence&lt;<a href="#dfn-KeyUsage">KeyUsage</a>&gt; keyUsages );
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-deriveBits">deriveBits</a>(<a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                          <a href="#dfn-CryptoKey">CryptoKey</a> baseKey,
+                          unsigned long length);
+  
+  <span class="comment">// TBD: <a href="https://www.w3.org/2012/webcrypto/track/issues/35">ISSUE-35</a></span>
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-importKey">importKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
+                         (BufferSource or JsonWebKey) keyData,
+                         <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> algorithm,
+                         boolean extractable,
+                         sequence&lt;<a href="#dfn-KeyUsage">KeyUsage</a>&gt; keyUsages );
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-exportKey">exportKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format, <a href="#dfn-CryptoKey">CryptoKey</a> key);
+
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-wrapKey">wrapKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
+                       <a href="#dfn-CryptoKey">CryptoKey</a> key,
+                       <a href="#dfn-CryptoKey">CryptoKey</a> wrappingKey,
+                       <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> wrapAlgorithm);
+  Promise&lt;any&gt; <a href="#dfn-SubtleCrypto-method-unwrapKey">unwrapKey</a>(<a href="#dfn-KeyFormat">KeyFormat</a> format,
+                         BufferSource wrappedKey,
+                         <a href="#dfn-CryptoKey">CryptoKey</a> unwrappingKey,
+                         <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> unwrapAlgorithm,
+                         <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> unwrappedKeyAlgorithm,
+                         boolean extractable,
+                         sequence&lt;<a href="#dfn-KeyUsage">KeyUsage</a>&gt; keyUsages );
+};
+        </code></pre></div></div>
+        <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+          <ul>
+            <li>
+              <a href="https://www.w3.org/2012/webcrypto/track/issues/35">ISSUE-35</a>:
+              The specification for wrapKey/unwrapKey does not specify how authors that do not trust
+              the execution environment may indicate required attributes for keys that are
+              unwrapped. An example is unwrapping a key with a non-extractable key, marking
+              the newly unwrapped key as non extractable, and then further indicating that all
+              keys unwrapped with the newly unwrapped key are also non-extractable.
+            </li>
+          </ul>
+        </div>
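Review bot: the "// TBD: ISSUE-35" comment in the IDL sits directly above importKey, but the editorial note that follows describes ISSUE-35 as a wrapKey/unwrapKey issue; move the comment to the wrapKey/unwrapKey declarations so readers are not led to think importKey is affected. Separately, every method is declared as Promise<any>, so the type a caller receives (for example, the ciphertext with which encrypt resolves its promise) is only discoverable from the algorithm steps; a short per-method statement of the resolved value type would help both implementers and authors.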
+        <div id="subtlecrypto-interface-description" class="section">
+          <h3>14.1. Description</h3>
+          <p class="norm">This section is non-normative.</p>
+          <p>
+            The <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface provides a set of
+            methods for dealing with low-level cryptographic primitives and algorithms. It is
+            named <code>SubtleCrypto</code> to reflect the fact that many of these algorithms
+            have subtle usage requirements in order to provide the required algorithmic
+            security guarantees.
+          </p>
+          <p>
+            For example, the direct use of an unauthenticated encryption scheme, such as
+            <a href="#aes-ctr">AES in counter mode</a>, gives potential attackers the ability to
+            manipulate bits in the output by manipulating bits in the input, compromising the
+            integrity of the message. However, AES-CTR can be used securely in combination
+            with other cryptographic primitives, such as message authentication codes, to ensure
+            the integrity of the protected message, but only when the message authentication
+            code is constructed over the encrypted message and IV.
+          </p>
+          <p>
+            Developers making use of the SubtleCrypto interface are expected to be aware of the
+            security concerns associated with both the design and implementation of the various
+            algorithms provided. The raw algorithms are provided in order to allow developers
+            maximum flexibility in implementing a variety of protocols and applications, each of
+            which may represent the composition and security parameters in a unique manner that
+            necessitate the use of the raw algorithms.
+          </p>
+        </div>
+
+        <div id="subtlecrypto-interface-datatypes" class="section">
+          <h3>14.2. Data Types</h3>
+          <dl>
+            <dt id="dfn-KeyFormat"><code>KeyFormat</code></dt>
+            <dd>
+              Specifies a serialization format for a key. The <dfn id="dfn-RecognizedKeyFormats">recognized key format values</dfn> are:
+              <dl>
+                <dt><code>"raw"</code></dt>
+                <dd>An unformatted sequence of bytes. Intended for secret keys.</dd>
+                <dt><code>"pkcs8"</code></dt>
+                <dd>The DER encoding of the PrivateKeyInfo structure from <a href="#RFC5208">RFC 5208</a>.</dd>
+                <dt><code>"spki"</code></dt>
+                <dd>The DER encoding of the SubjectPublicKeyInfo structure from <a href="#RFC5280">RFC 5280</a>.</dd>
+                <dt><code>"jwk"</code></dt>
+                <dd>The key is a <a href="#dfn-JsonWebKey">JsonWebKey</a> dictionary encoded as a JavaScript object</dd>
+              </dl>
+            </dd>
+          </dl>
+        </div>
+
+        <div id="subtlecrypto-interface-methods" class="section">
+          <h3>14.3. Methods and Parameters</h3>
+          <div class="note"><div class="noteHeader">Note</div>
+            <p>
+              All errors are reported asynchronously by rejecting the returned
+              Promise. This includes Web IDL type mapping errors.
+            </p>
+          </div>
+          <div id="SubtleCrypto-method-encrypt" class="section">
+            <h4>14.3.1. The encrypt method</h4>
+            <p>
+              The <dfn id="dfn-SubtleCrypto-method-encrypt"><code>encrypt</code></dfn>
+              method returns a new Promise object that will encrypt data using
+              the specified 
+              <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
+              the supplied <a href="#dfn-CryptoKey"><code>CryptoKey</code></a>. It must act
+              as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var> and <var>key</var> be the
+                  <code>algorithm</code> and <code>key</code> parameters
+                  passed to the <a href="#dfn-SubtleCrypto-method-encrypt">encrypt</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>data</var> be the result of <a href="#concept-clone-BufferSource">
+                  cloning the data</a> of the <code>data</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-encrypt">encrypt</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"encrypt"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>key</var> does not contain an entry that is <code>"encrypt"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>ciphertext</var> be the result of performing the encrypt
+                  operation specified by <var>normalizedAlgorithm</var> using <var>algorithm</var>
+                  and <var>key</var> and with <var>data</var> as <var>plaintext</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with <var>ciphertext</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="SubtleCrypto-method-decrypt" class="section">
+            <h4>14.3.2. The decrypt method</h4>
+            <p>
+              The <dfn id="dfn-SubtleCrypto-method-decrypt"><code>decrypt</code></dfn>
+              method returns a new Promise object that will decrypt data using the specified
+              <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with
+              the supplied <a href="#dfn-CryptoKey"><code>CryptoKey</code></a>. It must act
+              as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var> and <var>key</var> be the
+                  <code>algorithm</code> and <code>key</code>parameters
+                  passed to the <a href="#dfn-SubtleCrypto-method-decrypt">decrypt</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>data</var> be the result of <a href="#concept-clone-BufferSource">
+                  cloning the data</a> of the <code>data</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-decrypt">decrypt</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"decrypt"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>key</var> does not contain an entry that is <code>"decrypt"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>plaintext</var> be the result of performing the decrypt
+                  operation specified by <var>normalizedAlgorithm</var> using <var>key</var>
+                  and <var>algorithm</var>
+                  and with <var>data</var> as <var>ciphertext</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>plaintext</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
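Review bot: Missing space in step 1 of the decrypt method: `<code>algorithm</code> and <code>key</code>parameters` renders as "keyparameters"; the encrypt, sign and verify sections all have `<code>key</code> parameters`, so add the space here for consistency.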
+
+          <div id="SubtleCrypto-method-sign" class="section">
+            <h4>14.3.3. The sign method</h4>
+            <p>
+              The <dfn id="dfn-SubtleCrypto-method-sign"><code>sign</code></dfn> method returns a
+              new Promise object that will sign data using the specified <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with the supplied
+              <a href="#dfn-CryptoKey"><code>CryptoKey</code></a>. It must act as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var> and <var>key</var> be the
+                  <code>algorithm</code> and <code>key</code> parameters
+                  passed to the <a href="#dfn-SubtleCrypto-method-sign">sign</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>data</var> be the result of <a href="#concept-clone-BufferSource">
+                  cloning the data</a> of the <code>data</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-sign">sign</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"sign"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>key</var> does not contain an entry that is <code>"sign"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of performing the sign operation
+                  specified by <var>normalizedAlgorithm</var> using <var>key</var> and
+                  <var>algorithm</var> and with <var>data</var> as <var>message</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="SubtleCrypto-method-verify" class="section">
+            <h4>14.3.4. The verify method</h4>
+            <p>
+              The <dfn id="dfn-SubtleCrypto-method-verify"><code>verify</code></dfn> method returns
+              a new Promise object that will verify data using the specified <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a> with the supplied
+              <a href="#dfn-CryptoKey"><code>CryptoKey</code></a>. It must act as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var> and <var>key</var>
+                  be the <code>algorithm</code> and <code>key</code> parameters passed to the
+                  <a href="#dfn-SubtleCrypto-method-verify">verify</a> method, respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>signature</var> be the result of <a href="#concept-clone-BufferSource">
+                  cloning the data</a> of the <code>signature</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-verify">verify</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"verify"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>data</var> be the result of <a href="#concept-clone-BufferSource">
+                  cloning the data</a> of the <code>data</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-verify">verify</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>key</var> does not contain an entry that is <code>"verify"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of performing the verify operation
+                  specified by <var>normalizedAlgorithm</var> using <var>key</var>,
+                  <var>algorithm</var> and
+                  <var>signature</var> and with <var>data</var> as <var>message</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
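Review bot: Step order in the verify method differs from the other methods without an obvious reason: `signature` is cloned before the algorithm is normalized, but `data` is cloned only after the normalization error check, whereas encrypt, decrypt and sign clone `data` immediately after step 1. Either move the `data` clone up next to the `signature` clone or note why the two buffers are snapshotted at different points, since the clone is what protects the operation from the caller mutating the buffer while the promise is pending.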
+
+          <div id="SubtleCrypto-method-digest" class="section">
+            <h4>14.3.5. The digest method</h4>
+            <p>
+              The <dfn id="dfn-SubtleCrypto-method-digest"><code>digest</code></dfn> method returns
+              a new Promise object that will digest data using the specified
+              <a href="#dfn-AlgorithmIdentifier"><code>AlgorithmIdentifier</code></a>.
+              It must act as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var> be the <code>algorithm</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-digest">digest</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>data</var> be the result of <a href="#concept-clone-BufferSource">
+                  cloning the data</a> of the <code>data</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-digest">digest</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"digest"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of performing the digest
+                  operation specified by <var>normalizedAlgorithm</var> using
+                  <var>algorithm</var>, with <var>data</var>
+                  as <var>message</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="SubtleCrypto-method-generateKey" class="section">
+            <h4>14.3.6. The generateKey method</h4>
+             <p>
+              When invoked, <dfn id="dfn-SubtleCrypto-method-generateKey">
+              <code>generateKey</code></dfn> <span class="RFC2119">MUST</span> perform the
+              following steps:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var>, <var>extractable</var> and <var>usages</var>
+                  be the <code>algorithm</code>, <code>extractable</code> and <code>keyUsages</code>
+                  parameters passed to the
+                  <a href="#dfn-SubtleCrypto-method-generateKey">generateKey</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"generateKey"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of executing the generate key operation
+                  specified by <var>normalizedAlgorithm</var> using
+                  <var>algorithm</var>, <var>extractable</var> and <var>usages</var>.
+                </p>
+              </li>
+              <li>
+                <dl class="switch">
+                  <dt>If <var>result</var> is a <a href="#dfn-CryptoKey">CryptoKey</a> object:</dt>
+                  <dd>
+                    <p>
+                      If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                      <var>result</var> is <code>"secret"</code> or <code>"private"</code> and
+                      <var>usages</var> is empty, then <a href="#concept-throw">throw</a> a <a href="#dfn-SyntaxError">SyntaxError</a>.
+                    </p>                  
+                  </dd>
+                  <dt>If <var>result</var> is a <a href="#dfn-CryptoKeyPair">CryptoKeyPair</a> object:</dt>
+                  <dd>
+                    <p>
+                      If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of the
+                      <a href="#dfn-CryptoKeyPair-privateKey">privateKey</a> attribute of
+                      <var>result</var> is the empty sequence, then
+                      <a href="#concept-throw">throw</a> a <a href="#dfn-SyntaxError">SyntaxError</a>.
+                    </p>
+                  </dd>
+                </dl>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+          
+          <div id="SubtleCrypto-method-deriveKey" class="section">
+            <h4>14.3.7. The deriveKey method</h4>
+            <p>
+              When invoked, <dfn id="dfn-SubtleCrypto-method-deriveKey"><code>deriveKey</code></dfn>
+              <span class="RFC2119">MUST</span> perform the following steps:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var>, <var>baseKey</var>, <var>derivedKeyType</var>,
+                  <var>extractable</var> and <var>usages</var> be the <code>algorithm</code>,
+                  <code>baseKey</code>, <code>derivedKeyType</code>, <code>extractable</code> and
+                  <code>keyUsages</code> parameters passed to the <a href="#dfn-SubtleCrypto-method-deriveKey">deriveKey</a> method, respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"deriveBits"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedDerivedKeyAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>derivedKeyType</var> and <code>op</code> set to
+                  <code>"importKey"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedDerivedKeyAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> does not identify a <a href="#algorithms">registered algorithm</a> that supports the derive bits
+                  operation, then <a href="#concept-throw">throw</a> a  <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                </p>
+              </li>             
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedDerivedKeyAlgorithm</var> does not identify a
+                  <a href="#algorithms">registered algorithm</a> that supports the get key length
+                  operation, then <a href="#concept-throw">throw</a> a
+                  <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>baseKey</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>baseKey</var> does not contain an entry that is <code>"deriveKey"</code>,
+                  then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>length</var> be the result of executing the get key length
+                  algorithm specified by <var>normalizedDerivedKeyAlgorithm</var> using
+                  <var>derivedKeyType</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>secret</var> be the result of executing the derive bits operation
+                  specified by <var>normalizedAlgorithm</var> using
+                  <var>key</var>, <var>algorithm</var> and <var>length</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of executing the import key operation
+                  specified by <var>normalizedDerivedKeyAlgorithm</var> using <code>"raw"</code> as
+                  <var>format</var>, <var>secret</var> as <var>keyData</var>,
+                  <var>derivedKeyType</var> as <var>algorithm</var> and using
+                  <var>extractable</var> and <var>usages</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                  <var>result</var> is <code>"secret"</code> or <code>"private"</code> and
+                  <var>usages</var> is empty, then <a href="#concept-throw">throw</a> a <a href="#dfn-SyntaxError">SyntaxError</a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
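Review bot: The derive bits step of deriveKey references an undefined variable: "executing the derive bits operation specified by <var>normalizedAlgorithm</var> using <var>key</var>, <var>algorithm</var> and <var>length</var>" should read <var>baseKey</var>, which is the variable bound in step 1 and the one checked in the preceding algorithm-name and usages steps; the deriveBits method correctly uses <var>baseKey</var> in the same step. Separately, the step throwing NotSupportedError when <var>normalizedAlgorithm</var> does not support the derive bits operation is redundant with the earlier normalization with <code>op</code> set to <code>"deriveBits"</code>, which already rejects with that error; keeping only one avoids two places to update when the registry changes.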
+
+          <div id="SubtleCrypto-method-deriveBits" class="section">
+            <h4>14.3.8. The deriveBits method</h4>
+            <p>
+              When invoked, <dfn id="dfn-SubtleCrypto-method-deriveBits"><code>deriveBits</code></dfn>
+              <span class="RFC2119">MUST</span> perform the following steps:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>algorithm</var>, <var>baseKey</var> and <var>length</var>,
+                  be the <code>algorithm</code>,
+                  <code>baseKey</code> and <code>length</code>
+                  parameters passed to the
+                  <a href="#dfn-SubtleCrypto-method-deriveBits">deriveBits</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"deriveBits"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise object.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>baseKey</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>baseKey</var> does not contain an entry that is <code>"deriveBits"</code>,
+                  then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be a new <a href="#dfn-ArrayBuffer">ArrayBuffer</a>
+                  containing the result of executing the derive bits operation
+                  specified by <var>normalizedAlgorithm</var> using <var>baseKey</var>,
+                  <var>algorithm</var> and <var>length</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="SubtleCrypto-method-importKey" class="section">
+            <h4>14.3.9. The <a href="#dfn-SubtleCrypto-method-importKey">importKey</a> method</h4>
+            <p>                  
+              When invoked, the <dfn id="dfn-SubtleCrypto-method-importKey"><code>importKey</code></dfn> method <span class="RFC2119">MUST</span> perform the following steps:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>format</var>, <var>algorithm</var>, <var>extractable</var> and
+                  <var>usages</var>, be the <code>format</code>, <code>algorithm</code>,
+                  <code>extractable</code> and <code>keyUsages</code> parameters passed to the <a href="#dfn-SubtleCrypto-method-importKey">importKey</a> method, respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"importKey"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <dl class="switch">
+                  <dt>
+                    If <var>format</var> is equal to the string <code>"raw"</code>,
+                    <code>"pkcs8"</code>, or <code>"spki"</code>:
+                  </dt>
+                  <dd>
+                    <ol>
+                      <li>
+                        <p>
+                          If the <code>keyData</code> parameter passed to the
+                          <a href="#dfn-SubtleCrypto-method-importKey">importKey</a> method is a
+                          JsonWebKey dictionary, <a href="#concept-throw">throw</a> a
+                          <a href="#dfn-TypeError"><code>TypeError</code></a>.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Let <var>keyData</var> be the result of
+                          <a href="#concept-clone-BufferSource">cloning the data</a> of the
+                          <code>keyData</code> parameter passed to the
+                          <a href="#dfn-SubtleCrypto-method-importKey">importKey</a> method.
+                        </p>
+                      </li>
+                    </ol>
+                  </dd>
+                  <dt>
+                    If <var>format</var> is equal to the string <code>"jwk"</code>:
+                  </dt>
+                  <dd>
+                    <ol>
+                      <li>
+                        <p>
+                          If the <code>keyData</code> parameter passed to the
+                          <a href="#dfn-SubtleCrypto-method-importKey">importKey</a> method is not a
+                          JsonWebKey dictionary, <a href="#concept-throw">throw</a> a
+                          <a href="#dfn-TypeError"><code>TypeError</code></a>.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Let <var>keyData</var> be the <code>keyData</code> parameter passed to the
+                          <a href="#dfn-SubtleCrypto-method-importKey">importKey</a> method.
+                        </p>
+                      </li>
+                    </ol>
+                  </dd>
+                </dl>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the <a href="#dfn-CryptoKey">CryptoKey</a> object that
+                  results from performing the import key operation specified by
+                  <var>normalizedAlgorithm</var> using <var>keyData</var>,
+                  <var>algorithm</var>, 
+                  <var>format</var>, <var>extractable</var> and <var>usages</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                  <var>result</var> is <code>"secret"</code> or <code>"private"</code> and
+                  <var>usages</var> is empty, then <a href="#concept-throw">throw</a> a <a href="#dfn-SyntaxError">SyntaxError</a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+                  slot of <var>result</var> to <var>extractable</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal
+                  slot of <var>result</var> to the <a href="#concept-normalized-usages">normalized
+                    value</a> of <var>usages</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+            <div class="note"><div class="noteHeader">Note</div>
+              <p class="norm">
+                This note is non-normative.
+              </p>
+              <p>
+                For structured key formats, <code>"spki"</code>, <code>"pks8"</code>
+                and <code>"jwk"</code>, fields that are not explicitly referred to in the key
+                import procedures for an algorithm are ignored.
+              </p>
+            </div>
+          </div>
+
+          <div id="SubtleCrypto-method-exportKey" class="section">
+            <h4>14.3.10. The <a href="#dfn-SubtleCrypto-method-exportKey">exportKey</a> method</h4>
+            <p>
+              When invoked, the <dfn id="dfn-SubtleCrypto-method-exportKey"><code>exportKey</code></dfn> method <span class="RFC2119">MUST</span> perform the following steps:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>format</var> and <var>key</var> be the <code>format</code> and
+                  <code>key</code> parameters passed to the <a href="#dfn-SubtleCrypto-method-exportKey">exportKey</a> method, respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> does not identify a <a href="#algorithms">registered algorithm</a>
+                  that supports the export key operation, then <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal slot
+                  of <var>key</var> is false, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>         
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of performing the export key operation
+                  specified by the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                  internal slot of <var>key</var> using <var>key</var> and <var>format</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="SubtleCrypto-method-wrapKey" class="section">
+            <h4>14.3.11. The wrapKey method</h4>
+            <p>
+              When invoked, the <dfn id="dfn-SubtleCrypto-method-wrapKey">wrapKey</dfn> method <span class="RFC2119">MUST</span> perform the following steps:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  Let <var>format</var>, <var>key</var>, <var>wrappingKey</var> and
+                  <var>algorithm</var> be the <code>format</code>, <code>key</code>,
+                  <code>wrappingKey</code> and <code>wrapAlgorithm</code> parameters passed to the
+                  <a href="#dfn-SubtleCrypto-method-wrapKey">wrapKey</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"wrapKey"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"encrypt"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> does not identify a
+                  <a href="#algorithms">registered algorithm</a> that supports the encrypt or wrap
+                  key operation, then <a href="#concept-throw">throw</a> a
+                  <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>wrappingKey</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>wrappingKey</var> does not contain an entry that is <code>"wrapKey"</code>,
+                  then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the algorithm identified by the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> does not support the export key operation, then <a href="#concept-throw">throw</a> a  <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal slot
+                  of <var>key</var> is false, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>         
+              </li>
+              <li>
+                <p>
+                  Let <var>key</var> be the result of performing the export key operation specified
+                  the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>key</var> using <var>key</var> and <var>format</var>.
+                </p>
+              </li>
+              <li>
+                <dl class="switch">
+                  <dt>
+                    If <var>format</var> is equal to the strings <code>"raw"</code>,
+                    <code>"pkcs8"</code>, or <code>"spki"</code>:
+                  </dt>
+                  <dd>
+                    Set <var>bytes</var> be set to <var>key</var>.
+                  </dd>
+                  <dt>
+                    If <var>format</var> is equal to the string <code>"jwk"</code>:
+                  </dt>
+                  <dd>
+                    <ol>
+                      <li>
+                        <p>
+                          Convert <var>key</var> to an ECMAScript Object, as specified in [
+                          <a href="#WebIDL">WebIDL</a>].
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Let <var>json</var> be the result of representing <var>key</var> as a
+                          UTF-16 string conforming to the JSON grammar; for example, by executing
+                          the <code>JSON.stringify</code> algorithm specified in
+                          <a href="#ECMA-262">ECMA262</a>.
+                        </p>
+                      </li>
+                      <li>
+                        <p>
+                          Let <var>bytes</var> be the byte sequence the results from converting
+                          <var>json</var>, a JavaScript String comprised of UTF-16 code points, to
+                          UTF-8 code points.
+                        </p>
+                      </li>
+                    </ol>
+                  </dd>
+                </dl>
+                <div class="note"><div class="noteHeader">Note</div>
+                  <p class="norm">
+                    This note is non-normative.
+                  </p>
+                  <p>
+                    The key wrapping operations for some algorithms place constraints on the payload
+                    size. For example AES-KW requires the payload to be a multiple of 8 bytes in
+                    length and RSA-OAEP places a restriction on the length. For key formats that
+                    offer flexibility in serialization of a given key (for example JWK),
+                    implementations may choose to adapt the serialization to the constraints of
+                    the wrapping algorithm. This is why JSON.stringify is not normatively required,
+                    as otherwise it would prohibit implementations from introducing added
+                    padding.
+                  </p>
+                </div>
+              </li>
+              <li>
+                <dl class="switch">
+                  <dt>If <var>normalizedAlgorithm</var> supports the wrap key operation:</dt>
+                  <dd>
+                    <p>
+                      Let <var>result</var> be the result of performing the wrap key operation
+                      specified by <var>normalizedAlgorithm</var> using <var>algorithm</var>,
+                      <var>wrappingKey</var> as <var>key</var> and <var>bytes</var> as
+                      <var>plaintext</var>.
+                    </p>
+                  </dd>
+                  <dt>Otherwise, if <var>normalizedAlgorithm</var> supports the encrypt operation:</dt>
+                  <dd>
+                    <p>
+                      Let <var>result</var> be the result of performing the encrypt operation
+                      specified by <var>normalizedAlgorithm</var> using <var>algorithm</var>,
+                      <var>wrappingKey</var> as <var>key</var> and <var>bytes</var> as
+                      <var>plaintext</var>.
+                    </p>
+                  </dd>
+                  <dt>Otherwise:</dt>
+                  <dd>
+                    <a href="#concept-throw">throw</a> a
+                    <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                  </dd>
+                </dl>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="SubtleCrypto-method-unwrapKey" class="section">
+            <h4>14.3.12. The unwrapKey method</h4>
+            <p>
+              When invoked, the <dfn id="dfn-SubtleCrypto-method-unwrapKey">unwrapKey</dfn> method
+              <span class="RFC2119">MUST</span> perform the following steps: 
+            </p>
+            <ol>
+            <li>
+                <p>
+                  Let <var>format</var>, <var>unwrappingKey</var>,
+                  <var>algorithm</var>, <var>unwrappedKeyAlgorithm</var>,
+                  <var>extractable</var> and <var>usages</var>,
+                  be the <code>format</code>, <code>unwrappingKey</code>,
+                  <code>unwrapAlgorithm</code>, <code>unwrappedKeyAlgorithm</code>,
+                  <code>extractable</code> and <code>keyUsages</code>
+                  parameters passed to the
+                  <a href="#dfn-SubtleCrypto-method-unwrapKey">unwrapKey</a> method,
+                  respectively.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>wrappedKey</var> be the result of
+                  <a href="#concept-clone-BufferSource">cloning the data</a> of the
+                  <code>data</code> parameter passed to the
+                  <a href="#dfn-SubtleCrypto-method-unwrapKey">unwrapKey</a> method.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"unwrapKey"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, let <var>normalizedAlgorithm</var> be the result of
+                  <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>algorithm</var> and <code>op</code> set to
+                  <code>"decrypt"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>normalizedKeyAlgorithm</var> be the result of <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>, with
+                  <code>alg</code> set to <var>unwrappedKeyAlgorithm</var> and <code>op</code> set
+                  to <code>"importKey"</code>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If an error occurred, return a Promise rejected with
+                  <var>normalizedKeyAlgorithm</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Let <var>promise</var> be a new Promise.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Return <var>promise</var> and asynchronously perform the remaining steps.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the following steps or referenced procedures say to
+                  <a href="#concept-throw">throw</a> an error,
+                  reject <var>promise</var> with
+                  the returned error and then
+                  <a href="#terminate-the-algorithm">terminate the algorithm.</a>
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the <a href="#dfn-Algorithm-name">name</a> member of
+                  <var>normalizedAlgorithm</var> is not equal to the
+                  <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the
+                  [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                  <var>unwrappingKey</var> then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                  <var>unwrappingKey</var> does not contain an entry that is
+                  <code>"unwrapKey"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                </p>
+              </li>
+              <li>
+                <dl class="switch">
+                  <dt>If <var>normalizedAlgorithm</var> supports an unwrap key operation:</dt>
+                  <dd>
+                    Let <var>key</var> be the result of performing the unwrap key operation
+                    specified by <var>normalizedAlgorithm</var> using <var>algorithm</var>,
+                    <var>unwrappingKey</var> as <var>key</var> and <var>wrappedKey</var> as
+                    <var>ciphertext</var>.
+                  </dd>
+                  <dt>
+                    Otherwise, if <var>normalizedAlgorithm</var> supports a decrypt
+                    operation:
+                  </dt>
+                  <dd>
+                    Let <var>key</var> be the result of performing the decrypt operation specified
+                    by <var>normalizedAlgorithm</var> using <var>algorithm</var>,
+                    <var>unwrappingKey</var> as <var>key</var> and <var>wrappedKey</var> as
+                    <var>ciphertext</var>.
+                  </dd>
+                  <dt>Otherwise:</dt>
+                  <dd>
+                    <a href="#concept-throw">throw</a> a
+                    <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                  </dd>
+                </dl>
+              </li>
+              <li>
+                <dl class="switch">
+                  <dt>
+                    If <var>format</var> is equal to the strings <code>"raw"</code>,
+                    <code>"pkcs8"</code>, or <code>"spki"</code>:
+                  </dt>
+                  <dd>
+                    Set <var>bytes</var> be set to <var>key</var>.
+                  </dd>
+                  <dt>
+                    If <var>format</var> is equal to the string <code>"jwk"</code>:
+                  </dt>
+                  <dd>
+                    Let <var>bytes</var> be the result of executing the
+                    <a href="#concept-parse-a-jwk">parse a JWK</a> algorithm, withe <var>key</var>
+                    as the <code>data</code> to be parsed.
+                  </dd>
+                </dl>
+              </li>
+              <li>
+                <p>
+                  Let <var>result</var> be the result of performing the import key operation
+                  specified by <var>normalizedKeyAlgorithm</var> using
+                  <var>unwrappedKeyAlgorithm</var> as <var>algorithm</var>, <var>format</var>,
+                  <var>usages</var>
+                  and <var>extractable</var> and with
+                  <var>bytes</var> as <var>keyData</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                  <var>result</var> is <code>"secret"</code> or <code>"private"</code> and
+                  <var>usages</var> is empty, then <a href="#concept-throw">throw</a> a <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+                  slot of <var>result</var> to <var>extractable</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal
+                  slot of <var>result</var> to the <a href="#concept-normalized-usages">normalized
+                    value</a> of <var>usages</var>.
+                </p>
+              </li>
+              <li>
+                <p>
+                  Resolve <var>promise</var> with
+                  <var>result</var>.
+                </p>
+              </li>
+            </ol>
+          </div>
+        </div>
+        <div id="SubtleCrypto-Exceptions" class="section">
+          <h3>14.4. Exceptions</h3>
+          <p>
+            The methods of the <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface return errors
+            by rejecting the returned promise with a predefined exception defined in ECMAScript
+            [<a href="#ECMA-262">ECMA-262</a>] or
+            <a href="#dfn-DOMException">DOMException</a>. The following predefined exceptions are
+            used: <dfn id="dfn-TypeError">TypeError</dfn>. The following DOMException types from
+            [<a href="#DOM4">DOM4</a>] are used:
+          </p>
+          <table>
+            <tbody>
+              <tr>
+                <th>Type</th>
+                <th>Message (optional)</th>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-NotSupportedError"><code>NotSupportedError</code></dfn></td>
+                <td>The algorithm is not supported</td>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-SyntaxError"><code>SyntaxError</code></dfn></td>
+                <td>A required parameter was missing or out-of-range</td>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-InvalidStateError"><code>InvalidStateError</code></dfn></td>
+                <td>The requested operation is not valid for the current state of the provided key.</td>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-InvalidAccessError"><code>InvalidAccessError</code></dfn></td>
+                <td>The requested operation is not valid for the provided key</td>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-UnknownError"><code>UnknownError</code></dfn></td>
+                <td>The operation failed for an unknown transient reason (e.g. out of memory)</td>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-DataError"><code>DataError</code></dfn></td>
+                <td>Data provided to an operation does not meet requirements</td>
+              </tr>
+              <tr>
+                <td><dfn id="dfn-OperationError"><code>OperationError</code></dfn></td>
+                <td>The operation failed for an operation-specific reason</td>
+              </tr>
+            </tbody>
+          </table>
+          <p>
+            When this specification says to
+            <dfn id="concept-throw">throw</dfn> an error, the user agent must
+            <a href="http://heycam.github.io/WebIDL/#dfn-throw">throw</a> an error as described in
+            [<a href="#WebIDL">WebIDL</a>]. When this occurs in a sub-algorithm,
+            this results in termination of execution of the sub-algorithm and all ancestor algorithms
+            until one is reached that explicitly describes procedures for catching exceptions.
+          </p>
+        </div>
+      </div>
+
+      <div id="JsonWebKey-dictionary" class="section">
+        <h2>15. JsonWebKey dictionary</h2>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaOtherPrimesInfo">RsaOtherPrimesInfo</dfn> {
+  <span class="comment">// The following fields are defined in Section 6.3.2.7 of <a href="#jwa">JSON Web Algorithms</a></span>
+  DOMString r;
+  DOMString d;
+  DOMString t;
+};
+
+dictionary <dfn id="dfn-JsonWebKey">JsonWebKey</dfn> {
+  <span class="comment">// The following fields are defined in Section 3.1 of <a href="#jwk">JSON Web Key</a></span>
+  DOMString kty;
+  DOMString use;
+  sequence&lt;DOMString&gt; key_ops;
+  DOMString alg;
+
+  <span class="comment">// The following fields are defined in <a href="#iana-section-jwk">JSON Web Key Parameters Registration</a></span>
+  boolean ext;
+
+  <span class="comment">// The following fields are defined in Section 6 of <a href="#jwa">JSON Web Algorithms</a></span>
+  DOMString crv;
+  DOMString x;
+  DOMString y;
+  DOMString d;
+  DOMString n;
+  DOMString e;
+  DOMString p;
+  DOMString q;
+  DOMString dp;
+  DOMString dq;
+  DOMString qi;
+  sequence&lt;RsaOtherPrimesInfo&gt; oth;
+  DOMString k;
+};
+        </code></pre></div></div>
+        <div id="JsonWebKey-description">
+          <h3>Description</h3>
+          <p class="norm">The following section is non-normative</p>
+          <p>
+            The <a href="#dfn-JsonWebKey">JsonWebKey</a> dictionary provides a way to represent
+            and exchange cryptographic keys represented by the <a href="#jwk">JSON Web Key</a>
+            structure, while allowing native and efficient use within Web Cryptography API
+            applications.
+          </p>
+        </div>
+      </div>
+
+      <div id="big-integer" class="section">
+        <h2>16. BigInteger</h2>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+typedef Uint8Array <dfn id="dfn-BigInteger">BigInteger</dfn>;
+        </code></pre></div></div>
+        <p>
+          The <a href="#dfn-BigInteger">BigInteger</a> typedef is a <code>Uint8Array</code> that
+          holds an arbitrary magnitude unsigned integer in big-endian order. Values read from
+          the API SHALL have minimal typed array length (that is, at most 7 leading zero bits,
+          except the value 0 which shall have length 8 bits). The API SHALL accept values with
+          any number of leading zero bits, including the empty array, which represents zero.
+        </p>
+
+        <div class="note"><div class="noteHeader">Note</div>
+          <strong>Implementation Note:</strong> Since the integer is unsigned, the highest order bit
+          is NOT a sign bit. Implementors should take care when mapping to big integer
+          implementations that expected signed integers.
+        </div>
+      </div>
+      
+      <div id="keypair" class="section">
+        <h2>17. CryptoKeyPair dictionary</h2>
+        <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-CryptoKeyPair">CryptoKeyPair</dfn> {
+  <a href="#dfn-CryptoKey">CryptoKey</a> <dfn id="dfn-CryptoKeyPair-publicKey">publicKey</dfn>;
+  <a href="#dfn-CryptoKey">CryptoKey</a> <dfn id="dfn-CryptoKeyPair-privateKey">privateKey</dfn>;
+};
+        </code></pre></div></div>
+        <p>
+          The <a href="#dfn-CryptoKeyPair">CryptoKeyPair</a> dictionary represents an
+          asymmetric key pair that is comprised of both public and private keys.
+        </p>
+      </div>
+
+      <div id="algorithms" class="section">
+        <h2>18. Algorithms</h2>
+        <div id="algorithms-section-overview" class="section">
+          <h3>18.1. Overview</h3>
+          <p class="norm">This section is non-normative.</p>
+          <p>
+            In addition to providing a common interface to perform cryptographic operations, by
+            way of the <a href="#dfn-SubtleCrypto">SubtleCrypto</a> interface, this specification
+            also provides descriptions for a variety of algorithms that authors may wish to use and
+            that User Agents may choose to implement. This includes a selection of commonly-deployed
+            symmetric and asymmetric algorithms, key derivation mechanisms, and methods for wrapping
+            and unwrapping keys. Further, this specification defines a process to allow additional
+            specifications to introduce additional cryptographic algorithms.
+          </p>
+        </div>
+
+        <div id="algorithm-concepts" class="section">
+          <h3>18.2. Concepts</h3>
+          <div id="algorithm-concepts-naming" class="section">
+            <h4>18.2.1. Naming</h4>
+            <p>
+              Every cryptographic algorithm defined for use with the Web Cryptography API
+              <span class="RFC2119">MUST</span> have a unique name, referred to as its
+              <dfn id="recognized-algorithm-name">recognized algorithm name</dfn>, such that no
+              other specification defines the same case-sensitive string for use with the
+              Web Cryptography API.
+            </p>
+          </div>
+          <div id="algorithm-concepts-operations" class="section">
+            <h4>18.2.2. Supported Operations</h4>
+            <p>
+              Every cryptographic algorithm defined for use with the Web Cryptography API has a list
+              of <dfn id="supported-operation">supported operations</dfn>, which are a set of
+              sub-algorithms to be invoked by the <a href="#dfn-SubtleCrypto">SubtleCrypto</a>
+              interface in order to perform the desired cryptographic operation. This specification
+              makes use of the following operations:
+            </p>
+            <ul>
+              <li>encrypt</li>
+              <li>decrypt</li>
+              <li>sign</li>
+              <li>verify</li>
+              <li>deriveBits</li>
+              <li>wrapKey</li>
+              <li>unwrapKey</li>
+              <li>generateKey</li>
+              <li>importKey</li>
+              <li>exportKey</li>
+              <li>getLength</li>
+            </ul>
+            <p>
+              If a given algorithm specification does not list a particular operation as supported,
+              or explicitly lists an operation as not-supported, then the User Agent
+              <span class="RFC2119">MUST</span> behave as if the invocation of the sub-algorithm
+              threw a NotSupportedError.
+            </p>
+          </div>
+          <div id="algorithm-concepts-normalization" class="section">
+            <h4>18.2.3. Normalization</h4>
+            <p>
+              Every cryptographic algorithm defined for use with the Web Cryptography API <span class="RFC2119">MUST</span> define, for every <a href="#supported-operation">
+              supported operation</a>, the IDL type to use for <a href="#algorithm-normalization">algorithm normalization</a>, as well as the
+              IDL type or types of the return values of the sub-algorithms.
+            </p>
+          </div>
+        </div>
+
+        <div id="algorithm-conventions" class="section">
+          <h3>18.3. Specification Conventions</h3>
+          <p>
+            Every cryptographic algorithm definition within this specification employs the following
+            specification conventions. A section, titled <em>"Registration"</em>, will include the
+            <a href="#recognized-algorithm-name">recognized algorithm name</a>. Additionally, it
+            includes a table, which will list each of the <a href="#supported-operation">supported
+            operations</a> as rows, identified by the <dfn id="supported-operations">Operation</dfn>
+            column. The contents of the <dfn id="algorithm-specific-params">Parameters</dfn> column
+            for a given row will contain the IDL type to use for <a href="#algorithm-normalization">algorithm normalization</a> for that operation,
+            and the contents of the <dfn id="algorithm-result">Result</dfn> column for that row
+            indicate the IDL type that
+            results from performing the supported operation.
+          </p>
+          <p>
+            If a conforming User Agent implements an algorithm, it
+            <span class="RFC2119">MUST</span> implement all of the <a href="#supported-operation">
+            supported operations</a> and <span class="RFC2119">MUST</span> return the IDL type
+            specified.
+          </p>
+          <p>
+            Additionally, upon initialization, conforming User Agents must perform the
+            <a href="#concept-define-an-algorithm">define an algorithm</a> steps for each of
+            the supported operations, registering their IDL parameter type as indicated.
+          </p>
+        </div>
+      
+        <div id="algorithm-normalization" class="section">
+          <h3>18.4. Algorithm Normalization</h3>
+          <div id="algorithm-normalization-description" class="section">
+            <h4>18.4.1. Description</h4>
+            <p class="norm">This section is non-normative</p>
+            <p>
+              The <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> typedef permits
+              algorithms to either be specified as a <a href="#dfn-DOMString">DOMString</a> or an
+              object. The usage of <a href="#dfn-DOMString">DOMString</a> is to permit authors a
+              short-hand for noting algorithms that have no parameters (e.g. SHA-1).
+              The usage of object is to allow an <a href="#dfn-Algorithm">Algorithm</a> (or appropriate subclass) to be specified, which
+              contains all of the associated parameters for an object.
+            </p>
+            <p>
+              Because of this, it's necessary to define the algorithm for converting an <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> into an appropriate dictionary
+              that is usable with this API. This algorithm must be extensible, so as to allow new
+              cryptographic algorithms to be added, and consistent, so that Web IDL type mapping can
+              occur before any control is returned to the calling script, which would potentially
+              allow the mutation of parameters or the script environment.
+            </p>
+          </div>
+
+          <div id="algorithm-normalization-internal" class="section">
+            <h4>18.4.2. Internal State Objects</h4>
+            <p>
+              This specification makes use of an internal object,
+              [[<dfn id="dfn-supportedAlgorithms">supportedAlgorithms</dfn>]]. This internal object is
+              not exposed to applications.
+            </p>
+            <p>
+              Because this value is not exposed to applications, the exact type is not specified.
+              It is only required to behave as an associative container of key/value pairs, where
+              comparisons of keys are performed in a case-sensitive manner.
+            </p>
+            <p>
+              The initial contents of this internal object are as follows:
+            </p>
+            <ol>
+              <li>
+                <p>
+                  For each value, <var>v</var> in the List of <a href="#supported-operation">supported operations</a>, set the <var>v</var> key of
+                   the internal object [[<a href="#dfn-supportedAlgorithms">supportedAlgorithms</a>]]
+                   to a new associative container.
+                </p>
+              </li>
+            </ol>
+          </div>
+
+          <div id="algorithm-normalization-define-an-algorithm" class="section">
+            <h4>18.4.3. Defining an Algorithm</h4>
+            <p>
+              The <dfn id="concept-define-an-algorithm">define an algorithm</dfn> algorithm is used
+              by specification authors to indicate how a user agent should normalize arguments for a
+              particular algorithm. Its input is an algorithm name <var>alg</var>, represented as a
+              DOMString, operation name <var>op</var>, represented as a DOMString, and desired IDL
+              dictionary type <var>type</var>. The algorithm behaves as follows:
+            </p>
+            <ol>
+              <li>
+                Let <var>registeredAlgorithms</var> be the associative container stored at the
+                <var>op</var> key of [[<a href="#dfn-supportedAlgorithms">supportedAlgorithms</a>]]..
+              </li>
+              <li>
+                Set the <var>alg</var> key of <var>registeredAlgorithms</var> to the IDL dictionary
+                type <var>type</var>.
+              </li>
+            </ol>
+          </div>
+
+          <div id="algorithm-normalization-normalize-an-algorithm" class="section">
+            <h4>18.4.4. Normalizing an algorithm</h4>
+            <p>
+              The <dfn id="dfn-normalize-an-algorithm">normalize an algorithm</dfn> algorithm defines
+              a process for coercing inputs to a targeted IDL dictionary type, after Web IDL
+              conversion has occurred. It is designed to be extensible, to allow future specifications
+              to define additional algorithms, as well as safe for use with Promises. Its input is an
+              operation name <var>op</var> and an <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a> <var>alg</var>. Its output is
+              either an IDL dictionary type or an error. It behaves as follows:
+            </p>
+            <dl class="switch">
+              <dt>If <var>alg</var> is an instance of a DOMString:</dt>
+              <dd>
+                <p>
+                  Return the result of running the <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a> algorithm, with
+                  the <code>alg</code> set to a new <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a>
+                  dictionary whose <a href="#dfn-KeyAlgorithm-name">name</a> attribute is
+                  <var>alg</var>, and with the <code>op</code> set to <var>op</var>.
+                </p>
+              </dd>
+              <dt>If <var>alg</var> is an object:</dt>
+              <dd>
+                <ol>
+                  <li>
+                    Let <var>registeredAlgorithms</var> be the associative container stored at the
+                    <code>op</code> key of [[<a href="#dfn-supportedAlgorithms">supportedAlgorithms</a>]].
+                  </li>
+                  <li>
+                    Let <var>initialAlg</var> be the result of converting the ECMAScript object
+                    represented by <var>alg</var> to the IDL dictionary type <a href="#dfn-Algorithm">Algorithm</a>, as defined by [<a href="#WebIDL">WebIDL</a>].
+                  </li>
+                  <li>
+                    If an error occurred, return the error and terminate this algorithm.
+                  </li>
+                  <li>
+                    Let <var>algName</var> be the value of the <a href="#dfn-Algorithm-name">name</a>
+                    attribute of <var>initialAlg</var>.
+                  </li>
+                  <li>
+                    <dl class="switch">
+                      <dt>
+                        If <var>registeredAlgorithms</var> contains a key that is a
+                        <a href="#case-insensitive">case-insensitive</a> string match for
+                        <var>algName</var>:
+                      </dt>
+                      <dd>
+                        <ol>
+                          <li>
+                            <p>
+                              Set <var>algName</var> to the value of the matching key.
+                            </p>
+                          </li>
+                          <li>
+                            <p>
+                              Let <var>desiredType</var> be the IDL dictionary type stored at
+                              <var>algName</var> in <var>registeredAlgorithms</var>.
+                            </p>
+                          </li>
+                        </ol>
+                      </dd>
+                      <dt>Otherwise:</dt>
+                      <dd>
+                        Return a new <code>NotSupportedError</code> and terminate this algorithm.
+                      </dd>
+                    </dl>
+                  </li>
+                  <li>
+                    Let <var>normalizedAlgorithm</var> be the result of converting the ECMAScript
+                    object represented by <var>alg</var> to the IDL dictionary type
+                    <var>desiredType</var>, as defined by [<a href="#WebIDL">WebIDL</a>].
+                  </li>
+                  <li>
+                    Set the <a href="#dfn-Algorithm-name">name</a> attribute of
+                    <var>normalizedAlgorithm</var> to <var>algName</var>.
+                  </li>
+                  <li>
+                    If an error occurred, return the error and terminate this algorithm.
+                  </li>
+                  <li>
+                    Let <var>dictionaries</var> be a list consisting of the IDL dictionary type
+                    <var>desiredType</var> and all of <var>desiredType</var>'s inherited dictionaries,
+                    in order from least to most derived.
+                  </li>
+                  <li>
+                    <p>
+                      For each dictionary <var>dictionary</var> in <var>dictionaries</var>:
+                    </p>
+                    <ol>
+                      <li>
+                        <p>
+                          For each dictionary member <var>member</var> declared on
+                          <var>dictionary</var>, in order:
+                        </p>
+                        <ol>
+                          <li>
+                            Let <var>key</var> be the identifier of <var>member</var>.
+                          </li>
+                          <li>
+                            Let <var>idlValue</var> be the value of the dictionary member with
+                            key name of <var>key</var> on <var>normalizedAlgorithm</var>.
+                          </li>
+                          <li>
+                            <dl class="switch">
+                              <dt>
+                                If <var>member</var> is of the type
+                                <a href="http://heycam.github.io/WebIDL/#common-BufferSource">BufferSource</a> and is
+                                present:
+                              </dt>
+                              <dd>
+                                Set the dictionary member on <var>normalizedAlgorithm</var> with key
+                                name <var>key</var> to a <a href="#concept-clone-BufferSource">clone of
+                                <var>idlValue</var></a>, replacing the current value.
+                              </dd>
+                              <dt>
+                                If <var>member</var> is of the type
+                                <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a>:
+                              </dt>
+                              <dd>
+                                Set the dictionary member on <var>normalizedAlgorithm</var> with key
+                                name <var>key</var> to the result of
+                                <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>,
+                                with the <code>alg</code> set to <var>idlValue</var> and the
+                                <code>op</code> set to <code>"digest"</code>.
+                              </dd>
+                              <dt>
+                                If <var>member</var> is of the type
+                                <a href="#dfn-AlgorithmIdentifier">AlgorithmIdentifier</a>:
+                              </dt>
+                              <dd>
+                                Set the dictionary member on <var>normalizedAlgorithm</var> with key
+                                name <var>key</var> to the result of
+                                <a href="#dfn-normalize-an-algorithm">normalizing an algorithm</a>,
+                                with the <code>alg</code> set to <var>idlValue</var> and the
+                                <code>op</code> set to the operation defined by the specification
+                                that definines the algorithm identified by <var>algName</var>.
+                              </dd>
+                            </dl>
+                          </li>
+                          <li>
+                            If an error occurred, return the error and terminate this algorithm.
+                          </li>
+                        </ol>
+                      </li>
+                    </ol>
+                  </li>
+                  <li>
+                    Return <var>normalizedAlgorithm</var>.
+                  </li>
+                </ol>
+              </dd>
+            </dl>
+          </div>
+
+        </div>
+
+        <div id="algorithm-recommendations" class="section">
+          <h3>18.5. Recommendations</h3>
+          <p class="norm">This section is non-normative.</p>
+          <div id="algorithm-recommendations-authors" class="section">
+            <h4>18.5.1. For Authors</h4>
+            <p>
+              As this API is meant to be extensible, in order to keep up with future developments
+              within cryptography, there are no algorithms that conforming user agents are required
+              to implement. As such, authors should check to see what algorithms are currently
+              recommended and supported by implementations.
+            </p>
+            <p>
+              As highlighted in the <a href="#security-considerations">Security Considerations</a>,
+              even cryptographic algorithms that might be considered strong for one purpose may be
+              insufficient when used with another purpose. Authors should therefore proceed with
+              extreme caution before inventing new cryptographic protocols.
+            </p>
+            <p>
+              Additionally, this specification includes several algorithms which, in their default
+              usage, can result in cryptographic vulnerabilities. While these concerns may be
+              mitigated, such as through the combination and composition with additional algorithms
+              provided by this specification, authors should proceed with caution and review the
+              relevant cryptographic literature before using a given algorithm. The inclusion of
+              algorithms within this specification is not an indicator of their suitability for any
+              or all purpose, and instead merely serve to provide as a specification for how a
+              conforming User Agent must implement the given algorithm, if it choses to implement
+              the algorithm.
+            </p>
+          </div>
+          <div id="algorithm-recommendations-implementers" class="section">
+            <h4>18.5.2. For Implementers</h4>
+            <p>
+              In order to promote interoperability for developers, this specification includes a
+              list of suggested algorithms. These are considered to be the most widely used
+              algorithms in practice at the time of writing, and therefore provide a good starting
+              point for initial implementations of this specification. The suggested algorithms are:
+            </p>
+            <ul>
+              <li>
+                  <a href="#hmac">HMAC</a> using <a href="#alg-sha-1">SHA-1</a>
+              </li>
+              <li>
+                  <a href="#hmac">HMAC</a> using <a href="#alg-sha-256">SHA-256</a>
+              </li>
+              <li>
+                  <a href="#rsassa-pkcs1">RSASSA-PKCS1-v1_5</a> using
+                  <a href="#alg-sha-256">SHA-1</a>
+              </li>
+              <li>
+                  <a href="#rsa-pss">RSA-PSS</a> using <a href="#alg-sha-256">SHA-256</a>
+                  and MGF1 with <a href="#alg-sha-256">SHA-256</a>.
+              </li>
+              <li>
+                  <a href="#rsa-oaep">RSA-OAEP</a> using <a href="#alg-sha-256">SHA-256</a>
+                  and MGF1 with <a href="#alg-sha-256">SHA-256</a>.
+              </li>
+              <li>
+                  <a href="#ecdsa">ECDSA</a> using <a href="#dfn-NamedCurve-p256">P-256</a>
+                  curve and <a href="#alg-sha-256">SHA-256</a>
+              </li>
+              <li><a href="#aes-cbc">AES-CBC</a></li>
+            </ul>
+          </div>
+        </div>
+      </div>
+      
+      <div id="algorithm-overview" class="section">
+        <h2>19. Algorithm Overview</h2>
+        <p class="norm">The following section is non-normative.</p>
+        <p>
+          The table below contains an overview of the algorithms described within this
+          specification, as well as the set of <a href="#subtlecrypto-interface-methods">subtlecrypto
+          methods</a> the algorithm may be used with. In order for
+          an algorithm to be used with a method the corresponding
+          operation or operations, as defined
+          in the procedures for the method, must be defined in the algorithm specification.
+          Note that this mapping of methods to underlying
+          operations is not one-to-one:
+        </p>
+        <ul>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-encrypt">encrypt</a> method requires the encrypt operation.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-decrypt">decrypt</a> method requires the decrypt operation.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-sign">sign</a> method requires the sign operation.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-verify">decrypt</a> method requires the verify operation.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-generateKey">generateKey</a> method requires the generateKey operation.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-deriveKey">deriveKey</a> method requires the
+            deriveBits operation for the key derivation algorithm and the get length and importKey operations
+            for the derived key algorithm.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-digest">digest</a> method requires the digest operation.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-wrapKey">wrapKey</a> method requires the either
+            the encrypt or wrapKey operation for the wrapping algorithm and the exportKey operation
+            for the wrapped key algorithm.</p>
+          </li>
+          <li>
+            <p>The <a href="#SubtleCrypto-method-unwrapKey">unwrapKey</a> method requires the either
+            the decrypt or unwrapKey operation for the unwrapping algorithm and the importKey operation
+            for the unwrapped key algorithm.</p>
+          </li>
+        </ul>
+        <p class="note">
+          Application developers and script authors should not interpret this table as a
+          recommendation for the use of particular algorithms. Instead, it simply documents what
+          methods areA supported. Authors should refer to the <a href="#security-developers">Security considerations for authors</a> section of this
+          document to better understand the risks and concerns that may arise when using certain
+          algorithms.
+        </p>
+        <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+          <p>
+            Note: All algorithms listed should be considered as "features at risk",
+            barring implementors adopting them. Their inclusion in the Editor's Draft
+            reflects requests for their inclusion by members of the community, and are
+            included as an exercise to ensure the robustness of the API defined in this
+            specification.
+          </p>
+          <p>
+            As such, the list of algorithms, and the recommendations, may be significantly
+            altered in future revisions.
+          </p>
+        </div>
+        <table>
+          <thead>
+            <tr>
+              <th>Algorithm name</th>
+              <th scope="col">encrypt</th>
+              <th scope="col">decrypt</th>
+              <th scope="col">sign</th>
+              <th scope="col">verify</th>
+              <th scope="col">digest</th>
+              <th scope="col">generateKey</th>
+              <th scope="col">deriveKey</th>
+              <th scope="col">deriveBits</th>
+              <th scope="col">importKey</th>
+              <th scope="col">exportKey</th>
+              <th scope="col">wrapKey</th>
+              <th scope="col">unwrapKey</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr>
+              <td><a href="#rsassa-pkcs1">RSASSA-PKCS1-v1_5</a></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#rsa-pss">RSA-PSS</a></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#rsa-oaep">RSA-OAEP</a></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td> 
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+            </tr>
+            <tr>
+              <td><a href="#ecdsa">ECDSA</a></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#ecdh">ECDH</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#aes-ctr">AES-CTR</a></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+            </tr>
+            <tr>
+              <td><a href="#aes-cbc">AES-CBC</a></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+            </tr>
+            <tr>
+              <td><a href="#aes-cmac">AES-CMAC</a></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#aes-gcm">AES-GCM</a></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+            </tr>
+            <tr>
+              <td><a href="#aes-cfb">AES-CFB</a></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+            </tr>
+            <tr>
+              <td><a href="#aes-kw">AES-KW</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+            </tr>
+            <tr>
+              <td><a href="#hmac">HMAC</a></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#dh">DH</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#sha">SHA-1</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#sha">SHA-256</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#sha">SHA-384</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#sha">SHA-512</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#concatkdf">CONCAT</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#hkdf-ctr">HKDF-CTR</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+            <tr>
+              <td><a href="#pbkdf2">PBKDF2</a></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td></td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td>✔</td>
+              <td></td>
+              <td></td>
+              <td></td>
+            </tr>
+          </tbody>
+        </table>
+      </div>
+
+      <div id="rsassa-pkcs1" class="section">
+        <h3>20. RSASSA-PKCS1-v1_5</h3>
+        <div id="rsassa-pkcs1-description" class="section">
+          <h4>20.1. Description</h4>
+          <p>
+            The <code>"RSASSA-PKCS1-v1_5"</code> algorithm identifier is used to perform
+            signing and verification using the RSASSA-PKCS1-v1_5 algorithm specified in
+            [<cite><a href="#RFC3447">RFC3447</a></cite>] and using the SHA hash functions defined
+            in this specification.
+          </p>
+          <p>
+            <a href="#dfn-applicable-specification">Other specifications</a>
+            may specify the use of additional hash algorithms with RSASSA-PKCS1-v1_5. Such
+            specifications myst define the digest operations for the additional hash algorithms and
+            <dfn id="dfn-rsa-ssa-extended-import-steps">key import steps</dfn> and
+            <dfn id="dfn-rsa-ssa-extended-export-steps">key export steps</dfn> for RSASSA-PKCS1-v1_5.
+          </p>
+        </div>
+        <div id="rsassa-pkcs1-registration" class="section">
+          <h4>20.2. Registration</h4>
+          <p>
+            The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
+            this algorithm is <code>"RSASSA-PKCS1-v1_5"</code>.
+          </p>
+          <table>
+            <thead>
+              <tr>
+                <th><a href="#supported-operations">Operation</a></th>
+                <th><a href="#algorithm-specific-params">Parameters</a></th>
+                <th><a href="#algorithm-result">Result</a></th>
+              </tr>
+            </thead>
+            <tbody>
+              <tr>
+                <td>sign</td>
+                <td>None</td>
+                <td>ArrayBuffer</td>
+              </tr>
+              <tr>
+                <td>verify</td>
+                <td>None</td>
+                <td>boolean</td>
+              </tr>
+              <tr>
+                <td>generateKey</td>
+                <td><a href="#dfn-RsaHashedKeyGenParams">RsaHashedKeyGenParams</a></td>
+                <td><a href="#dfn-CryptoKeyPair">CryptoKeyPair</a></td>
+              </tr>
+              <tr>
+                <td>importKey</td>
+                <td><a href="#dfn-RsaHashedImportParams">RsaHashedImportParams</a></td>
+                <td><a href="#dfn-CryptoKey">CryptoKey</a></td>
+              </tr>
+              <tr>
+                <td>exportKey</td>
+                <td>None</td>
+                <td>object</td>
+              </tr>
+            </tbody>
+          </table>
+        </div>
+        <div id="RsaKeyGenParams-dictionary" class="section">
+          <h4>20.3. RsaKeyGenParams dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaKeyGenParams">RsaKeyGenParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
+  <span class="comment">// The length, in bits, of the RSA modulus</span>
+  [EnforceRange] required unsigned long <dfn id="dfn-RsaKeyGenParams-modulusLength">modulusLength</dfn>;
+  <span class="comment">// The RSA public exponent</span>
+  required <a href="#dfn-BigInteger">BigInteger</a> <dfn id="dfn-RsaKeyGenParams-publicExponent">publicExponent</dfn>;
+};
+          </code></pre></div></div>
+        </div>
+        <div id="RsaHashedKeyGenParams-dictionary" class="section">
+          <h4>20.4. RsaHashedKeyGenParams dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaHashedKeyGenParams">RsaHashedKeyGenParams</dfn> : <a href="#dfn-RsaKeyGenParams">RsaKeyGenParams</a> {
+  <span class="comment">// The hash algorithm to use</span> 
+  required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn id="dfn-RsaHashedKeyGenParams-hash">hash</dfn>;
+};
+          </code></pre></div></div>
+        </div>
+        <div id="RsaKeyAlgorithm-dictionary" class="section">
+          <h4>20.5. RsaKeyAlgorithm dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaKeyAlgorithm">RsaKeyAlgorithm</dfn> : <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a> {
+  <span class="comment">// The length, in bits, of the RSA modulus</span>
+  required unsigned long <dfn id="dfn-RsaKeyAlgorithm-modulusLength">modulusLength</dfn>;
+  <span class="comment">// The RSA public exponent</span>
+  required <a href="#dfn-BigInteger">BigInteger</a> <dfn id="dfn-RsaKeyAlgorithm-publicExponent">publicExponent</dfn>;
+};
+          </code></pre></div></div>
+        </div>
+        <div id="RsaHashedKeyAlgorithm-dictionary" class="section">
+          <h4>20.6. RsaHashedKeyAlgorithm dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</dfn> : <a href="#dfn-RsaKeyAlgorithm">RsaKeyAlgorithm</a> {
+  <span class="comment">// The hash algorithm that is used with this key</span>
+  required <a href="#dfn-KeyAlgorithm">KeyAlgorithm</a> <dfn id="dfn-RsaHashedKeyAlgorithm-hash">hash</dfn>;
+};
+          </code></pre></div></div>
+        </div>
+        <div id="RsaHashedImportParams-dictionary" class="section">
+          <h4>20.7. RsaHashedImportParams dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaHashedImportParams">RsaHashedImportParams</dfn> {
+  <span class="comment">// The hash algorithm to use</span>
+  required <a href="#dfn-HashAlgorithmIdentifier">HashAlgorithmIdentifier</a> <dfn id="dfn-RsaHashedImportParams-hash">hash</dfn>;
+};
+          </code></pre></div></div>
+          <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+            <p>
+              Should this be folded into RsaHashedKeyGenParams and rely on the optional nature of the
+              dictionary fields?
+            </p>
+          </div>
+        </div>
+        <div id="rsassa-pkcs1-operations" class="section">
+          <h4>20.8. Operations</h4>
+          <dl>
+            <dt>Sign</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>key</var> is not <code>"private"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Perform the signature generation operation defined in Section 8.2 of [<cite><a href="#RFC3447">RFC3447</a></cite>] with the key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>key</var>
+                    as the signer's private key and the <a href="#concept-contents-of-arraybuffer">contents of <var>message</var></a> as
+                    <var>M</var> and using the hash function specified in the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> as the Hash option for the EMSA-PKCS1-v1_5 encoding method.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>signature</var> be the value <var>S</var> that results from
+                    performing the operation.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Verify</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>key</var> is not <code>"public"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Perform the signature verification operation defined in Section 8.2 of
+                    [<cite><a href="#RFC3447">RFC3447</a></cite>] with the key represented by the
+                    [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                    <var>key</var> as the signer's RSA public key and the <a href="#concept-contents-of-arraybuffer">contents of <var>message</var></a> as
+                    <var>M</var> and the <a href="#concept-contents-of-arraybuffer">contents of
+                    <var>signature</var></a> as <var>S</var> and using the hash function specified
+                    in the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of the
+                    [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> as the Hash option for the EMSA-PKCS1-v1_5 encoding method.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>result</var> be a boolean with value true if the
+                    result of the operations was "valid signature" and a boolean with value
+                    false otherwise.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+            <dt>Generate Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If <var>usages</var> contains an entry which is not
+                     <code>"sign"</code> or <code>"verify"</code>,
+                    then <a href="#concept-throw">throw</a> a
+                    <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Generate an RSA key pair, as defined in [<cite><a href="#RFC3447">RFC3447</a></cite>], with RSA modulus length equal to the
+                    <a href="#dfn-RsaKeyGenParams-modulusLength">modulusLength</a> attribute of
+                    <var>normalizedAlgorithm</var> and RSA public exponent equal to the
+                    <a href="#dfn-RsaKeyGenParams-publicExponent">publicExponent</a> attribute of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If generation of the key pair fails,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>algorithm</var> be a new
+                    <a href="#dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</a>
+                    dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
+                    <var>algorithm</var> to <code>"RSASSA-PKCS1-v1_5"</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the
+                    <a href="#dfn-RsaKeyAlgorithm-modulusLength">modulusLength</a>
+                    attribute of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaKeyGenParams-modulusLength">modulusLength</a>
+                    attribute of <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the
+                    <a href="#dfn-RsaKeyAlgorithm-publicExponent">publicExponent</a>
+                    attribute of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaKeyGenParams-publicExponent">publicExponent</a>
+                    attribute of <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute
+                    of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaHashedKeyGenParams">hash</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>publicKey</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                    object representing the public key of the generated key pair.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>publicKey</var> to <code>"public"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+                    slot of <var>publicKey</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+                    slot of <var>publicKey</var> to true.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                    <var>publicKey</var> to be the <a href="#concept-usage-intersection">usage
+                    intersection</a> of <var>usages</var> and <code>[ "verify" ]</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>privateKey</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                    object representing the private key of the generated key pair.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>privateKey</var> to <code>"private"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+                    slot of <var>privateKey</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+                    slot of <var>privateKey</var> to <var>extractable</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                    <var>privateKey</var> to be the <a href="#concept-usage-intersection">usage
+                    intersection</a> of <var>usages</var> and <code>[ "sign" ]</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>result</var> be a new <a href="#dfn-CryptoKeyPair">CryptoKeyPair</a>
+                    dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-CryptoKeyPair-publicKey">publicKey</a> attribute
+                    of <var>result</var> to be <var>publicKey</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-CryptoKeyPair-privateKey">privateKey</a> attribute
+                    of <var>result</var> to be <var>privateKey</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Return the result of converting <var>result</var> to an ECMAScript Object, as
+                    defined by [<a href="#WebIDL">WebIDL</a>].
+                  </p>
+                </li>
+              </ol>
+              <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+                <p>
+                  TODO: Specify the mapping between key.algorithm.hash and the appropriate Hash
+                  functions (and back to OID).
+                </p>
+              </div>
+            </dd>
+
+            <dt>Import Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>Let <var>keyData</var> be the key data to be imported.</p>
+                </li>
+                <li>
+                  <dl class="switch">
+                    <dt>If <var>format</var> is <code>"spki"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If <var>usages</var> contains an entry which is not
+                            <code>"verify"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>spki</var> be the result of running the
+                            <a href="#concept-parse-a-spki">parse a subjectPublicKeyInfo</a>
+                            algorithm over <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>alg</var> be the <code>algorithm</code> object identifier
+                            field of the <code>algorithm</code> AlgorithmIdentifier field of
+                            <var>spki</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>rsaEncryption</code>
+                              OID defined in Section 2.3.1 of <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha1WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-1"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha256WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-256"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha384WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-384"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha512WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-512"</code>.
+                              </p>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-ssa-extended-import-steps">key
+                                    import steps</a> defined by
+                                    <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var>, <var>spki</var>
+                                    and obtaining <var>hash</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If an error occured or there are no
+                                    <a href="#dfn-applicable-specification">applicable
+                                    specifications</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>publicKey</var> be the result of performing the <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>
+                            algorithm, with <var>data</var> as the
+                            <code>subjectPublicKeyInfo</code> field of <var>spki</var>,
+                            <var>structure</var> as the <code>RSAPublicKey</code> structure
+                            specified in Section A.1.1 of <a href="#RFC3447">RFC 3447</a>, and
+                            <var>exactData</var> set to true.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                            object that represents the RSA public key identified by
+                            <var>publicKey</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> to <code>"public"</code>
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"pkcs8"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If <var>usages</var> contains an entry which is not
+                             <code>"sign"</code>
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>privateKeyInfo</var> be the result of running the
+                            <a href="#concept-parse-a-privateKeyInfo">parse a privateKeyInfo</a>
+                            algorithm over <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>alg</var> be the <code>algorithm</code> object identifier
+                            field of the <code>privateKeyAlgorithm</code>
+                            PrivateKeyAlgorithmIdentifier field of <var>privateKeyInfo</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>rsaEncryption</code>
+                              OID defined in Section 2.3.1 of <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha1WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-1"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha256WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-256"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha384WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-384"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>sha512WithRSAEncryption</code> OID defined in Section A.2.4 of
+                              <a href="#RFC3279">RFC 3279</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-512"</code>.
+                              </p>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-ssa-extended-import-steps">key
+                                    import steps</a> defined by
+                                    <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var>, <var>privateKeyInfo</var>
+                                    and obtaining <var>hash</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If an error occured or there are no
+                                    <a href="#dfn-applicable-specification">applicable
+                                    specifications</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>rsaPrivateKey</var> be the result of performing the <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>
+                            algorithm, with <var>data</var> as the
+                            <code>privateKey</code> field of <var>privateKeyInfo</var>,
+                            <var>structure</var> as the <code>RSAPrivateKey</code> structure
+                            specified in Section A.1.2 of <a href="#RFC3447">RFC 3447</a>, and
+                            <var>exactData</var> set to true.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                            object that represents the RSA private key identified by
+                            <var>rsaPrivateKey</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> to <code>"private"</code>
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"jwk"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            Let <var>jwk</var> be the <a href="#dfn-JsonWebKey">JsonWebKey</a>
+                            dictionary represented by <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"d"</code> field of <var>jwk</var> is present and
+                            <var>usages</var> contains an entry which is not
+                            <code>"sign"</code>, or, if the <code>"d"</code> field of <var>jwk</var>
+                            is not present and
+                            <var>usages</var> contains an entry which is not
+                            <code>"verify"</code>
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"kty"</code> field of <var>jwk</var> is not a
+                            case-sensitive string match to <code>"RSA"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"use"</code> field of <var>jwk</var> is present, and is
+                            not a case-sensitive string match to <code>"sig"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"key_ops"</code> field of <var>jwk</var> is present, and
+                            is invalid according to the requirements of
+                            <a href="#jwk">JSON Web Key</a> or
+                            does not contain all of the specified <var>usages</var> values,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be a be a string whose initial value is
+                            undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If the <code>"alg"</code> field of <var>jwk</var> is not
+                              present:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"RS1"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-1"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"RS256"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-256"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"RS384"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-384"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"RS512"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-512"</code>.
+                              </p>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-ssa-extended-import-steps">key
+                                    import steps</a> defined by
+                                    <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var>, <var>jwk</var>
+                                    and obtaining <var>hash</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If an error occured or there are no
+                                    <a href="#dfn-applicable-specification">applicable
+                                    specifications</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>If the <code>"d"</code> field of <var>jwk</var> is present:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    If <var>jwk</var> does not meet the requirements of
+                                    Section 6.3.2 of <a href="#jwa">JSON Web
+                                    Algorithms</a>,
+                                    then <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a> object that represents the
+                                    RSA private key identified by interpreting <var>jwk</var>
+                                    according to Section 6.3.2 of <a href="#jwa"> JSON Web
+                                    Algorithms</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]]
+                                    internal slot of <var>key</var> to <code>"private"</code>
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    If <var>jwk</var> does not meet the requirements of Section
+                                    6.3.1 of <a href="#jwa">JSON Web Algorithms</a>, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a> object that represents the
+                                    RSA public key identified by interpreting <var>jwk</var>
+                                    according to Section 6.3.1 of <a href="#jwa"> JSON Web
+                                    Algorithms</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]]
+                                    internal slot of <var>key</var> to <code>"public"</code>
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>Otherwise:</dt>
+                    <dd>
+                      <a href="#concept-throw">throw</a> a
+                      <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                    </dd>
+                  </dl>
+                </li>
+                <li>
+                  <p>
+                    Let <var>algorithm</var> be a new
+                    <a href="#dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</a> dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
+                    <var>algorithm</var> to <code>"RSASSA-PKCS1-v1_5"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaKeyAlgorithm-modulusLength">modulusLength</a>
+                    attribute of <var>algorithm</var> to the length, in bits, of the RSA public
+                    modulus.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaKeyAlgorithm-publicExponent">publicExponent</a>
+                    attribute of <var>algorithm</var> to the <a href="#dfn-BigInteger">BigInteger</a>
+                    representation of the RSA public exponent.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of
+                    <var>algorithm</var> to the <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+                    slot of <var>key</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>Return <var>key</var>.</p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Export Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    Let <var>key</var> be the key to be exported.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If the underlying cryptographic key material represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>key</var>
+                    cannot be accessed, then <a href="#concept-throw">throw</a> an <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <dl class="switch">
+                    <dt>If <var>format</var> is <code>"spki"</code></dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> is not <code>"public"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>data</var> be an instance of the <code>subjectPublicKeyInfo</code>
+                            ASN.1 structure defined in <a href="#RFC5280">RFC 5280</a>
+                            with the following properties:
+                          </p>
+                          <ul>
+                            <li>
+                              <p>
+                                Set the <var>algorithm</var> field to an
+                                <code>AlgorithmIdentifier</code> ASN.1 type with the following
+                                properties:
+                              </p>
+                              <ul>
+                                <li>
+                                  <p>
+                                    Set the <var>algorithm</var> field to the OID
+                                    <code>1.2.840.113549.1.1</code>
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <var>params</var> field to the ASN.1 type NULL.
+                                  </p>
+                                </li>
+                              </ul>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>subjectPublicKey</var> field to the result of
+                                DER-encoding an <code>RSAPublicKey</code> ASN.1 type, as defined
+                                in <a href="#RFC3447">RFC 3447</a>, Appendix A.1.1, that
+                                represents the RSA public key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                                <var>key</var>
+                              </p>
+                            </li>
+                          </ul>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be a new <code>ArrayBuffer</code> containing
+                            <var>data</var>.
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"pkcs8"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> is not <code>"private"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>data</var> be the result of encoding a privateKeyInfo structure
+                            with the following properties:
+                          </p>
+                          <ul>
+                            <li>
+                              <p>
+                                Set the <var>version</var> field to 0.
+                              </p>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>privateKeyAlgorithm</var> field to a
+                                <code>PrivateKeyAlgorithmIdentifier</code> ASN.1 type with the
+                                following properties:
+                              </p>
+                              <ul>
+                                <li>
+                                  <p>
+                                    Set the <var>algorithm</var> field to the OID
+                                    <code>1.2.840.113549.1.1</code>
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <var>params</var> field to the ASN.1 type NULL.
+                                  </p>
+                                </li>
+                              </ul>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>privateKey</var> field to the result of DER-encoding
+                                an <code>RSAPrivateKey</code> ASN.1 type, as defined in <a href="#RFC3447">RFC 3447</a>, Appendix A.1.2, that represents the
+                                RSA private key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                                <var>key</var>
+                              </p>
+                              <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+                                <a href="#RFC5208">RFC 5208</a> specifies that the encoding of
+                                this field should be <em>BER</em> encoded in Section 5 (as a "for
+                                example"). However, to avoid requiring WebCrypto implementations
+                                support BER-encoding and BER-decoding, only <em>DER</em> encodings
+                                are produced or accepted.
+                              </div>
+                            </li>
+                          </ul>                              
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be a new <code>ArrayBuffer</code> containing
+                            <var>data</var>.
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"jwk"</code>:</dt>
+                    <dd>
+                      <ul>
+                        <li>
+                          <p>Let <var>jwk</var> be a new <a href="#dfn-JsonWebKey">JsonWebKey</a>
+                          dictionary.</p>
+                        </li>
+                        <li>
+                          <p>Set the <code>kty</code> attribute of <var>jwk</var> to the string
+                          <code>"RSA"</code>.</p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be the <a href="#dfn-KeyAlgorithm-name">name</a>
+                            attribute of the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a>
+                            attribute of <var>key</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>If <var>hash</var> is <code>"SHA-1"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"RS1"</code>.
+                              </p>
+                            </dd>
+                            <dt>If <var>hash</var> is <code>"SHA-256"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"RS256"</code>.
+                              </p>
+                            </dd>
+                            <dt>If <var>hash</var> is <code>"SHA-384"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"RS384"</code>.
+                              </p>
+                            </dd>
+                            <dt>If <var>hash</var> is <code>"SHA-512"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"RS512"</code>.
+                              </p>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-ssa-extended-export-steps">key
+                                    export steps</a> defined by
+                                    <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var>, <var>key</var>
+                                    and obtaining <var>alg</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If an error occured or there are no
+                                    <a href="#dfn-applicable-specification">applicable
+                                    specifications</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <code>alg</code> attribute of <var>jwk</var> to <var>alg</var>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Set the attributes <code>n</code> and <code>e</code> of <var>jwk</var>
+                            according to the corresponding definitions in <a href="#jwa">JSON Web
+                            Algorithms</a>, Section 6.3.1.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                              of <var>key</var> is <code>"private"</code>:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Set the attributes named <code>d</code>, <code>p</code>,
+                                    <code>q</code>, <code>dp</code>, <code>dq</code>, and
+                                    <code>qi</code> of <var>jwk</var> according to the
+                                    corresponding definitions in <a href="#jwa">JSON Web
+                                    Algorithms</a>, Section 6.3.2.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the underlying RSA private key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot
+                                    of <var>key</var> is represented by more than two primes, set
+                                    the attribute named <code>oth</code> of <var>jwk</var>
+                                    according to the corresponding definition in <a href="#jwa">JSON Web Algorithms</a>, Section 6.3.2.7
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Set the <code>key_ops</code> attribute of <var>jwk</var> to the <a href="#dfn-CryptoKey-usages">usages</a> attribute of <var>key</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the <code>ext</code> attribute of <var>jwk</var> to the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal slot
+                            of <var>key</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be the result of converting <var>jwk</var>
+                            to an ECMAScript Object, as defined by [<a href="#WebIDL">WebIDL</a>].
+                          </p>
+                        </li>
+                      </ul>
+                    </dd>
+                    <dt>Otherwise</dt>
+                    <dd>
+                      <p>
+                        <a href="#concept-throw">throw</a> a
+                        <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                      </p>
+                    </dd>
+                  </dl>
+                </li>
+                <li>
+                  <p>
+                    Return <var>result</var>.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+          </dl>
+        </div>
+      </div>
+
+      <div id="rsa-pss" class="section">
+        <h3>21. RSA-PSS</h3>
+        <div id="rsa-pss-description" class="section">
+          <h4>21.1. Description</h4>
+          <p>
+            The <code>"RSA-PSS"</code> algorithm identifier is used to perform signing
+            and verification using the RSASSA-PSS algorithm specified in
+            [<cite><a href="#RFC3447">RFC3447</a></cite>], using the SHA hash functions defined
+            in this specification and the mask generation
+            formula MGF1.
+          </p>
+          <p>
+            <a href="#dfn-applicable-specification">Other specifications</a>
+            may specify the use of additional hash algorithms with RSASSA-PSS. Such specifications
+            must define the digest operation for the additional hash algorithms and
+            <dfn id="dfn-rsa-pss-extended-import-steps">key import steps</dfn> and
+            <dfn id="dfn-rsa-pss-extended-export-steps">key export steps</dfn> for RSASSA-PSS.
+          </p>
+        </div>
+        <div id="rsa-pss-registration" class="section">
+          <h4>21.2. Registration</h4>
+          <p>
+            The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
+            this algorithm is <code>"RSA-PSS"</code>.
+          </p>
+          <table>
+            <thead>
+              <tr>
+                <th><a href="#supported-operations">Operation</a></th>
+                <th><a href="#algorithm-specific-params">Parameters</a></th>
+                <th><a href="#algorithm-result">Result</a></th>
+              </tr>
+            </thead>
+            <tbody>
+              <tr>
+                <td>sign</td>
+                <td><a href="#dfn-RsaPssParams">RsaPssParams</a></td>
+                <td>ArrayBuffer</td>
+              </tr>
+              <tr>
+                <td>verify</td>
+                <td><a href="#dfn-RsaPssParams">RsaPssParams</a></td>
+                <td>boolean</td>
+              </tr>
+              <tr>
+                <td>generateKey</td>
+                <td><a href="#dfn-RsaHashedKeyGenParams">RsaHashedKeyGenParams</a></td>
+                <td><a href="#dfn-CryptoKeyPair">CryptoKeyPair</a></td>
+              </tr>
+              <tr>
+                <td>importKey</td>
+                <td><a href="#dfn-RsaHashedImportParams">RsaHashedImportParams</a></td>
+                <td><a href="#dfn-CryptoKey">CryptoKey</a></td>
+              </tr>
+              <tr>
+                <td>exportKey</td>
+                <td>None</td>
+                <td>object</td>
+              </tr>
+            </tbody>
+          </table>
+        </div>
+        <div id="RsaPssParams-dictionary" class="section">
+          <h4>21.3. RsaPssParams dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaPssParams">RsaPssParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
+<span class="comment">// The desired length of the random salt</span>
+[EnforceRange] required unsigned long <dfn id="dfn-RsaPssParams-saltLength">saltLength</dfn>;
+};
+          </code></pre></div></div>
+        </div>
+        <div id="rsa-pss-operations" class="section">
+          <h4>21.4. Operations</h4>
+          <dl>
+            <dt>Sign</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>key</var> is not <code>"private"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Perform the signature generation operation defined in Section 8.1 of [<cite><a href="#RFC3447">RFC3447</a></cite>] with the key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>key</var>
+                    as the signer's private key, <var>K</var>, and the <a href="#concept-contents-of-arraybuffer">contents of <var>message</var></a> as
+                    the message to be signed, <var>M</var>, and using the hash function specified
+                    by the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of the
+                    [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> as the Hash option, MGF1 (defined in Section B.2.1 of [<cite><a href="#RFC3447">RFC3447</a></cite>]) as the MGF option and the <a href="#dfn-RsaPssParams-saltLength">saltLength</a> member of
+                    <var>normalizedAlgorithm</var> as the salt length option for the
+                    EMM-PSS-ENCODE operation.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>signature</var> be a new <code>ArrayBuffer</code> containing the
+                    signature, S, that results from performing the operation.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Verify</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>key</var> is not <code>"public"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Perform the signature verification operation defined in Section 8.1 of
+                    [<cite><a href="#RFC3447">RFC3447</a></cite>] with the key represented by the
+                    [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                    <var>key</var> as the signer's RSA public key and the <a href="#concept-contents-of-arraybuffer">contents of <var>message</var></a> as
+                    <var>M</var> and <a href="#concept-contents-of-arraybuffer">the contents of
+                    <var>signature</var></a> as <var>S</var> and using the hash function specified
+                    by the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of the
+                    [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> as the Hash option, MGF1 (defined in Section B.2.1 of [<cite><a href="#RFC3447">RFC3447</a></cite>]) as the MGF option and the <a href="#dfn-RsaPssParams-saltLength">saltLength</a> member of
+                    <var>normalizedAlgorithm</var> as the salt length option for the
+                    EMSA-PSS-VERIFY operation.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>result</var> be a boolean with value true if the
+                    result of the operation was "valid signature" and a boolean with value
+                    false otherwise.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Generate Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If <var>usages</var> contains an entry which is not
+                    <code>"sign"</code> or <code>"verify"</code>,
+                    then <a href="#concept-throw">throw</a> a
+                    <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Generate an RSA key pair, as defined in [<cite><a href="#RFC3447">RFC3447</a></cite>], with RSA modulus length equal to the
+                    <a href="#dfn-RsaKeyGenParams-modulusLength">modulusLength</a> member of
+                    <var>normalizedAlgorithm</var> and RSA public exponent equal to the
+                    <a href="#dfn-RsaKeyGenParams-publicExponent">publicExponent</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>algorithm</var> be a new
+                    <a href="#dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</a>
+                    dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
+                    <var>algorithm</var> to <code>"RSA-PSS"</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the
+                    <a href="#dfn-RsaKeyAlgorithm-modulusLength">modulusLength</a>
+                    attribute of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaKeyGenParams-modulusLength">modulusLength</a>
+                    member of <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the
+                    <a href="#dfn-RsaKeyAlgorithm-publicExponent">publicExponent</a>
+                    attribute of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaKeyGenParams-publicExponent">publicExponent</a>
+                    member of <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute
+                    of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaHashedKeyGenParams">hash</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>publicKey</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                    object representing the public key of the generated key pair.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>publicKey</var> to <code>"public"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+                    slot of <var>publicKey</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+                    slot of <var>publicKey</var> to true.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                    <var>publicKey</var> to be the <a href="#concept-usage-intersection">usage
+                    intersection</a> of <var>usages</var> and <code>[ "verify" ]</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>privateKey</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                    object representing the private key of the generated key pair.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>privateKey</var> to <code>"private"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+                    slot of <var>privateKey</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal
+                    slot of <var>privateKey</var> to <var>extractable</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                    <var>privateKey</var> to be the <a href="#concept-usage-intersection">usage
+                    intersection</a> of <var>usages</var> and <code>[ "sign" ]</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>result</var> be a new <a href="#dfn-CryptoKeyPair">CryptoKeyPair</a>
+                    dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-CryptoKeyPair-publicKey">publicKey</a> attribute
+                    of <var>result</var> to <var>publicKey</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-CryptoKeyPair-privateKey">privateKey</a> attribute
+                    of <var>result</var> to <var>privateKey</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Return the result of converting <var>result</var> to an ECMAScript Object,
+                    as defined by [<a href="#WebIDL">WebIDL</a>].
+                  </p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Import Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>Let <var>keyData</var> be the key data to be imported.</p>
+                </li>
+                <li>
+                  <dl class="switch">
+                    <dt>If <var>format</var> is <code>"spki"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If <var>usages</var> contains an entry which is not
+                            <code>"verify"</code>
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>spki</var> be the result of running the
+                            <a href="#concept-parse-a-spki">parse a subjectPublicKeyInfo</a>
+                            algorithm over <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>alg</var> be the <code>algorithm</code> object identifier
+                            field of the <code>algorithm</code> AlgorithmIdentifier field of
+                            <var>spki</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>rsaEncryption</code>
+                              OID defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the
+                              <code>id-RSASSA-PSS</code> OID defined in
+                              <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>params</var> be the ASN.1 structure contained within
+                                    the <code>parameters</code> field of the <code>algorithm</code>
+                                    AlgorithmIdentifier field of <var>spki</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>params</var> is not defined, or is not an instance of
+                                    the <code>RSASSA-PSS-params</code> ASN.1 type defined in
+                                    <a href="#RFC3447">RFC3447</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>hashAlg</var> be the AlgorithmIdentifier ASN.1 type
+                                    within the <code>hashAlgorithm</code> field of <var>params</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <dl class="switch">
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha1</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-1"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha256</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-256"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha384</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-384"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha512</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-512"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>Otherwise:</dt>
+                                    <dd>
+                                      <ol>
+                                        <li>
+                                          <p>
+                                            Perform any <a href="#dfn-rsa-pss-extended-import-steps">key
+                                            import steps</a> defined by
+                                            <a href="#dfn-applicable-specification">other applicable
+                                            specifications</a>, passing <var>format</var>, <var>spki</var>
+                                            and obtaining <var>hash</var>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            If an error occured or there are no
+                                            <a href="#dfn-applicable-specification">applicable
+                                            specifications</a>,
+                                            <a href="#concept-throw">throw</a> a
+                                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                                          </p>
+                                        </li>
+                                      </ol>
+                                    </dd>
+                                  </dl>
+                                </li>
+                              
+                                <li>
+                                  <p>
+                                    If the <code>algorithm</code> object identifier field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    equivalent to the OID <code>id-mgf1</code> defined in <a href="#RFC3447">RFC 3447</a>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>parameters</code> field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    an instance of the <code>HashAlgorithm</code> ASN.1 type that is
+                                    identical in content to the <code>hashAlglorithm</code> field of
+                                    <var>params</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <p>
+                                <a href="#concept-throw">throw</a> a
+                                <a href="#dfn-DataError"><code>DataError</code></a>.
+                              </p>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>publicKey</var> be the result of performing the <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>
+                            algorithm, with <var>data</var> as the
+                            <code>subjectPublicKeyInfo</code> field of <var>spki</var>,
+                            <var>structure</var> as the <code>RSAPublicKey</code> structure
+                            specified in Section A.1.1 of <a href="#RFC3447">RFC 3447</a>, and
+                            <var>exactData</var> set to true.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                            object that represents the RSA public key identified by
+                            <var>publicKey</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> to <code>"public"</code>
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"pkcs8"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If <var>usages</var> contains an entry which is not
+                            <code>"sign"</code>
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>privateKeyInfo</var> be the result of running the
+                            <a href="#concept-parse-a-privateKeyInfo">parse a privateKeyInfo</a>
+                            algorithm over <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>alg</var> be the <code>algorithm</code> object identifier
+                            field of the <code>privateKeyAlgorithm</code>
+                            PrivateKeyAlgorithmIdentifier field of <var>privateKeyInfo</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>rsaEncryption</code>
+                              OID defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>id-RSASSA-PSS</code> OID
+                              defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>params</var> be the ASN.1 structure contained within
+                                    the <code>parameters</code> field of the
+                                    <code>privateKeyAlgorithm</code> PrivateKeyAlgorithmIdentifier
+                                    field of <var>privateKeyInfo</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>params</var> is not defined, or is not an instance of
+                                    the <code>RSASSA-PSS-params</code> ASN.1 type defined in
+                                    <a href="#RFC3447">RFC3447</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>hashAlg</var> be the AlgorithmIdentifier ASN.1 type
+                                    within the <code>hashAlgorithm</code> field of <var>params</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <dl class="switch">
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha1</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-1"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha256</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-256"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha384</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-384"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha512</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-512"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>Otherwise:</dt>
+                                    <dd>
+                                      <ol>
+                                        <li>
+                                          <p>
+                                            Perform any <a href="#dfn-rsa-pss-extended-import-steps">key
+                                            import steps</a> defined by
+                                            <a href="#dfn-applicable-specification">other applicable
+                                            specifications</a>, passing <var>format</var>, <var>privateKeyInfo</var>
+                                            and obtaining <var>hash</var>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            If an error occured or there are no
+                                            <a href="#dfn-applicable-specification">applicable
+                                            specifications</a>,
+                                            <a href="#concept-throw">throw</a> a
+                                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                                          </p>
+                                        </li>
+                                      </ol>
+                                    </dd>
+                                  </dl>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>algorithm</code> object identifier field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    equivalent to the OID <code>id-mgf1</code> defined in <a href="#RFC3447">RFC 3447</a>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>parameters</code> field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    an instance of the <code>HashAlgorithm</code> ASN.1 type that is
+                                    identical in content to the <code>hashAlglorithm</code> field of
+                                    <var>params</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <p>
+                                <a href="#concept-throw">throw</a> a
+                                <a href="#dfn-DataError"><code>DataError</code></a>.
+                              </p>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>rsaPrivateKey</var> be the result of performing the <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>
+                            algorithm, with <var>data</var> as the
+                            <code>privateKey</code> field of <var>privateKeyInfo</var>,
+                            <var>structure</var> as the <code>RSAPrivateKey</code> structure
+                            specified in Section A.1.2 of <a href="#RFC3447">RFC 3447</a>, and
+                            <var>exactData</var> set to true.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                            object that represents the RSA private key identified by
+                            <var>rsaPrivateKey</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> to <code>"private"</code>
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"jwk"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            Let <var>jwk</var> be the <a href="#dfn-JsonWebKey">JsonWebKey</a>
+                            dictionary represented by <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"d"</code> field of <var>jwk</var> is present and
+                            <var>usages</var> contains an entry which is not
+                            <code>"sign"</code>, or, if the <code>"d"</code> field of <var>jwk</var>
+                            is not present and
+                            <var>usages</var> contains an entry which is not
+                            <code>"verify"</code>
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"kty"</code> field of <var>jwk</var> is not a
+                            case-sensitive string match to <code>"RSA"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"use"</code> field of <var>jwk</var> is present, and is
+                            not a case-sensitive string match to <code>"sig"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"key_ops"</code> field of <var>jwk</var> is present, and
+                            is invalid according to the requirements of
+                            <a href="#jwk">JSON Web Key</a> or
+                            does not contain all of the specified <var>usages</var> values,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If the <code>"alg"</code> field of <var>jwk</var> is not
+                              present:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"PS1"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-1"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"PS256"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-256"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"PS384"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-384"</code>.
+                              </p>
+                            </dd>
+                            <dt>
+                              If the <code>"alg"</code> field is equal to the string
+                              <code>"PS512"</code>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be the string <code>"SHA-512"</code>.
+                              </p>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-pss-extended-import-steps">key
+                                    import steps</a> defined by
+                                    <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var>, <var>jwk</var>
+                                    and obtaining <var>hash</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If an error occured or there are no
+                                    <a href="#dfn-applicable-specification">applicable
+                                    specifications</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>If the <code>"d"</code> field of <var>jwk</var> is present:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    If <var>jwk</var> does not meet the requirements of
+                                    Section 6.3.2 of <a href="#jwa">JSON Web
+                                    Algorithms</a>,
+                                    then <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a> object that represents the
+                                    RSA private key identified by interpreting <var>jwk</var>
+                                    according to Section 6.3.2 of <a href="#jwa"> JSON Web
+                                    Algorithms</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]]
+                                    internal slot of <var>key</var> to <code>"private"</code>
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    If <var>jwk</var> does not meet the requirements of Section
+                                    6.3.1 of <a href="#jwa">JSON Web Algorithms</a>, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a> object that represents the
+                                    RSA public key identified by interpreting <var>jwk</var>
+                                    according to Section 6.3.1 of <a href="#jwa"> JSON Web
+                                    Algorithms</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]]
+                                    internal slot of <var>key</var> to <code>"public"</code>
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>Otherwise:</dt>
+                    <dd>
+                      <a href="#concept-throw">throw</a> a
+                      <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                    </dd>
+                  </dl>
+                </li>
+                <li>
+                  <p>
+                    Let <var>algorithm</var> be a new
+                    <a href="#dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</a> dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
+                    <var>algorithm</var> to <code>"RSA-PSS"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaKeyAlgorithm-modulusLength">modulusLength</a>
+                    attribute of <var>algorithm</var> to the length, in bits, of the RSA public
+                    modulus.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaKeyAlgorithm-publicExponent">publicExponent</a>
+                    attribute of <var>algorithm</var> to the <a href="#dfn-BigInteger">BigInteger</a>
+                    representation of the RSA public exponent.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of
+                    <var>algorithm</var> to the <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal
+                    slot of <var>key</var> to <var>algorithm</var>
+                  </p>
+                </li>
+                <li>
+                  <p>Return <var>key</var>.</p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Export Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    Let <var>key</var> be the key to be exported.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If the underlying cryptographic key material represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>key</var>
+                    cannot be accessed, then <a href="#concept-throw">throw</a> an <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <dl class="switch">
+                    <dt>If <var>format</var> is <code>"spki"</code></dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> is not <code>"public"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>data</var> be an instance of the <code>subjectPublicKeyInfo</code>
+                            ASN.1 structure defined in <a href="#RFC5280">RFC 5280</a>
+                            with the following properties:
+                          </p>
+                          <ul>
+                            <li>
+                              <p>
+                                Set the <var>algorithm</var> field to an
+                                <code>AlgorithmIdentifier</code> ASN.1 type with the following
+                                properties:
+                              </p>
+                              <ul>
+                                <li>
+                                  <p>
+                                    Set the <var>algorithm</var> field to the OID
+                                    <code>id-RSASSA-PSS</code> defined in
+                                    <a href="#RFC3447">RFC 3447</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <var>params</var> field to an instance of the
+                                    <code>RSASSA-PSS-params</code> ASN.1 type with the following
+                                    properties:
+                                  </p>
+                                  <ul>
+                                    <li>
+                                      <p>
+                                        Set the <var>hashAlgorithm</var> field to an instance of
+                                        the <code>HashAlgorithm</code> ASN.1 type with the
+                                        following properties:
+                                      </p>
+                                      <dl class="switch">
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-1"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha1</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-256"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha256</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-384"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha384</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-512"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha512</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>Otherwise:</dt>
+                                        <dd>
+                                          <ol>
+                                            <li>
+                                              <p>
+                                                Perform any <a href="#dfn-rsa-pss-extended-export-steps">key export steps</a>
+                                                defined by <a href="#dfn-applicable-specification">other applicable
+                                                specifications</a>, passing <var>format</var> and the
+                                                <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                                the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                                internal slot of <var>key</var>
+                                                and obtaining <var>hashOid</var> and <var>hashParams</var>.
+                                              </p>
+                                            </li>
+                                            <li>
+                                              <p>
+                                                Set the <var>algorithm</var> object identifier
+                                                of <var>hashAlgorithm</var> to <var>hashOid</var>.
+                                              </p>
+                                            </li>
+                                            <li>
+                                              <p>
+                                                Set the <var>params</var> field of <var>hashAlgorithm</var>
+                                                to
+                                                <var>hashParams</var> if <var>hashParams</var> is not
+                                                undefined and omit the <var>params</var> field otherwise.
+                                              </p>
+                                            </li>
+                                          </ol>
+                                        </dd>
+                                      </dl>
+                                    </li>
+                                    <li>
+                                      <p>
+                                        Set the <var>maskGenAlgorithm</var> field to an instance
+                                        of the <code>MaskGenAlgorithm</code> ASN.1 type with the
+                                        following properties:
+                                      </p>
+                                      <ul>
+                                        <li>
+                                          <p>
+                                            Set the <var>algorithm</var> field to the OID
+                                            <code>id-mgf1</code> defined in <a href="#RFC3447">RFC
+                                            3447</a>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            Set the <var>params</var> field to an instance of the
+                                            <code>HashAlgorithm</code> ASN.1 type that is
+                                            identical to the <var>hashAlgorithm</var> field.
+                                          </p>
+                                        </li>
+                                      </ul>
+                                    </li>
+                                    <li>
+                                      <p>
+                                        Set the <var>saltLength</var> field to the length in
+                                        octets of the digest algorithm identified by the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute
+                                        of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                        internal slot of <var>key</var>.
+                                      </p>
+                                    </li>
+                                  </ul>
+                                </li>
+                              </ul>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>subjectPublicKey</var> field to the result of
+                                DER-encoding an <code>RSAPublicKey</code> ASN.1 type, as defined
+                                in <a href="#RFC3447">RFC 3447</a>, Appendix A.1.1, that
+                                represents the RSA public key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                                <var>key</var>
+                              </p>
+                            </li>
+                          </ul>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be a new <code>ArrayBuffer</code> containing
+                            <var>data</var>.
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"pkcs8"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot
+                            of <var>key</var> is not <code>"private"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>data</var> be the result of encoding a privateKeyInfo structure
+                            with the following properties:
+                          </p>
+                          <ul>
+                            <li>
+                              <p>
+                                Set the <var>version</var> field to 0.
+                              </p>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>privateKeyAlgorithm</var> field to an
+                                <code>PrivateKeyAlgorithmIdentifier</code> ASN.1 type with the
+                                following properties:
+                              </p>
+                              <ul>
+                                <li>
+                                  <p>
+                                    Set the <var>algorithm</var> field to the OID
+                                    <code>id-RSASSA-PSS</code> defined in
+                                    <a href="#RFC3447">RFC 3447</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <var>params</var> field to an instance of the
+                                    <code>RSASSA-PSS-params</code> ASN.1 type with the following
+                                    properties:
+                                  </p>
+                                  <ul>
+                                    <li>
+                                      <p>
+                                        Set the <var>hashAlgorithm</var> field to an instance of
+                                        the <code>HashAlgorithm</code> ASN.1 type with the
+                                        following properties:
+                                      </p>
+                                      <dl class="switch">
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-1"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha1</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-256"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha256</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-384"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha384</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-512"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha512</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>Otherwise:</dt>
+                                        <dd>
+                                          <ol>
+                                            <li>
+                                              <p>
+                                                Perform any <a href="#dfn-rsa-pss-extended-export-steps">key export steps</a>
+                                                defined by <a href="#dfn-applicable-specification">other applicable
+                                                specifications</a>, passing <var>format</var> and the
+                                                <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                                the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                                internal slot of <var>key</var>
+                                                and obtaining <var>hashOid</var> and <var>hashParams</var>.
+                                              </p>
+                                            </li>
+                                            <li>
+                                              <p>
+                                                Set the <var>algorithm</var> object identifier
+                                                of <var>hashAlgorithm</var> to <var>hashOid</var>.
+                                              </p>
+                                            </li>
+                                            <li>
+                                              <p>
+                                                Set the <var>params</var> field of <var>hashAlgorithm</var>
+                                                to
+                                                <var>hashParams</var> if <var>hashParams</var> is not
+                                                undefined and omit the <var>params</var> field otherwise.
+                                              </p>
+                                            </li>
+                                          </ol>
+                                        </dd>
+                                      </dl>
+                                    </li>
+                                    <li>
+                                      <p>
+                                        Set the <var>maskGenAlgorithm</var> field to an instance
+                                        of the <code>MaskGenAlgorithm</code> ASN.1 type with the
+                                        following properties:
+                                      </p>
+                                      <ul>
+                                        <li>
+                                          <p>
+                                            Set the <var>algorithm</var> field to the OID
+                                            <code>id-mgf1</code> defined in <a href="#RFC3447">RFC
+                                            3447</a>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            Set the <var>params</var> field to an instance of the
+                                            <code>HashAlgorithm</code> ASN.1 type that is
+                                            identical to the <var>hashAlgorithm</var> field.
+                                          </p>
+                                        </li>
+                                      </ul>
+                                    </li>
+                                    <li>
+                                      <p>
+                                        Set the <var>saltLength</var> field to the length in
+                                        octets of the digest algorithm identified by the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute
+                                        of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                        internal slot of <var>key</var>.
+                                      </p>
+                                    </li>
+                                  </ul>
+                                </li>
+                              </ul>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>privateKey</var> field to the result of DER-encoding
+                                an <code>RSAPrivateKey</code> ASN.1 type, as defined in <a href="#RFC3447">RFC 3447</a>, Appendix A.1.2, that represents the
+                                RSA private key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                                <var>key</var>
+                              </p>
+                              <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+                                <a href="#RFC5208">RFC 5208</a> specifies that the encoding of
+                                this field should be <em>BER</em> encoded in Section 5 (as a "for
+                                example"). However, to avoid requiring WebCrypto implementations
+                                support BER-encoding and BER-decoding, only <em>DER</em> encodings
+                                are produced or accepted.
+                              </div>
+                            </li>
+                          </ul>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be a new <code>ArrayBuffer</code> containing
+                            <var>data</var>.
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"jwk"</code>:</dt>
+                    <dd>
+                      <ul>
+                        <li>
+                          <p>Let <var>jwk</var> be a new <a href="#dfn-JsonWebKey">JsonWebKey</a> dictionary.</p>
+                        </li>
+                        <li>
+                          <p>Set the <code>kty</code> attribute of <var>jwk</var> to the string
+                          <code>"RSA"</code>.</p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be the <a href="#dfn-KeyAlgorithm-name">name</a>
+                            attribute of the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a>
+                            attribute of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                            <var>key</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>If <var>hash</var> is <code>"SHA-1"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"PS1"</code>.
+                              </p>
+                            </dd>
+                            <dt>If <var>hash</var> is <code>"SHA-256"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"PS256"</code>.
+                              </p>
+                            </dd>
+                            <dt>If <var>hash</var> is <code>"SHA-384"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"PS384"</code>.
+                              </p>
+                            </dd>
+                            <dt>If <var>hash</var> is <code>"SHA-512"</code>:</dt>
+                            <dd>
+                              <p>
+                                Set the <code>alg</code> attribute of <var>jwk</var> to the string
+                                <code>"PS512"</code>.
+                              </p>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-pss-extended-export-steps">key export steps</a>
+                                    defined by <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var> and the
+                                    <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                    the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                    internal slot of <var>key</var>
+                                    and obtaining <var>alg</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <code>alg</code> attribute of <var>jwk</var> to <var>alg</var>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Set the attributes <code>n</code> and <code>e</code> of <var>jwk</var>
+                            according to the corresponding definitions in <a href="#jwa">JSON Web
+                            Algorithms</a>, Section 6.3.1.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                              <var>key</var> is <code>"private"</code>:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Set the attributes named <code>d</code>, <code>p</code>,
+                                    <code>q</code>, <code>dp</code>, <code>dq</code>, and
+                                    <code>qi</code> of <var>jwk</var> according to the
+                                    corresponding definitions in <a href="#jwa">JSON Web
+                                    Algorithms</a>, Section 6.3.2.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the underlying RSA private key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot
+                                    of <var>key</var> is represented by more than two primes, set
+                                    the attribute named <code>oth</code> of <var>jwk</var>
+                                    according to the corresponding definition in <a href="#jwa">JSON Web Algorithms</a>, Section 6.3.2.7
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Set the <code>key_ops</code> attribute of <var>jwk</var> to the <a href="#dfn-CryptoKey-usages">usages</a> attribute of <var>key</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the <code>ext</code> attribute of <var>jwk</var> to the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal slot
+                            of <var>key</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be the result of converting <var>jwk</var>
+                            to an ECMAScript Object, as defined by [<a href="#WebIDL">WebIDL</a>].
+                          </p>
+                        </li>
+                      </ul>
+                    </dd>
+                    <dt>Otherwise</dt>
+                    <dd>
+                      <p>
+                        <a href="#concept-throw">throw</a> a
+                        <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                      </p>
+                    </dd>
+                  </dl>
+                </li>
+                <li>
+                  <p>
+                    Return <var>result</var>.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+          </dl>
+        </div>
+      </div>
+
+      <div id="rsa-oaep" class="section">
+        <h3>22. RSA-OAEP</h3>
+        <div id="rsa-oaep-description" class="section">
+          <h4>22.1. Description</h4>
+          <p>
+            The <code>"RSA-OAEP"</code> algorithm identifier is used to perform encryption
+            and decryption ordering to the RSAES-OAEP algorithm specified in
+            [<cite><a href="#RFC3447">RFC3447</a></cite>], using the SHA hash functions defined
+            in this specification and using the mask
+            generation function MGF1.
+          </p>
+          <p>
+            <a href="#dfn-applicable-specification">Other specifications</a>
+            may specify the use of additional hash algorithms with RSAES-OAEP. Such specifications
+            must define the digest operation for the additional hash algorithm and
+            <dfn id="dfn-rsa-oaep-extended-import-steps">key import steps</dfn> and
+            <dfn id="dfn-rsa-oaep-extended-export-steps">key export steps</dfn> for RSAES-OAEP.
+          </p>
+        </div>
+        <div id="rsa-oaep-registration" class="section">
+          <h4>22.2. Registration</h4>
+          <p>
+            The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
+            this algorithm is <code>"RSA-OAEP"</code>.
+          </p>
+          <table>
+            <thead>
+              <tr>
+                <th><a href="#supported-operations">Operation</a></th>
+                <th><a href="#algorithm-specific-params">Parameters</a></th>
+                <th><a href="#algorithm-result">Result</a></th>
+              </tr>
+            </thead>
+            <tbody>
+              <tr>
+                <td>encrypt</td>
+                <td><a href="#dfn-RsaOaepParams">RsaOaepParams</a></td>
+                <td>ArrayBuffer</td>
+              </tr>
+              <tr>
+                <td>decrypt</td>
+                <td><a href="#dfn-RsaOaepParams">RsaOaepParams</a></td>
+                <td>ArrayBuffer</td>
+              </tr>
+              <tr>
+                <td>generateKey</td>
+                <td><a href="#dfn-RsaHashedKeyGenParams">RsaHashedKeyGenParams</a></td>
+                <td><a href="#dfn-CryptoKeyPair">CryptoKeyPair</a></td>
+              </tr>
+              <tr>
+                <td>importKey</td>
+                <td><a href="#dfn-RsaHashedImportParams">RsaHashedImportParams</a></td>
+                <td><a href="#dfn-CryptoKey">CryptoKey</a></td>
+              </tr>
+              <tr>
+                <td>exportKey</td>
+                <td>None</td>
+                <td>object</td>
+              </tr>
+            </tbody>
+          </table>
+        </div>
+
+        <div id="rsa-oaep-params" class="section">
+          <h4>22.3. RsaOaepParams dictionary</h4>
+          <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-RsaOaepParams">RsaOaepParams</dfn> : <a href="#dfn-Algorithm">Algorithm</a> {
+<span class="comment">// The optional label/application data to associate with the message</span>
+BufferSource <dfn id="dfn-RsaOaepParams-label">label</dfn>;
+};
+          </code></pre></div></div>
+        </div>
+        <div id="rsa-oaep-operations" class="section">
+          <h4>22.4. Operations</h4>
+          <dl>
+            <dt>Encrypt</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of <var>key</var>
+                    is not <code>"public"</code>,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>label</var> be the <a href="#concept-contents-of-arraybuffer">contents of</a> the <a href="#dfn-RsaOaepParams-label">label</a> member of
+                    <var>normalizedAlgorithm</var> or the empty octet string if the
+                    <a href="#dfn-RsaOaepParams-label">label</a> member of
+                    <var>normalizedAlgorithm</var> is not present.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Perform the encryption operation defined in Section 7.1 of [<cite><a href="#RFC3447">RFC3447</a></cite>] with the key represented by <var>key</var>
+                    as the recipient's RSA public key, the <a href="#concept-contents-of-arraybuffer">contents of <var>plaintext</var></a>
+                    as the message to be encrypted, <var>M</var> and <var>label</var>
+                    as the label, <var>L</var>, and with the hash
+                    function specified by the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a>
+                    attribute of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> as the Hash option and MGF1 (defined in Section B.2.1 of
+                    [<cite><a href="#RFC3447">RFC3447</a></cite>]) as the MGF option.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>ciphertext</var> be a new <code>ArrayBuffer</code>
+                    containing the value <var>C</var> that results from performing the
+                    operation.
+                  </p>
+                </li>
+              </ol>
+            </dd>
+            <dt>Decrypt</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of <var>key</var>
+                    is not <code>"private"</code>,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>label</var> be the <a href="#concept-contents-of-arraybuffer">contents of</a> the <a href="#dfn-RsaOaepParams-label">label</a> member of
+                    <var>normalizedAlgorithm</var> or the empty octet string if the
+                    <a href="#dfn-RsaOaepParams-label">label</a> member of
+                    <var>normalizedAlgorithm</var> is not present.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Perform the decryption operation defined in Section 7.1 of [<cite><a href="#RFC3447">RFC3447</a></cite>] with the key represented by <var>key</var>
+                    as the recipient's RSA private key, the <a href="#concept-contents-of-arraybuffer">contents of <var>ciphertext</var></a>
+                    as the ciphertext to be decrypted, C, and <var>label</var>
+                    as the label, <var>L</var>, and with the hash
+                    function specified by the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a>
+                    attribute of the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> as the Hash option and MGF1 (defined in Section B.2.1 of
+                    [<cite><a href="#RFC3447">RFC3447</a></cite>]) as the MGF option.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>plaintext</var> be a new <code>ArrayBuffer</code>
+                    containing the value <var>M</var> that results from performing the
+                    operation.
+                  </p>
+                </li>
+              </ol>
+            </dd>
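Review bot: In the Decrypt step, the ciphertext symbol in "as the ciphertext to be decrypted, C" is bare text while `M` and `L` in the same sentence are wrapped in `<var>`; write it as `<var>C</var>` to match the Encrypt step, which marks up all three symbols. Since the RSA decryption failure and the OAEP decoding failure of RFC 3447 Section 7.1.2 are both folded into a single OperationError here, it would help implementers to state that the two causes must not be distinguishable (by error message or timing), which is the note RFC 3447 attaches to that step.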
+            <dt>Generate Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    If <var>usages</var> contains an entry which is not
+                    <code>"encrypt"</code>, <code>"decrypt"</code>,
+                    <code>"wrapKey"</code> or <code>"unwrapKey"</code>,
+                    then <a href="#concept-throw">throw</a> a
+                    <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Generate an RSA key pair, as defined in [<cite><a href="#RFC3447">RFC3447</a></cite>], with RSA modulus length equal to the
+                    <a href="#dfn-RsaKeyGenParams-modulusLength">modulusLength</a> member of
+                    <var>normalizedAlgorithm</var> and RSA public exponent equal to the
+                    <a href="#dfn-RsaKeyGenParams-publicExponent">publicExponent</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If performing the operation results in an error,
+                    then <a href="#concept-throw">throw</a> an
+                    <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>algorithm</var> be a new
+                    <a href="#dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</a>
+                    object.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
+                    <var>algorithm</var> to <code>"RSA-OAEP"</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the
+                    <a href="#dfn-RsaKeyAlgorithm-modulusLength">modulusLength</a>
+                    attribute of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaKeyGenParams-modulusLength">modulusLength</a>
+                    member of <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the
+                    <a href="#dfn-RsaKeyAlgorithm-publicExponent">publicExponent</a>
+                    attribute of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaKeyGenParams-publicExponent">publicExponent</a>
+                    member of <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute
+                    of <var>algorithm</var> to equal the
+                    <a href="#dfn-RsaHashedKeyGenParams">hash</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>publicKey</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                    object representing the public key of the generated key pair.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>publicKey</var> to <code>"public"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>publicKey</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal slot of
+                    <var>publicKey</var> to true.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                    <var>publicKey</var> to be the
+                    <a href="#concept-usage-intersection">usage intersection</a> of
+                    <var>usages</var> and <code>[ "encrypt", "wrapKey" ]</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>privateKey</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                    object representing the private key of the generated key pair.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                    <var>privateKey</var> to <code>"private"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>privateKey</var> to <var>algorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-extractable">extractable</a>]] internal slot of
+                    <var>privateKey</var> to <var>extractable</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-usages">usages</a>]] internal slot of
+                    <var>privateKey</var> to be the
+                    <a href="#concept-usage-intersection">usage intersection</a> of
+                    <var>usages</var> and <code>[ "decrypt", "unwrapKey" ]</code>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Let <var>result</var> be a new <a href="#dfn-CryptoKeyPair">CryptoKeyPair</a>
+                    dictionary.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-CryptoKeyPair-publicKey">publicKey</a> attribute
+                    of <var>result</var> to be <var>publicKey</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-CryptoKeyPair-privateKey">privateKey</a> attribute
+                    of <var>result</var> to be <var>privateKey</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Return the result of converting <var>result</var> to an ECMAScript Object, as
+                    defined by [<a href="#WebIDL">WebIDL</a>].
+                  </p>
+                </li>
+              </ol>
+            </dd>
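Review bot: The link for the `hash` member in the "Set the hash attribute of algorithm" step points at `#dfn-RsaHashedKeyGenParams`, the dictionary itself, while the sibling steps link the member anchors `#dfn-RsaKeyGenParams-modulusLength` and `#dfn-RsaKeyGenParams-publicExponent`; it should presumably be `#dfn-RsaHashedKeyGenParams-hash`. The two steps "Set the [[type]] internal slot of publicKey to "public"" and "... of privateKey to "private"" also lack the terminating period every other step in the list has.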
+
+            <dt>Import Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>Let <var>keyData</var> be the key data to be imported.</p>
+                </li>
+                <li>
+                  <dl class="switch">
+                    <dt>If <var>format</var> is <code>"spki"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If <var>usages</var> contains an entry which is not
+                            <code>"encrypt"</code> or
+                            <code>"wrapKey"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>spki</var> be the result of running the
+                            <a href="#concept-parse-a-spki">parse a subjectPublicKeyInfo</a>
+                            algorithm over <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be a string whose initial value is undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>alg</var> be the <code>algorithm</code> object identifier
+                            field of the <code>algorithm</code> AlgorithmIdentifier field of
+                            <var>spki</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>rsaEncryption</code>
+                              OID defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>id-RSAES-OAEP</code>
+                              OID defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>params</var> be the ASN.1 structure contained within
+                                    the <code>parameters</code> field of the <code>algorithm</code>
+                                    AlgorithmIdentifier field of <var>spki</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>params</var> is not defined, or is not an instance of
+                                    the <code>RSAES-OAEP-params</code> ASN.1 type defined in
+                                    <a href="#RFC3447">RFC3447</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>hashAlg</var> be the AlgorithmIdentifier ASN.1 type
+                                    within the <code>hashAlgorithm</code> field of <var>params</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <dl class="switch">
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha1</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-1"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha256</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-256"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha384</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-384"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha512</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-512"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>Otherwise:</dt>
+                                    <dd>
+                                      <ol>
+                                        <li>
+                                          <p>
+                                            Perform any <a href="#dfn-rsa-oaep-extended-import-steps">key
+                                            import steps</a> defined by
+                                            <a href="#dfn-applicable-specification">other applicable
+                                            specifications</a>, passing <var>format</var>, <var>spki</var>
+                                            and obtaining <var>hash</var>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            If an error occured or there are no
+                                            <a href="#dfn-applicable-specification">applicable
+                                            specifications</a>,
+                                            <a href="#concept-throw">throw</a> a
+                                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                                          </p>
+                                        </li>
+                                      </ol>
+                                    </dd>
+                                  </dl>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>algorithm</code> object identifier field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    equivalent to the OID <code>id-mgf1</code> defined in <a href="#RFC3447">RFC 3447</a>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>parameters</code> field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    an instance of the <code>HashAlgorithm</code> ASN.1 type that is
+                                    identical in content to the <code>hashAlglorithm</code> field of
+                                    <var>params</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <p>
+                                <a href="#concept-throw">throw</a> a
+                                <a href="#dfn-DataError"><code>DataError</code></a>.
+                              </p>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>publicKey</var> be the result of performing the <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>
+                            algorithm, with <var>data</var> as the
+                            <code>subjectPublicKeyInfo</code> field of <var>spki</var>,
+                            <var>structure</var> as the <code>RSAPublicKey</code> structure
+                            specified in Section A.1.1 of <a href="#RFC3447">RFC 3447</a>, and
+                            <var>exactData</var> set to true.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                            object that represents the RSA public key identified by
+                            <var>publicKey</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                            <var>key</var> to <code>"public"</code>
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
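Review bot: In the spki branch, the step that parses the `RSAPublicKey` names its input "the `subjectPublicKeyInfo` field of spki", but spki is itself the parsed SubjectPublicKeyInfo; the RSAPublicKey is carried in its `subjectPublicKey` BIT STRING, so the field name should be corrected. Two typos in the same branch: "occured" in the Otherwise sub-step should be "occurred", and `hashAlglorithm` in the maskGenAlgorithm parameters check should be `hashAlgorithm`, the RFC 3447 field name used three steps earlier. The id-RSAES-OAEP checks also cover only `hashAlgorithm` and `maskGenAlgorithm`; RFC 3447 defines RSAES-OAEP-params with a third member, `pSourceAlgorithm`, and all three members carry DEFAULT values and so are omitted from a DER encoding when they take the default. The text should say that the default (sha1 / mgf1SHA1) applies when `hashAlgorithm` or `maskGenAlgorithm` is absent, and either state that `pSourceAlgorithm` is ignored (so a label encoded in the key's parameters has no effect on the label member of RsaOaepParams) or add a check; otherwise implementations will diverge.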
+                    <dt>If <var>format</var> is <code>"pkcs8"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If <var>usages</var> contains an entry which is not
+                            <code>"decrypt"</code> or <code>"unwrapKey"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>privateKeyInfo</var> be the result of running the
+                            <a href="#concept-parse-a-privateKeyInfo">parse a privateKeyInfo</a>
+                            algorithm over <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>hash</var> be a string whose initial value is undefined.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>alg</var> be the <code>algorithm</code> object identifier
+                            field of the <code>privateKeyAlgorithm</code>
+                            PrivateKeyAlgorithmIdentifier field of <var>privateKeyInfo</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>rsaEncryption</code>
+                              OID defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <p>
+                                Let <var>hash</var> be undefined.
+                              </p>
+                            </dd>
+                            <dt>
+                              If <var>alg</var> is equivalent to the <code>id-RSAES-OAEP</code>
+                              OID defined in <a href="#RFC3447">RFC 3447</a>:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>params</var> be the ASN.1 structure contained within
+                                    the <code>parameters</code> field of the
+                                    <code>privateKeyAlgorithm</code> PrivateKeyAlgorithmIdentifier
+                                    field of <var>privateKeyInfo</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>params</var> is not defined, or is not an instance of
+                                    the <code>RSAES-OAEP-params</code> ASN.1 type defined in <a href="#RFC3447">RFC3447</a>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>hashAlg</var> be the AlgorithmIdentifier ASN.1 type
+                                    within the <code>hashAlgorithm</code> field of
+                                    <var>params</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <dl class="switch">
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the <code>id-sha1</code>
+                                      OID defined in <a href="#RFC3447">RFC 3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-1"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the
+                                      <code>id-sha256</code> OID defined in <a href="#RFC3447">RFC
+                                      3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-256"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the
+                                      <code>id-sha384</code> OID defined in <a href="#RFC3447">RFC
+                                      3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-384"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>
+                                      If the <code>algorithm</code> object identifier field of
+                                      <var>hashAlg</var> is equivalent to the
+                                      <code>id-sha512</code> OID defined in <a href="#RFC3447">RFC
+                                      3447</a>:
+                                    </dt>
+                                    <dd>
+                                      <p>
+                                        Set <var>hash</var> to the string <code>"SHA-512"</code>.
+                                      </p>
+                                    </dd>
+                                    <dt>Otherwise:</dt>
+                                    <dd>
+                                      <ol>
+                                        <li>
+                                          <p>
+                                            Perform any <a href="#dfn-rsa-oaep-extended-import-steps">key
+                                            import steps</a> defined by
+                                            <a href="#dfn-applicable-specification">other applicable
+                                            specifications</a>, passing <var>format</var>, <var>spki</var>
+                                            and obtaining <var>hash</var>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            If an error occured or there are no
+                                            <a href="#dfn-applicable-specification">applicable
+                                            specifications</a>,
+                                            <a href="#concept-throw">throw</a> a
+                                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                                          </p>
+                                        </li>
+                                      </ol>
+                                    </dd>
+                                  </dl>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>algorithm</code> object identifier field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    equivalent to the OID <code>id-mgf1</code> defined in <a href="#RFC3447">RFC 3447</a>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If the <code>parameters</code> field of the
+                                    <code>maskGenAlgorithm</code> field of <var>params</var> is not
+                                    an instance of the <code>HashAlgorithm</code> ASN.1 type that is
+                                    identical in content to the <code>hashAlglorithm</code> field of
+                                    <var>params</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <p>
+                                <a href="#concept-throw">throw</a> a
+                                <a href="#dfn-DataError"><code>DataError</code></a>.
+                              </p>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>rsaPrivateKey</var> be the result of performing the <a href="#concept-parse-an-asn1-structure">parse an ASN.1 structure</a>
+                            algorithm, with <var>data</var> as the
+                            <code>privateKey</code> field of <var>privateKeyInfo</var>,
+                            <var>structure</var> as the <code>RSAPrivateKey</code> structure
+                            specified in Section A.1.2 of <a href="#RFC3447">RFC 3447</a>, and
+                            <var>exactData</var> set to true.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If an error occurred while parsing,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a>
+                            object that represents the RSA private key identified by
+                            <var>rsaPrivateKey</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                            <var>key</var> to <code>"private"</code>
+                          </p>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>If <var>format</var> is <code>"jwk"</code>:</dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            Let <var>jwk</var> be the <a href="#dfn-JsonWebKey">JsonWebKey</a>
+                            dictionary represented by <var>keyData</var>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"d"</code> field of <var>jwk</var> is present and
+                            <var>usages</var> contains an entry which is not
+                            <code>"decrypt"</code> or <code>"unwrapKey"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"d"</code> field of <var>jwk</var> is not present and
+                            <var>usages</var> contains an entry which is not
+                            <code>"encrypt"</code> or <code>"wrapKey"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-SyntaxError"><code>SyntaxError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"kty"</code> field of <var>jwk</var> is not a
+                            case-sensitive string match to <code>"RSA"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"use"</code> field of <var>jwk</var> is present, and is
+                            not a case-sensitive string match to <code>"enc"</code>,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            If the <code>"key_ops"</code> field of <var>jwk</var> is present, and
+                            is invalid according to the requirements of
+                            <a href="#jwk">JSON Web Key</a> or
+                            does not contain all of the specified <var>usages</var> values,
+                            then <a href="#concept-throw">throw</a> a
+                            <a href="#dfn-DataError"><code>DataError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>If the <code>alg</code> field of <var>jwk</var> is not present:</dt>
+                            <dd>Let <var>hash</var> be undefined.</dd>
+                            <dt>
+                              If the <code>alg</code> field of <var>jwk</var> is equal to
+                              <code>"RSA-OAEP"</code>:
+                            </dt>
+                            <dd>Let <var>hash</var> be the string <code>"SHA-1"</code>.</dd>
+                            <dt>
+                              If the <code>alg</code> field of <var>jwk</var> is equal to
+                              <code>"RSA-OAEP-256"</code>:
+                            </dt>
+                            <dd>Let <var>hash</var> be the string <code>"SHA-256"</code>.</dd>
+                            <dt>
+                              If the <code>alg</code> field of <var>jwk</var> is equal to
+                              <code>"RSA-OAEP-384"</code>:
+                            </dt>
+                            <dd>Let <var>hash</var> be the string <code>"SHA-384"</code>.</dd>
+                            <dt>
+                              If the <code>alg</code> field of <var>jwk</var> is equal to
+                              <code>"RSA-OAEP-512"</code>:
+                            </dt>
+                            <dd>Let <var>hash</var> be the string <code>"SHA-512"</code>.</dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Perform any <a href="#dfn-rsa-oaep-extended-import-steps">key
+                                    import steps</a> defined by
+                                    <a href="#dfn-applicable-specification">other applicable
+                                    specifications</a>, passing <var>format</var>, <var>jwk</var>
+                                    and obtaining <var>hash</var>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If an error occured or there are no
+                                    <a href="#dfn-applicable-specification">applicable
+                                    specifications</a>,
+                                    <a href="#concept-throw">throw</a> a
+                                    <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl>
+                            <dt>
+                              If <var>hash</var> is not undefined:
+                            </dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    Let <var>normalizedHash</var> be the result of
+                                    <a href="#dfn-normalize-an-algorithm">normalize an algorithm</a>
+                                    with <code>alg</code> set to <var>hash</var> and <code>op</code> set
+                                    to <code>digest</code>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    If <var>normalizedHash</var> is not equal to the
+                                    <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                                    <var>normalizedAlgorithm</var>, <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                        <li>
+                          <dl class="switch">
+                            <dt>If the <code>"d"</code> field of <var>jwk</var> is present:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    If <var>jwk</var> does not meet the requirements of Section
+                                    6.3.2 of <a href="#jwa">JSON Web Algorithms</a>, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a> object that represents the
+                                    RSA private key identified by interpreting <var>jwk</var>
+                                    according to Section 6.3.2 of <a href="#jwa"> JSON Web
+                                    Algorithms</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                                    <var>key</var> to <code>"private"</code>
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                            <dt>Otherwise:</dt>
+                            <dd>
+                              <ol>
+                                <li>
+                                  <p>
+                                    If <var>jwk</var> does not meet the requirements of Section
+                                    6.3.1 of <a href="#jwa">JSON Web Algorithms</a>, then <a href="#concept-throw">throw</a> a <a href="#dfn-DataError"><code>DataError</code></a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Let <var>key</var> be a new <a href="#dfn-CryptoKey">CryptoKey</a> object that represents the
+                                    RSA public key identified by interpreting <var>jwk</var>
+                                    according to Section 6.3.1 of <a href="#jwa"> JSON Web
+                                    Algorithms</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                                    <var>key</var> to <code>"public"</code>
+                                  </p>
+                                </li>
+                              </ol>
+                            </dd>
+                          </dl>
+                        </li>
+                      </ol>
+                    </dd>
+                    <dt>Otherwise:</dt>
+                    <dd>
+                      <a href="#concept-throw">throw</a> a
+                      <a href="#dfn-NotSupportedError"><code>NotSupportedError</code></a>.
+                    </dd>
+                  </dl>
+                </li>
+                <li>
+                  <p>
+                    Let <var>algorithm</var> be a new
+                    <a href="#dfn-RsaHashedKeyAlgorithm">RsaHashedKeyAlgorithm</a>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-KeyAlgorithm-name">name</a> attribute of
+                    <var>algorithm</var> to <code>"RSA-OAEP"</code>
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaKeyAlgorithm-modulusLength">modulusLength</a>
+                    attribute of <var>algorithm</var> to the length, in bits, of the RSA public
+                    modulus.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaKeyAlgorithm-publicExponent">publicExponent</a>
+                    attribute of <var>algorithm</var> to the <a href="#dfn-BigInteger">BigInteger</a>
+                    representation of the RSA public exponent.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the <a href="#dfn-RsaHashedKeyAlgorithm-hash">hash</a> attribute of
+                    <var>algorithm</var> to the <a href="#dfn-RsaHashedImportParams-hash">hash</a> member of
+                    <var>normalizedAlgorithm</var>.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    Set the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]] internal slot of
+                    <var>key</var> to <var>algorithm</var>
+                  </p>
+                </li>
+                <li>
+                  <p>Return <var>key</var>.</p>
+                </li>
+              </ol>
+            </dd>
+
+            <dt>Export Key</dt>
+            <dd>
+              <ol>
+                <li>
+                  <p>
+                    Let <var>key</var> be the key to be exported.
+                  </p>
+                </li>
+                <li>
+                  <p>
+                    If the underlying cryptographic key material represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of <var>key</var>
+                    cannot be accessed, then <a href="#concept-throw">throw</a> a <a href="#dfn-OperationError"><code>OperationError</code></a>.
+                  </p>
+                </li>
+                <li>
+                  <dl class="switch">
+                    <dt>If <var>format</var> is <code>"spki"</code></dt>
+                    <dd>
+                      <ol>
+                        <li>
+                          <p>
+                            If the [[<a href="#dfn-CryptoKey-slot-type">type</a>]] internal slot of
+                            <var>key</var> is not <code>"public"</code>, then <a href="#concept-throw">throw</a> an <a href="#dfn-InvalidAccessError"><code>InvalidAccessError</code></a>.
+                          </p>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>data</var> be an instance of the <code>subjectPublicKeyInfo</code>
+                            ASN.1 structure defined in <a href="#RFC5280">RFC 5280</a>
+                            with the following properties:
+                          </p>
+                          <ul>
+                            <li>
+                              <p>
+                                Set the <var>algorithm</var> field to an
+                                <code>AlgorithmIdentifier</code> ASN.1 type with the following
+                                properties:
+                              </p>
+                              <ul>
+                                <li>
+                                  <p>
+                                    Set the <var>algorithm</var> field to the OID
+                                    <code>id-RSAES-OAEP</code> defined in
+                                    <a href="#RFC3447">RFC 3447</a>.
+                                  </p>
+                                </li>
+                                <li>
+                                  <p>
+                                    Set the <var>params</var> field to an instance of the
+                                    <code>RSAES-OAEP-params</code> ASN.1 type with the following
+                                    properties:
+                                  </p>
+                                  <ul>
+                                    <li>
+                                      <p>
+                                        Set the <var>hashAlgorithm</var> field to an instance of
+                                        the <code>HashAlgorithm</code> ASN.1 type with the
+                                        following properties:
+                                      </p>
+                                      <dl class="switch">
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-1"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha1</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-256"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha256</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-384"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha384</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>
+                                          If the <a href="#dfn-KeyAlgorithm-name">name</a>
+                                          attribute of the <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                          the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                          internal slot of <var>key</var> is <code>"SHA-512"</code>:
+                                        </dt>
+                                        <dd>
+                                          <p>
+                                            Set the <var>algorithm</var> object identifier
+                                            of <var>hashAlgorithm</var> to the
+                                            OID <code>id-sha512</code> defined in <a href="#RFC3447">RFC 3447</a>.
+                                          </p>
+                                        </dd>
+                                        <dt>Otherwise:</dt>
+                                        <dd>
+                                          <ol>
+                                            <li>
+                                              <p>
+                                                Perform any <a href="#dfn-rsa-pss-extended-export-steps">key export steps</a>
+                                                defined by <a href="#dfn-applicable-specification">other applicable
+                                                specifications</a>, passing <var>format</var> and the
+                                                <a href="#dfn-RsaHashedKeyAlgorithm">hash</a> attribute of
+                                                the [[<a href="#dfn-CryptoKey-slot-algorithm">algorithm</a>]]
+                                                internal slot of <var>key</var>
+                                                and obtaining <var>hashOid</var> and <var>hashParams</var>.
+                                              </p>
+                                            </li>
+                                            <li>
+                                              <p>
+                                                Set the <var>algorithm</var> object identifier
+                                                of <var>hashAlgorithm</var> to <var>hashOid</var>.
+                                              </p>
+                                            </li>
+                                            <li>
+                                              <p>
+                                                Set the <var>params</var> field of <var>hashAlgorithm</var>
+                                                to
+                                                <var>hashParams</var> if <var>hashParams</var> is not
+                                                undefined and omit the <var>params</var> field otherwise.
+                                              </p>
+                                            </li>
+                                          </ol>
+                                        </dd>
+                                      </dl>
+                                    </li>
+                                    <li>
+                                      <p>
+                                        Set the <var>maskGenAlgorithm</var> field to an instance
+                                        of the <code>MaskGenAlgorithm</code> ASN.1 type with the
+                                        following properties:
+                                      </p>
+                                      <ul>
+                                        <li>
+                                          <p>
+                                            Set the <var>algorithm</var> field to the OID
+                                            <code>id-mgf1</code> defined in <a href="#RFC3447">RFC
+                                            3447</a>.
+                                          </p>
+                                        </li>
+                                        <li>
+                                          <p>
+                                            Set the <var>params</var> field to an instance of the
+                                            <code>HashAlgorithm</code> ASN.1 type that is
+                                            identical to the <var>hashAlgorithm</var> field.
+                                          </p>
+                                        </li>
+                                      </ul>
+                                    </li>
+                                  </ul>
+                                </li>
+                              </ul>
+                            </li>
+                            <li>
+                              <p>
+                                Set the <var>subjectPublicKey</var> field to the result of
+                                DER-encoding an <code>RSAPublicKey</code> ASN.1 type, as defined
+                                in <a href="#RFC3447">RFC 3447</a>, Appendix A.1.1, that
+                                represents the RSA public key represented by the [[<a href="#dfn-CryptoKey-slot-handle">handle</a>]] internal slot of
+                                <var>key</var>
+                              </p>
+                            </li>
+                          </ul>
+                        </li>
+                        <li>
+                          <p>
+                            Let <var>result</var> be a new <code>ArrayBuffer</code> containing
+                            <var>data</var>.
+                          </p>
+                        </li>
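Review bot: in the RSA-OAEP `"pkcs8"` import branch, the `Otherwise:` case for an unrecognised `hashAlgorithm` OID passes `format, spki` to the extended key import steps, but the variable in scope in this branch is `privateKeyInfo` (the very next step parses its `privateKey` field as `RSAPrivateKey`), so this reads as copied from the `"spki"` branch and should be `passing format, privateKeyInfo and obtaining hash`. Two related copy-paste slips in the same region: the check that `maskGenAlgorithm.parameters` matches the hash algorithm spells it `hashAlglorithm`, and the `"spki"` export's `Otherwise:` case links its extension point to `#dfn-rsa-pss-extended-export-steps` while the corresponding import steps link to `#dfn-rsa-oaep-extended-import-steps`; the export anchor should point at the RSA-OAEP export extension point, not the RSA-PSS one, or an implementer following the link will read the wrong algorithm's extension steps. Minor: `occured` appears in both the pkcs8 and jwk import branches and should be `occurred`, and in the export switch the `hash` attribute is linked to `#dfn-RsaHashedKeyAlgorithm` rather than `#dfn-RsaHashedKeyAlgorithm-hash` as it is elsewhere in this step list.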