<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Bruno - I have been thinking of the
possible ways by which Private Keys are stored securely by the
JavaScript applications for use in JSON Encryption (for example).<br>
<br>
Do you know how JS libraries such as DOMCrypt and Crypto.jsĀ deal
with storage of private keys?<br>
<br>
On 12/12/2012 08:30 AM, Bruno Oliveira wrote:<br>
</div>
<blockquote
cite="mid:D8C608923B214D309FD068C1939B867C@abstractj.org"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-unicode">
<pre wrap="">Sorry Anil, but on HTML5 local storage is not an option, because can be easily hacked. Maybe session storage, but on AeroGear we don't have plans to store sensitive date on local storage.
I'd rather to go with Bill's approach.
<div class="moz-txt-sig">--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, December 11, 2012 at 5:33 PM, Anil Saldhana wrote:
</div></pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> </span>The cookies may be the easiest for you. An option with HTML5 is
<span class="moz-txt-citetags">> </span>the localstorage. In this case, the JS calls from the browser have
<span class="moz-txt-citetags">> </span>to save/restore the token that identifies session token/bearer token
<span class="moz-txt-citetags">> </span>and send it as part of the call.
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>On 12/11/2012 11:16 AM, Bill Burke wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> > </span>I'm looking for some input.
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>For the OAuth SSO protocol I'm working on, I'm thinking of storing the
<span class="moz-txt-citetags">> > </span>bearer token within a "secure" cookie and verifying the bearer token
<span class="moz-txt-citetags">> > </span>each HTTP request (for browser-based apps only). The upside to this is
<span class="moz-txt-citetags">> > </span>that you can establish a stateless SSO between a set of load-balanced
<span class="moz-txt-citetags">> > </span>servers. Downside is it takes about 1-2ms on my box to both parse and
<span class="moz-txt-citetags">> > </span>verify the cookie. TO much overhead? Should I store the unmarshaled
<span class="moz-txt-citetags">> > </span>token in the HTTP session instead?
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>Any other thoughts on bearer tokens stored in cookies?
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>Thanks
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>Bill
</pre>
</blockquote>
<pre wrap=""><span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>_______________________________________________
<span class="moz-txt-citetags">> </span>security-dev mailing list
<span class="moz-txt-citetags">> </span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>)
<span class="moz-txt-citetags">> </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</div>
</blockquote>
<br>
</body>
</html>