Bill,
if I recall, the whole idea of XKMS specification W3C started long
long ago was to offload keys to a 3rd party key server. I don't think
that spec flew.
Regards,
Anil
On 12/13/2012 02:18 PM, Bill Burke wrote:
Why not just have the server store it and embed it within a script
dynamically when there's code-on-demand?
On 12/13/2012 10:21 AM, Anil Saldhana wrote:
> Bruno,
> my head hurts now thinking about how to do PKI from JS apps, without
> any support from browsers to store private keys securely.
>
> Keypair can be generated easily by JS apps. The public key can be
> registered with the server. Now the private key - how do we store it?
>
> - We can save it in localstorage. You said that it is not safe.
> - Use a JS api (that needs to be created by the w3c wg) that can stash
> the private key securely by the browser in a keystore.
>
> Regards,
> Anil
>
> On 12/13/2012 04:00 AM, Bruno Oliveira wrote:
>> They will…in 2014 :)
>>
>>
>> --
>> "The measure of a man is what he does with power" - Plato
>> -
>> @abstractj
>> -
>> Volenti Nihil Difficile
>>
>>
>>
>> On Wednesday, December 12, 2012 at 10:00 PM, Anil Saldhana wrote:
>>
>>> On 12/12/2012 05:54 PM, Bill Burke wrote:
>>>> On 12/12/2012 6:46 PM, Anil Saldhana wrote:
>>>>> On 12/12/2012 05:31 PM, Bill Burke wrote:
>>>>>> Anil.............I know WTF PKI and symmetric keys are......
>>>>>
>>>>> Bill, the links on sym and pki were for others. Not you. :) Remember
>>>>> there are others who are reading
>>>>> the emails silently without answering. ;)
>>>>
>>>> Fair enough, apologies. :)
>>> <gangnam-style/> See below.
>>>>>> My question was, why would a browser Javascript app need to use
>>>>>> private keys?
>>>>>
>>>>> Maybe this use case is bogus. I am just thinking aloud.
>>>> Ya same, I'm also curious to know if this use case is bogus or not,
>>>> hence my question.
>>>
>>> I know this question of JS and Private Key storage has popped up in this
>>> W3C Web Crypto WG
>>> (http://www.w3.org/2011/11/webcryptography-charter.html) where Bruno and
>>> I are part of. I am not following all the emails that flow in there.
>>> Based on this WG's recommendations, the browsers are going to add support
>>> for secure storage for PKI in the browser. Maybe this use case is not
>>> bogus but not possible to implement now due to the gap in browser support.
>>>