[security-dev] input on bearer tokens and cookies

Anil Saldhana Anil.Saldhana at redhat.com
Thu Dec 13 10:21:38 EST 2012


Bruno,
   my head hurts now thinking about how to do PKI from JS apps, without 
any support from browsers to store private keys securely.

Keypair can be generated easily by JS apps.  The public key can be 
registered with the server.  Now the private key - how do we store it?

- We can save it in localstorage.  You said that it is not safe.
- Use a JS API (that needs to be created by the W3C WG) that can stash 
the private key securely by the browser in a keystore.

Regards,
Anil

On 12/13/2012 04:00 AM, Bruno Oliveira wrote:
> They will…in 2014 :)
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
>
> On Wednesday, December 12, 2012 at 10:00 PM, Anil Saldhana wrote:
>
>> On 12/12/2012 05:54 PM, Bill Burke wrote:
>>>   
>>> On 12/12/2012 6:46 PM, Anil Saldhana wrote:
>>>> On 12/12/2012 05:31 PM, Bill Burke wrote:
>>>>> Anil.............I know WTF PKI and symmetric keys are......
>>>>   
>>>>   
>>>> Bill, the links on sym and pki were for others. Not you. :) Remember
>>>> there are others who are reading
>>>> the emails silently without answering. ;)
>>>   
>>>   
>>> Fair enough, apologies. :)
>>   
>> <gangnam-style/> See below.
>>>   
>>>>> My question was, why would a browser Javascript app need to use private
>>>>> keys?
>>>>   
>>>>   
>>>> Maybe this use case is bogus. I am just thinking aloud.
>>>   
>>> Ya same, I'm also curious to know if this use case is bogus or not,
>>> hence my question.
>>   
>>   
>> I know this question of JS and Private Key storage has popped up in this
>> W3C Web Crypto WG
>> (http://www.w3.org/2011/11/webcryptography-charter.html) of which Bruno and
>> I are part. I am not following all the emails that flow in there.
>> Based on this WG's recommendations, the browsers are going to add support
>> for secure storage for PKI in the browser. Maybe this use case is not
>> bogus but not possible to implement now due to the gap in browser support.
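
Added example, not part of the original thread or any poster's code: the key storage question raised above, shown with the W3C Web Crypto API, where the private key is generated as non-extractable so script can use it to sign but cannot read its bytes the way it could read a key kept in localStorage. Function names and the challenge string are constructed for illustration.

```javascript
// Browsers expose Web Crypto as globalThis.crypto; older Node.js needs the module fallback.
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require('node:crypto').webcrypto.subtle;
const EC = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// Client: generate a signing key pair whose private half is non-extractable.
async function generateClientKeyPair() {
  // extractable=false applies to the private key; the public key stays exportable.
  return subtle.generateKey(EC, false, ['sign', 'verify']);
}

// Client: try to read the private key material, as a script dumping
// localStorage could read a stored PEM or JWK. Every format should be refused.
async function privateKeyIsExportable(privateKey) {
  for (const format of ['pkcs8', 'jwk']) {
    try {
      await subtle.exportKey(format, privateKey);
      return true; // key bytes were handed to script
    } catch (err) {
      // Rejected because the key is not extractable; try the next format.
    }
  }
  return false;
}

// Server: verify a signed challenge using only the registered public key (SPKI bytes).
async function serverVerify(spkiBytes, challenge, signature) {
  const publicKey = await subtle.importKey('spki', spkiBytes, EC, false, ['verify']);
  return subtle.verify(SIG, publicKey, signature, challenge);
}

async function demo() {
  const { publicKey, privateKey } = await generateClientKeyPair();
  const registered = await subtle.exportKey('spki', publicKey); // sent to the server once
  const challenge = new TextEncoder().encode('constructed-server-challenge');
  const tampered = new TextEncoder().encode('constructed-server-challenge-x');
  const signature = await subtle.sign(SIG, privateKey, challenge);
  return {
    privateExportable: await privateKeyIsExportable(privateKey),
    validAccepted: await serverVerify(registered, challenge, signature),
    tamperedAccepted: await serverVerify(registered, tampered, signature),
  };
}

demo().then((result) => console.log(result));
```

In a browser the `CryptoKey` objects can be persisted in IndexedDB through structured clone, so the private key survives reloads without its bytes being readable by script. Script running in the page's origin can still ask the key to sign, so this limits key theft, not key use.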

