[security-dev] input on bearer tokens and cookies

Bill Burke bburke at redhat.com
Thu Dec 13 15:18:17 EST 2012


Why not just have the server store it and embed it within a script 
dynamically when there's code-on-demand?

On 12/13/2012 10:21 AM, Anil Saldhana wrote:
> Bruno,
>     my head hurts now thinking about how to do PKI from JS apps, without
> any support from browsers to store private keys securely.
>
> Keypair can be generated easily by JS apps.  The public key can be
> registered with the server.  Now the private key - how do we store it?
>
> - We can save it in localstorage.  You said that it is not safe.
> - Use a JS api (that needs to be created by the w3c wg)  that can stash
> the private key securely by the browser in a keystore.
>
> Regards,
> Anil
>
> On 12/13/2012 04:00 AM, Bruno Oliveira wrote:
>> They will…in 2014 :)
>>
>>
>> --
>> "The measure of a man is what he does with power" - Plato
>> -
>> @abstractj
>> -
>> Volenti Nihil Difficile
>>
>>
>>
>> On Wednesday, December 12, 2012 at 10:00 PM, Anil Saldhana wrote:
>>
>>> On 12/12/2012 05:54 PM, Bill Burke wrote:
>>>>
>>>> On 12/12/2012 6:46 PM, Anil Saldhana wrote:
>>>>> On 12/12/2012 05:31 PM, Bill Burke wrote:
>>>>>> Anil.............I know WTF PKI and symmetric keys are......
>>>>>
>>>>>
>>>>> Bill, the links on sym and pki were for others. Not you. :) Remember
>>>>> there are others who are reading
>>>>> the emails silently without answering. ;)
>>>>
>>>>
>>>> Fair enough, apologies. :)
>>>
>>> <gangnam-style/> See below.
>>>>
>>>>>> My question was, why would a browser Javascript app need to use private
>>>>>> keys?
>>>>>
>>>>>
>>>>> Maybe this use case is bogus. I am just thinking aloud.
>>>>
>>>> Ya same, I'm also curious to know if this use case is bogus or not,
>>>> hence my question.
>>>
>>>
>>> I know this question of JS and Private Key storage has popped up in this
>>> W3C Web Crypto WG
>>> (http://www.w3.org/2011/11/webcryptography-charter.html) where Bruno and
>>> I are part of. I am not following all the emails that flow in there.
>>> Based on this WG's recommendations, the browsers are going to add support
>>> for secure storage for PKI in the browser. Maybe this use case is not
>>> bogus but not possible to implement now due to the gap in browser support.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

