[security-dev] input on bearer tokens and cookies

Anil Saldhana Anil.Saldhana at redhat.com
Thu Dec 13 15:25:32 EST 2012


Bill,
   if I recall, the whole idea of the XKMS specification the W3C started long,
long ago was to offload keys to a 3rd-party key server. I don't think
that spec flew.

Regards,
Anil

On 12/13/2012 02:18 PM, Bill Burke wrote:
> Why not just have the server store it and embed it within a script
> dynamically when there's code-on-demand?
>
> On 12/13/2012 10:21 AM, Anil Saldhana wrote:
>> Bruno,
>>      my head hurts now thinking about how to do PKI from JS apps, without
>> any support from browsers to store private keys securely.
>>
>> A keypair can be generated easily by JS apps. The public key can be
>> registered with the server. Now the private key: how do we store it?
>>
>> - We can save it in localStorage. You said that it is not safe.
>> - Use a JS API (that needs to be created by the W3C WG) that can stash
>> the private key securely in a browser keystore.
>>
>> Regards,
>> Anil
>>
>> On 12/13/2012 04:00 AM, Bruno Oliveira wrote:
>>> They will…in 2014 :)
>>>
>>>
>>> --
>>> "The measure of a man is what he does with power" - Plato
>>> -
>>> @abstractj
>>> -
>>> Volenti Nihil Difficile
>>>
>>>
>>>
>>> On Wednesday, December 12, 2012 at 10:00 PM, Anil Saldhana wrote:
>>>
>>>> On 12/12/2012 05:54 PM, Bill Burke wrote:
>>>>> On 12/12/2012 6:46 PM, Anil Saldhana wrote:
>>>>>> On 12/12/2012 05:31 PM, Bill Burke wrote:
>>>>>>> Anil.............I know WTF PKI and symmetric keys are......
>>>>>>
>>>>>> Bill, the links on sym and pki were for others. Not you. :) Remember
>>>>>> there are others who are reading
>>>>>> the emails silently without answering. ;)
>>>>>
>>>>> Fair enough, apologies. :)
>>>> <gangnam-style/> See below.
>>>>>>> My question was, why would a browser Javascript app need to use private
>>>>>>> keys?
>>>>>>
>>>>>> Maybe this use case is bogus. I am just thinking aloud.
>>>>> Ya same, I'm also curious to know if this use case is bogus or not,
>>>>> hence my question.
>>>>
>>>> I know this question of JS and private key storage has popped up in the
>>>> W3C Web Crypto WG
>>>> (http://www.w3.org/2011/11/webcryptography-charter.html), of which Bruno
>>>> and I are part. I am not following all the emails that flow in there.
>>>> Based on this WG's recommendations, the browsers are going to add support
>>>> for secure storage for PKI in the browser. Maybe this use case is not
>>>> bogus, but it is not possible to implement now due to the gap in browser support.
>>>>