[security-dev] input on bearer tokens and cookies

Bruno Oliveira bruno at abstractj.org
Thu Dec 13 20:07:32 EST 2012


I'm probably missing something, but I can't understand the real need here. But if you want to, I'd suggest:

- Stick with session storage instead of local storage + use a nonce for key derivation (I'm not saying that's a perfect solution)

I've been looking at this https://github.com/openpgpjs/openpgpjs/, but just for the record, we have nothing implemented, yet. They're using local storage (https://github.com/openpgpjs/openpgpjs/blob/master/src/openpgp.keyring.js#L82), but if you really want to, maybe we can fork, improve and send some patches.  

Also, I've been testing http://code.google.com/p/crypto-js/. Cryptography will be one of our goals for CR1.


--  
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Thursday, December 13, 2012 at 1:21 PM, Anil Saldhana wrote:

> Bruno,
> my head hurts now thinking about how to do PKI from JS apps, without  
> any support from browsers to store private keys securely.
>  
> Keypair can be generated easily by JS apps. The public key can be  
> registered with the server. Now the private key - how do we store it?
>  
> - We can save it in localstorage. You said that it is not safe.
> - Use a JS api (that needs to be created by the w3c wg) that lets the  
> browser stash the private key securely in a keystore.
>  
> Regards,
> Anil
>  
> On 12/13/2012 04:00 AM, Bruno Oliveira wrote:
> > They will…in 2014 :)
> >  
> >  
> > --
> > "The measure of a man is what he does with power" - Plato
> > -
> > @abstractj
> > -
> > Volenti Nihil Difficile
> >  
> >  
> >  
> > On Wednesday, December 12, 2012 at 10:00 PM, Anil Saldhana wrote:
> >  
> > > On 12/12/2012 05:54 PM, Bill Burke wrote:
> > > >  
> > > > On 12/12/2012 6:46 PM, Anil Saldhana wrote:
> > > > > On 12/12/2012 05:31 PM, Bill Burke wrote:
> > > > > > Anil.............I know WTF PKI and symmetric keys are......
> > > > >  
> > > > > Bill, the links on sym and pki were for others. Not you. :) Remember
> > > > > there are others who are reading
> > > > > the emails silently without answering. ;)
> > > >  
> > > > Fair enough, apologies. :)
> > >  
> > >  
> > > <gangnam-style/> See below.
> > > >  
> > > > > > My question was, why would a browser Javascript app need to use private
> > > > > > keys?
> > > > >  
> > > > > Maybe this use case is bogus. I am just thinking aloud.
> > > >  
> > > >  
> > > > Ya same, I'm also curious to know if this use case is bogus or not,
> > > > hence my question.
> > >  
> > > I know this question of JS and private key storage has popped up in the
> > > W3C Web Crypto WG
> > > (http://www.w3.org/2011/11/webcryptography-charter.html), of which Bruno and
> > > I are part. I am not following all the emails that flow in there.
> > > Based on this WG's recommendations, the browsers are going to add support
> > > for secure storage for PKI in the browser. Maybe this use case is not
> > > bogus but not possible to implement now due to the gap in browser support.
