W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Re: Encryption use-case. Re: Last call for Use-cases/Goals for web crypto charter

From: Andrew Sutherland <asutherland@asutherland.org>
Date: Fri, 25 Nov 2011 10:49:13 -0800
Message-ID: <4ECFE329.4050806@asutherland.org>
To: public-identity@w3.org
On 11/25/2011 09:35 AM, Anders Rundgren wrote:
> IMHO, key backup must be an intrinsic feature of a message based
> encryption system.  This is probably why message based encryption
> haven't made it in the consumer space; it is really messy.
>
> "cloud-sync" or whatever the proper terms is then becomes more or
> less required as a lighter alternative to explicit key backup.

Yes, this is important, and it is indeed messy.  Although it would 
simplify my life if the crypto API enabled this from within content, I 
would worry that it would be a foot-gun by allowing a single successful 
attack on a JS based app to leak the keys.

I believe the need for backup could be accomplished by 1) allowing 
browser synchronization mechanisms (ex: Firefox Sync) to backup the keys 
and 2) allowing browser extensions to also get at the keys (preferably 
with granular authorizations to touch the keys by origin).  This would 
allow web-based messaging applications to be secure in an introductory 
usage phase that requires no special privileges, and then subsequently 
'upgrade' to a more full-featured implementation that does.

Andrew
Received on Friday, 25 November 2011 18:49:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 November 2011 18:49:45 GMT