Re: Encrypted Private Key

On 2016-08-16 14:09, Peter Bielak, Executive Manager wrote:
> Anders, thank you for your help.
>
> I need to generate the private key on the client side so that the provider cannot see this key.

Hi Peter,

This is the core problem with this design: the code that generates the key, decrypts the key etc. is supplied by the provider.
IMHO, you either trust a service provider or you do not; this is something in between.

This issue is probably also a reason why WebCrypto maybe hasn't been the smash hit once anticipated.

If you still consider this solution, I would recommend taking a peek at
https://pkijs.org/
and checking whether they haven't already implemented something along the lines you request.

Anders


> That is why I need WebCrypto. I know that I could generate keys on the server using OpenSSL etc., and the key needs to be stored in a database so the only thing the user has to care about is his password. It also needs to be in PKCS#8 PEM format so this key can be used for encryption in Swift on iDevices and in the browser.
>
> One person from StackOverflow figured it out, here's my question: http://stackoverflow.com/questions/38413391/generate-rsa-key-pair-using-webcrypto-api-and-protect-it-with-passphrase
>
> But when using the forge JS library it somehow breaks the key and it cannot be imported as a CryptoKey - DOMException error - nothing more.
> I did this:
> my other question: http://stackoverflow.com/questions/38677742/cryptokey-arraybuffer-to-base64-and-back
> CryptoKey to base64 and back works, but when encrypted using forge and imported back - DOMException
>
> Thanks again
>
>
> ---- On Tue, 16 Aug 2016 13:45:32 +0200 *Anders Rundgren <anders.rundgren.net@gmail.com>* wrote ----
>
>
>     On Aug 16, 2016 12:50, "Peter Bielak, Executive Manager" <peter@safebash.com> wrote:
>     >
>     > I think the question should have been:
>     > How do I generate passphrase protected encrypted private key - pkcs#8 using WebCrypto API?
>     >
>
>
>     It is surely doable but since protected keys are already a part of WebCrypto there is no direct support for your use-case.
>
>     I have a feeling you are on the wrong track..
>
>     anders
>
>

Received on Tuesday, 16 August 2016 14:11:06 UTC
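
An added example, not part of the original thread or written by either participant: one way to generate an RSA key pair with WebCrypto and protect the private key with a passphrase, using PBKDF2 to derive an AES-GCM key that wraps the PKCS#8 export. The function names, iteration count and sample message are assumptions, and the wrapped blob is not a standard PKCS#8 EncryptedPrivateKeyInfo PEM, since WebCrypto has no encoder for that structure.

```javascript
// Browsers and Node 20+ expose globalThis.crypto; the require() fallback is for older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const { subtle } = webcrypto;
const PBKDF2_ITERATIONS = 100000; // assumed work factor, tune for the target clients

// Passphrase + salt -> non-extractable AES-256-GCM key usable only for wrap/unwrap.
async function deriveWrappingKey(passphrase, salt) {
  const base = await subtle.importKey("raw", new TextEncoder().encode(passphrase),
    "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
    base, { name: "AES-GCM", length: 256 }, false, ["wrapKey", "unwrapKey"]);
}

// Generates the pair locally; only the returned object would be stored server-side.
async function generateProtectedKey(passphrase) {
  const pair = await subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["encrypt", "decrypt"]); // extractable, otherwise wrapKey refuses the key
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const wrapped = await subtle.wrapKey("pkcs8", pair.privateKey,
    await deriveWrappingKey(passphrase, salt), { name: "AES-GCM", iv });
  return { publicKey: pair.publicKey, salt, iv, wrapped: new Uint8Array(wrapped) };
}

// Re-imports the private key as non-extractable and decrypt-only.
async function unlockPrivateKey(passphrase, { salt, iv, wrapped }) {
  return subtle.unwrapKey("pkcs8", wrapped, await deriveWrappingKey(passphrase, salt),
    { name: "AES-GCM", iv }, { name: "RSA-OAEP", hash: "SHA-256" }, false, ["decrypt"]);
}

// Round trip: returns the decrypted text, or null when the passphrase is wrong.
async function roundTrip(setPassphrase, tryPassphrase) {
  const stored = await generateProtectedKey(setPassphrase);
  const ct = await subtle.encrypt({ name: "RSA-OAEP" }, stored.publicKey,
    new TextEncoder().encode("constructed sample message"));
  try {
    const priv = await unlockPrivateKey(tryPassphrase, stored);
    return new TextDecoder().decode(await subtle.decrypt({ name: "RSA-OAEP" }, priv, ct));
  } catch (e) {
    return null; // AES-GCM tag check failed: wrong passphrase or modified blob
  }
}
```

Because AES-GCM is authenticated, a wrong passphrase or a modified blob makes `unwrapKey` reject instead of returning a corrupted key.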