- From: Robin Berjon <robin@w3.org>
- Date: Mon, 15 Apr 2013 12:11:50 +0200
- To: Dominique Hazael-Massieux <dom@w3.org>
- CC: public-closingthegap@w3.org
On 15/04/2013 11:41 , Dominique Hazael-Massieux wrote:

> * it's impossible to store local data safely (e.g. with encryption and
> key management) — I assume this is something the Web Crypto API is
> addressing, but I'm not sure if it addresses all of it, or just some
> piece of an otherwise incomplete puzzle

I don't know if Web Crypto is handling enough of this. I believe that what people are referring to here is some form of secure storage that cannot easily be tampered with (I'm unsure through which attack vectors though).

Part of that problem (though not all of it I think) is the fact that multiple users of the same site on the same browser have their data stored locally in a store they can all access. This sort of thing should be keyed off a notion of identity understood by the browser.

> * native apps can more easily avoid to ask you to login, and thus create
> less risks with regard to password storage / re-use

I don't think that's entirely true since if a native app does not give you some form of credentials you can reuse, then your content is locked on the device. You can have the same dynamics in a browser. But again, a notion of identity could go a long way in alleviating the problems here.

--
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Monday, 15 April 2013 10:11:57 UTC