- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 04 May 2016 10:53:59 -0400
- To: public-credentials@w3.org
On 05/04/2016 03:35 AM, Anders Rundgren wrote: > Then there's only one thing left which I don't understand: Where is > the private key used in step #2? At present (in the polyfill), the private key is password protected in local storage on the browser and the only site that can access it is authorization.io, which hands the credential over to the relying party. Clearly, this isn't ideal for security reasons, but it's the best we can do with current browser technology. In the future, we could move the private key off to a hardware/software-based security device IF such a system existed in a way that was broadly deployed (or if Native Messaging were standardized). In the far future, the browser could manage the private key and request signatures from a HSM device / FIDO device (or whatever ends up being built into the Web Platform). -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: The Web Browser API Incubation Anti-Pattern http://manu.sporny.org/2016/browser-api-incubation-antipattern/
Received on Wednesday, 4 May 2016 14:56:40 UTC