W3C home > Mailing lists > Public > public-credentials@w3.org > May 2016

Re: Proof of Possession -How?

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 04 May 2016 10:53:59 -0400
Message-ID: <572A0D07.1070106@digitalbazaar.com>
To: public-credentials@w3.org
On 05/04/2016 03:35 AM, Anders Rundgren wrote:
> Then there's only one thing left which I don't understand: Where is 
> the private key used in step #2?

At present (in the polyfill), the private key is password protected in
local storage on the browser and the only site that can access it is
authorization.io, which hands the credential over to the relying party.
Clearly, this isn't ideal for security reasons, but it's the best we can
do with current browser technology.

In the future, we could move the private key off to a
hardware/software-based security device IF such a system existed in a
way that was broadly deployed (or if Native Messaging were standardized).

In the far future, the browser could manage the private key and request
signatures from a HSM device / FIDO device (or whatever ends up being
built into the Web Platform).

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Web Browser API Incubation Anti-Pattern
http://manu.sporny.org/2016/browser-api-incubation-antipattern/
Received on Wednesday, 4 May 2016 14:56:40 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:28 UTC