Re: Proof of Possession -How?

On 05/04/2016 03:35 AM, Anders Rundgren wrote:
> Then there's only one thing left which I don't understand: Where is 
> the private key used in step #2?

At present (in the polyfill), the private key is password protected in
local storage on the browser and the only site that can access it is, which hands the credential over to the relying party.
Clearly, this isn't ideal for security reasons, but it's the best we can
do with current browser technology.

In the future, we could move the private key off to a
hardware/software-based security device IF such a system existed in a
way that was broadly deployed (or if Native Messaging were standardized).

In the far future, the browser could manage the private key and request
signatures from a HSM device / FIDO device (or whatever ends up being
built into the Web Platform).

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Web Browser API Incubation Anti-Pattern

Received on Wednesday, 4 May 2016 14:56:40 UTC