- From: Peter Beverloo <notifications@github.com>
- Date: Tue, 25 Aug 2015 07:01:09 -0700
- To: w3c/push-api <push-api@noreply.github.com>
Received on Tuesday, 25 August 2015 14:01:37 UTC
> If we are exporting keys, we need to ensure that we have a constant time string conversion for ArrayBuffer. Excuse my naitivity, but why does this matter? The client-side already has access to the raw key using `getKey`, and given that the key is bound to the origin that shouldn't be timing sensitive. The server-side can thus receive the key in either format. Since we rely on the client-server connection being secure for transporting the key (HTTPS), does the timing sensitivity occur if the server were to store the key in, say, base64? If the concern is that the client-server connection could be intercepted, then this problem could be attributed to the public key having to stay private more than timing sensitivity of serialization, right? --- Reply to this email directly or view it on GitHub: https://github.com/w3c/push-api/pull/130#issuecomment-134595088
Received on Tuesday, 25 August 2015 14:01:37 UTC