Re: ECC vs RSA, and Similar Conflicts from Jarred Nicholls on 2012-05-10 (public-webcrypto@w3.org from May 2012)

From: Jarred Nicholls <jarred@webkit.org>
Date: Thu, 10 May 2012 10:56:34 -0400
To: Eric Rescorla <ekr@rtfm.com>
Cc: David Dahl <ddahl@mozilla.com>, "Richard L. Barnes" <rbarnes@bbn.com>, Nadim <nadim@nadim.cc>, public-webcrypto@w3.org, Cullen Jennings <fluffy@cisco.com>
Message-ID: <CANufG2MECy09WiiYpJn=YzJRKORNN_bNSErMB9Ti=WnGWpCtHg@mail.gmail.com>

On Thu, May 10, 2012 at 10:44 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> On Thu, May 10, 2012 at 7:30 AM, David Dahl <ddahl@mozilla.com> wrote:
> > One of the reasons for establishing this WG is to try and provide a more
> secure way of using crypto on the web. Keeping the private keys private is
> at the top of this list. We can establish a spec that only ever references
> private key IDs, making this much more secure than existing JS crypto
> libraries that have access to private key material.
>
> It's not clear to me that this is "much more secure". What's the
> threat model under which
> that is the case?
>
> -Ekr
>
>
Where the private key is directly accessible by script loaded from
same-origin?

Compromised server injects hostile script into a page response, grabs the
private key, posts it to a foreign server, and now the private key has been
stolen and used to decrypt any data between the server and its clients
out-of-band.

Jarred

Received on Thursday, 10 May 2012 14:57:31 UTC