- From: <bugzilla@jessica.w3.org>
- Date: Mon, 19 May 2014 17:36:04 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25799

--- Comment #2 from Ryan Sleevi <sleevi@google.com> ---
(In reply to elijah from comment #1)
> On second thought, a tracker could simply import a key and then encrypt a
> challenge or generate a signing key and then sign a challenge. I suppose the
> only thing that can mitigate against keys as supercookies would be to
> require the user's consent before any key is saved in long term storage.

As mentioned on the mailing list, the concerns about Supercookies come from an
earlier version of the draft that incorporated both key storage as well as
inter-origin key sharing.

As the WebCrypto API does not provide for any key storage, nor does it allow
for inter-origin sharing, these concerns about supercookies (and
extractability, which is entirely separate) are no longer relevant for the
current API.

These are only concerns when incorporating things like Key Discovery, which is
a separate spec that is not part of the core Web Crypto API, and for which
those security considerations should apply there.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Monday, 19 May 2014 17:36:05 UTC