[Bug 25799] supercookies

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25799

--- Comment #2 from Ryan Sleevi <sleevi@google.com> ---
(In reply to elijah from comment #1)
> On second thought, a tracker could simply import a key and then encrypt a
> challenge or generate a signing key and then sign a challenge. I suppose the
> only thing that can mitigate against keys as supercookies would be to
> require the user's consent before any key is saved in long term storage.

As mentioned on the mailing list, the concerns about supercookies come from an
earlier version of the draft that incorporated both key storage as well as
inter-origin key sharing.

As the WebCrypto API does not provide for any key storage, nor does it allow
for inter-origin sharing, these concerns about supercookies (and
extractability, which is entirely separate) are no longer relevant for the
current API.

These are only concerns when incorporating things like Key Discovery, which is
a separate spec that is not part of the core Web Crypto API, and those
security considerations should apply there.


Received on Monday, 19 May 2014 17:36:05 UTC