W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2010

[whatwg] Proposal for secure key-value data stores

From: Nicholas Zakas <nzakas@yahoo-inc.com>
Date: Tue, 30 Mar 2010 11:55:12 -0700
Message-ID: <4E45EC6AD219FD47AD1BC06E4EE3845D04A42C31@SNV-EXVS09.ds.corp.yahoo.com>
Hi everyone,


In attempting to use localStorage at work, we ran into some major
security issues. Primary among those are the guidelines we have in place
regarding personalized user data. The short story is that personalized
data cannot be stored on disk unless it's encrypted using a
company-validated encryption mechanism and key. So if we actually wanted
to use localStorage, we'd be forced to encrypt each value as it was
being written and then decrypt each value being read. Because of this
tediousness, we opted not to use it. 


Another major issue also relates to the persistence of the data in
localStorage. Whereas cookies allow you to specify a time at which the
data will be removed, localStorage is there more or less forever.


It seems like any company that takes the security of its data seriously
would run into the same issues, and rather than forcing every company to
implement their own version of the same approach, a common native
approach would be incredibly useful.


With these problems in mind, and talking with a few other interested
parties, I came up with a draft proposal for a client-side data storage
mechanism that automatically handles encryption, decryption, and data
expiration. I'd love to hear what people think:








Commander Lock: "Damnit Morpheus, not everyone believes what you

Morpheus: "My beliefs do not require them to."


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100330/161836e3/attachment.htm>
Received on Tuesday, 30 March 2010 11:55:12 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:22 UTC