[whatwg] whatwg Digest, Vol 72, Issue 63

Nicholas,

Looks interesting. Quite similar to an API I was working on recently (a
non-web API in my case). 

A question though:

    "... the callback must be called asynchronously ..."

Why? Do you anticipate that openSecureStorage may take so long to execute
that we want to avoid blocking the UI thread? Can't we have a callback
that is invoked synchronously?

> -----Original Message-----
> From: whatwg-bounces at lists.whatwg.org 
> [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of 
> whatwg-request at lists.whatwg.org
> Sent: Wednesday, 31 March 2010 8:07 a.m.
> To: whatwg at lists.whatwg.org
> Subject: whatwg Digest, Vol 72, Issue 63
> 
> Send whatwg mailing list submissions to
> 	whatwg at lists.whatwg.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org
> or, via email, send a message with subject or body 'help' to
> 	whatwg-request at lists.whatwg.org
> 
> You can reach the person managing the list at
> 	whatwg-owner at lists.whatwg.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of whatwg digest..."
> 
> 
> Today's Topics:
> 
>    1. Proposal for secure key-value data stores (Nicholas Zakas)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 30 Mar 2010 11:55:12 -0700
> From: "Nicholas Zakas" <nzakas at yahoo-inc.com>
> To: <whatwg at lists.whatwg.org>
> Subject: [whatwg] Proposal for secure key-value data stores
> Message-ID:
> 	
> <4E45EC6AD219FD47AD1BC06E4EE3845D04A42C31 at SNV-EXVS09.ds.corp.y
ahoo.com>
> 	
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi everyone,
> 
>  
> 
> In attempting to use localStorage at work, we ran into some major
> security issues. Primary among those are the guidelines we 
> have in place
> regarding personalized user data. The short story is that personalized
> data cannot be stored on disk unless it's encrypted using a
> company-validated encryption mechanism and key. So if we 
> actually wanted
> to use localStorage, we'd be forced to encrypt each value as it was
> being written and then decrypt each value being read. Because of this
> tediousness, we opted not to use it. 
> 
>  
> 
> Another major issue also relates to the persistence of the data in
> localStorage. Whereas cookies allow you to specify a time at which the
> data will be removed, localStorage is there more or less forever.
> 
>  
> 
> It seems like any company that takes the security of its data 
> seriously
> would run into the same issues, and rather than forcing every 
> company to
> implement their own version of the same approach, a common native
> approach would be incredibly useful.
> 
>  
> 
> With these problems in mind, and talking with a few other interested
> parties, I came up with a draft proposal for a client-side 
> data storage
> mechanism that automatically handles encryption, decryption, and data
> expiration. I'd love to hear what people think:
> 
>  
> 
> http://www.nczonline.net/blog/securestore-proposal/
> 
>  
> 
>  
> 
> -Nicholas
> 
>  
> 
> ______________________________________________
> 
> Commander Lock: "Damnit Morpheus, not everyone believes what you
> believe!"
> 
> Morpheus: "My beliefs do not require them to."
> 
>  
> 
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachmen
ts/20100330/161836e3/attachment.html>
> 
> ------------------------------
> 
> _______________________________________________
> whatwg mailing list
> whatwg at lists.whatwg.org
> http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org
> 
> 
> End of whatwg Digest, Vol 72, Issue 63
> **************************************
> 

Received on Tuesday, 30 March 2010 13:20:01 UTC