Services/Sync/KeyRecovery: Difference between revisions

Jump to navigation Jump to search

Services/Sync/KeyRecovery (view source)

Revision as of 23:38, 22 September 2011

158 bytes added ,  22 September 2011
→‎User-Generated Tokens
Line 151: Line 151:


E.g. take a hash of the user's password as the "user auth key" and upload that along with the recovery data.  When going to retrieve the data, the client generates its own auth token and signs it with the previously-uploaded key.
E.g. take a hash of the user's password as the "user auth key" and upload that along with the recovery data.  When going to retrieve the data, the client generates its own auth token and signs it with the previously-uploaded key.
(This is quite similar to https://bugzilla.mozilla.org/show_bug.cgi?id=638905 except the "proof of identity" is derived from the password, not the sync key)


The advantage is that this simplifies the workflow for the client, and removes one component which could provide an additional attack surface.
The advantage is that this simplifies the workflow for the client, and removes one component which could provide an additional attack surface.
Rfkelly
Confirmed users
358

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/350618"

Navigation menu