668
edits
BrowserID Key Wrapping: Difference between revisions
Jump to navigation
Jump to search
→Wrapping
| Line 56: | Line 56: | ||
=== Wrapping === | === Wrapping === | ||
Once a user key is established within BrowserID for a given email address, a site can generate a key SK, then ask BrowserID to wrap it. BrowserID will do so using UK, | Once a user key is established within BrowserID for a given email address, a site can generate a key SK, then ask BrowserID to wrap it. BrowserID will do so using UK, and will tag this wrapped key with the origin that requested the wrapping. This tagging is meant to ensure that unwrapping is done only by the domain that requested the wrapping in the first place. | ||
[[Image:browserid-keywrapping.png]] | [[Image:browserid-keywrapping.png]] | ||
| Line 63: | Line 63: | ||
[[Image:browserid-keyunwrapping.png]] | [[Image:browserid-keyunwrapping.png]] | ||
==== What this Means for the Service ==== | |||
BrowserID is providing key wrapping and unwrapping, but as far as the service is concerned, BrowserID does not provide key storage. The service is expected to wrap any cryptographic material it needs in the client, using the BrowserID wrapping API, and then store the wrapped data (usually just a single key) on its own servers. For example, in the case of Firefox Sync, the user's sync key gets wrapped by BrowserID, and this wrapped key is then stored on the Sync servers themselves. | |||
== Security Considerations == | == Security Considerations == | ||