[whatwg] Proposal for secure key-value data stores
nzakas at yahoo-inc.com
Tue Mar 30 11:55:12 PDT 2010
In attempting to use localStorage at work, we ran into some major
security issues. Primary among those are the guidelines we have in place
regarding personalized user data. The short story is that personalized
data cannot be stored on disk unless it's encrypted using a
company-validated encryption mechanism and key. So if we actually wanted
to use localStorage, we'd be forced to encrypt each value as it was
being written and then decrypt each value being read. Because of this
tediousness, we opted not to use it.
Another major issue also relates to the persistence of the data in
localStorage. Whereas cookies allow you to specify a time at which the
data will be removed, localStorage is there more or less forever.
It seems like any company that takes the security of its data seriously
would run into the same issues, and rather than forcing every company to
implement their own version of the same approach, a common native
approach would be incredibly useful.
With these problems in mind, and talking with a few other interested
parties, I came up with a draft proposal for a client-side data storage
mechanism that automatically handles encryption, decryption, and data
expiration. I'd love to hear what people think:
Commander Lock: "Damnit Morpheus, not everyone believes what you
Morpheus: "My beliefs do not require them to."
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the whatwg