[whatwg] Proposal for secure key-value data stores

[Dirk Pranke]

On Tue, Mar 30, 2010 at 2:06 PM, Nicholas Zakas <nzakas at yahoo-inc.com> wrote:
> Yes, that's precisely what I'm talking about. It seems to me that this will end up being a pretty common pattern (encrypting/decrypting data stored locally).
>
> The idea behind letting the key to be defined by the developer is to allow any usage that developers deem appropriate for the situation. For example, one might want to only use a server-generated key to access the data, in which case this data won't be available offline but will be used to supplement the online behavior. Another might determine the key based on some information in a cookie, which is less secure but does allow offline access while also ensuring that if the cookie changes or is deleted, the data remains secure.
>
> The idea behind the expiration date is to allow developers to be sure the data won't stay around on disk indefinitely. Think about the Internet café use case where people are repeatedly logging in and out - we don't want everyone's data living on that computer for however many years it's in use.
>
> One way or another, I think JavaScript crypto is going to be important in the next few years.

Perhaps we should instead focus on a set of JS Crypto APIs, since that
is largely orthogonal to the storage APIs?

-- Dirk