On Nov 13, 2013, at 5:24 AM, Learmonth, Iain Ross <[email protected]> wrote:
> I'm talking about storing TLS client certificates encrypted in the cloud and
> synchronising them across browsers, decrypting them client side with a
> symmetric key generated from a password.

Why use cloud sync and shared keys? Why not have a different cert on each browser, signed by my master key, and then certify the master key? Granted this leaves open a pretty big hole if the master key is compromised, and we don't really care this much about most of our web logins, but storing the client key in the cloud seems chancy, particularly if it's protected by a password. Of course, storing the master key on a virus-infected PC is no better, but if your PC is infected with a virus, your cloud-stored cert will be revealed anyway. A custom rPI that serves as your key master and never does anything else would be a good, cheap option.
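
The layout proposed in this message, sketched with the OpenSSL command line as an added example that is not part of the original post: each browser generates its own key, and only its CSR goes to the machine holding the master key. The CNs, file names and lifetimes are constructed, and both machines are simulated in one temporary directory.

```shell
#!/bin/sh
# Added illustration; CNs, file names and lifetimes are constructed.
PKI_DIR=$(mktemp -d)

write_config() {
    cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_master
[dn]
CN = Example Master Key
[v3_master]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_browser]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null
}

# Run once on the dedicated key-master machine; master.key stays there.
make_master() {
    write_config && new_key "$PKI_DIR/master.key" &&
    openssl req -x509 -new -key "$PKI_DIR/master.key" -config "$PKI_DIR/pki.cnf" \
        -days 365 -out "$PKI_DIR/master.crt"
}

# $1 = browser name. Key and CSR are made on the browser's device;
# only the CSR travels to the key master, which signs it.
issue_browser_cert() {
    b="$PKI_DIR/$1"
    new_key "$b.key" &&
    openssl req -new -key "$b.key" -config "$PKI_DIR/pki.cnf" -subj "/CN=$1" -out "$b.csr" &&
    openssl x509 -req -in "$b.csr" -CA "$PKI_DIR/master.crt" -CAkey "$PKI_DIR/master.key" \
        -CAcreateserial -days 90 -extfile "$PKI_DIR/pki.cnf" -extensions v3_browser \
        -out "$b.crt" 2>/dev/null
}

# What a relying server does: check the chain up to the certified master.
verify_browser_cert() {
    openssl verify -purpose sslclient -CAfile "$PKI_DIR/master.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

pubkey_of() { openssl x509 -in "$PKI_DIR/$1.crt" -noout -pubkey; }

make_master && issue_browser_cert laptop-firefox && issue_browser_cert phone-chrome
```

Because each browser has its own key pair, losing one device means replacing one certificate; no private key is ever synchronised or protected only by a password.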
