Thanks Jim
I need to research the use of certificates more. We can have the concept of an admin user that gets each client device loaded with a certificate prior to it’s usage. Clearly we want this to be as hassle free as possible, but our clients would share our security concerns so we can hope they will forgive some of the installation complexities. <<You should NEVER transmit a private key across the internet. Exposing any kind of private key <<material into the web client is just not a good idea. We considered passing the private key, but it would be passed encrypted with the users password and via SSL. We could use a public/private key solution as described here: http://www.mail-archive.com/[email protected]/msg12063.html This makes things more secure as far as writing data, but doesn’t really help with the security of reading the data. >>I'd also advise against using any JS-crypto solution, as the algorithms can be compromised via >>a XSS scripting attack unless your client can sandbox and secure the algorithms somehow. I have considered using a JS-crypto but isolating it to the show and update functions so that it is running in couch instead of the browser. I have also considered doing it in erlang as described here: http://web.archiveorange.com/archive/v/oW6DzmgYHcRrVUfqBqyf However, I don’t know erlang and worry about the learning curve. Thanks for the link and the information on keygen. I’ll see if I can come up with something better with this information. I'll be looking at Jens idea of a PhoneGap app using some keychain API as well. Jay
