Thanks! There's currently no browser API that guarantees the ... • Aaron Parecki

77°F

https://berlin.social/@ir/112438489029794850

Thanks! There's currently no browser API that guarantees the use of secure-element-stored private keys. The best we get now is non-exportable. There's a mention of that here https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-6.3.4.2.2 But as discussed, even hardware-backed keys don't prevent an attacker from starting their own flow in the browser with their own keys.

Portland, Oregon • 47°F

Tue, May 14, 2024 5:32am -07:00

Have you written a response to this? Let me know the URL:

Posted in /replies using monocle.p3k.io