Discussion on: Please Stop Using Local Storage

Michael Thomas

I've been poking around trying to figure out where to put asymmetric keys generated by WebCrypto to use for logging into web sites instead of using passwords over the wire. I've always been conflicted about using localStorage (which works fine because it's trivial to convert the keys to a PEM string). You and others seem to imply that IndexedDB is somehow more secure vs. localStorage, which would surprise me greatly unless there were some browser-secured mechanism to access the DB. Or are you not making that claim? IMO, if you have XSS issues, you have already massively failed, so taking that off the table, I'm not sure what remains.

You can check out what I've been working on here:

out.mtcc.com/hoba-bis

Mike