Brian,

On 08/14, Gix, Brian wrote:
> I don't think so.... If a token is leaked, and we offer *any* kind of
> mechanism to export keys, then any permissions that the App with
> legitimate access to the token has, is then conferred on *any* entity
> that obtains access to the token.
>
> The only way around this is to not allow any access, by any apps, to
> any exportable keys.... or to secure access to the token.

No, not the only way. We could require additional authentication before
an attached application can access export functionality - for example,
check that the user running the application belongs to a certain group.

regards
--
Michał Lowas-Rzechonek <michal.lowas-rzechonek@xxxxxxxxxxx>
Silvair http://silvair.com
Jasnogórska 44, 31-358 Krakow, POLAND