0
I'm now comfortable generating public and private keys for each user of a website.
Is there any pro's / con's for generating the Private keys on the client in the browser or on the server?
And once generated is there any best practices for safely storing the users key?
I feel we need to store the key for the user as they can't be trusted to keep it safe and not lose it.
The connection to the website is all over SSL and the data center is ISO-27001 certified.
It depends on your usecase. If you were writing a web wallet like blockchain.info, I'd tell you to generate the keys on the client. If you were creating an exchange, and you needed exclusive control of the keys, doing that on the client would be a terrible idea. – Nick ODell – 2017-03-12T05:31:56.870
So if I don't need exclusive key access, generate them on the client. 1) If I do generate them on the client should I ever try to save them to the database, or is it really up to the user who generated the key to store it?
2) If I do need exclusive access, I generate them on the server and save them encrypted again in the database? Any more advice on this route? – Will-In-China – 2017-03-12T08:37:36.327
I can understand why nobody wants to discuss this, holding the keys is like a hot potato, you want them but you don't want them – Will-In-China – 2017-03-13T00:37:03.503