
Re: Drastically cutting primary features [was Re: Last call for public comments on Web Crypto charter]

From: Brian Smith <bsmith@mozilla.com>
Date: Thu, 24 Nov 2011 19:03:57 -0800 (PST)
To: Mark Watson <watsonm@netflix.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, public-identity <public-identity@w3.org>, Harry Halpin <hhalpin@w3.org>
Message-ID: <1552044400.179773.1322190237375.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Mark Watson wrote:
> The possibility to develop secure application protocols in Javascript,
> without using TLS, is exactly one of the points of this API, at
> least for us.

I do anticipate this work enabling substitutes for TLS.

I wouldn't be surprised if some uses of key material and/or transmissions of key material were specifically restricted to authenticated and encrypted (i.e. TLS) connections by implementations. The key material is going to be traceable to the user's identity so it will likely have to be protected to the same extent as the user's identity is. 

Browser makers seem keen to prevent any new mixed content scenarios. AFAICT, that means that the browser has to understand at least some of the security properties of the transport security protocol used, to ensure that transport security protocol has the same/similar properties that TLS has. The easiest way to do that would be to just have all applications use TLS. If TLS isn't appropriate for some applications like streaming video, then we should have a (separate?) discussion of how that is going to work.

- Brian
Received on Friday, 25 November 2011 03:04:33 GMT
