W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Re: Drastically cutting primary features [was Re: Last call for public comments on Web Crypto charter]

From: Brian Smith <bsmith@mozilla.com>
Date: Thu, 24 Nov 2011 19:05:08 -0800 (PST)
To: Mark Watson <watsonm@netflix.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, public-identity <public-identity@w3.org>, Harry Halpin <hhalpin@w3.org>
Message-ID: <907369421.179775.1322190308004.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
Brian Smith wrote:
> Mark Watson wrote:
> > The possibility to develop secure application protocols in
> > Javascript,
> > without using TLS, is exactly the one of the points of this API, at
> > least for us.
> 
> I do anticipate this work enabling substitutes for TLS.

Of course, I wrote exactly the opposite of what I meant:

I do NOT anticipate this work enabling substitutes for TLS.

> I wouldn't be surprised if some uses of key material and/or
> transmissions of key material were specifically restricted to
> authenticated and encrypted (i.e. TLS) connections by implementations.
> The key material is going to be traceable to the user's identity so it
> will likely have to be protected to the same extent as the user's
> identity is.
> 
> Browser makers seem keen to prevent any new mixed content scenerios.
> AFAICT, that means that the browser has to understand at least some of
> the security properties of the transport security protocol used, to
> ensure that transport security protocol has the same/similar
> properties that TLS has. The easiest way to do that would be to just
> have all applications use TLS. If TLS isn't appropriate for some
> applications like streaming video, then we should have a (separate?)
> discussion of how that is going to work.
> 
> - Brian
Received on Friday, 25 November 2011 03:05:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 November 2011 03:05:37 GMT