- From: Brian Smith <bsmith@mozilla.com>
- Date: Thu, 24 Nov 2011 19:05:08 -0800 (PST)
- To: Mark Watson <watsonm@netflix.com>
- Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, public-identity <public-identity@w3.org>, Harry Halpin <hhalpin@w3.org>
Brian Smith wrote:
> Mark Watson wrote:
> > The possibility to develop secure application protocols in
> > Javascript,
> > without using TLS, is exactly one of the points of this API, at
> > least for us.
>
> I do anticipate this work enabling substitutes for TLS.

Of course, I wrote exactly the opposite of what I meant: I do NOT anticipate this work enabling substitutes for TLS.

> I wouldn't be surprised if some uses of key material and/or
> transmissions of key material were specifically restricted to
> authenticated and encrypted (i.e. TLS) connections by implementations.
> The key material is going to be traceable to the user's identity so it
> will likely have to be protected to the same extent as the user's
> identity is.
>
> Browser makers seem keen to prevent any new mixed content scenarios.
> AFAICT, that means that the browser has to understand at least some of
> the security properties of the transport security protocol used, to
> ensure that transport security protocol has the same/similar
> properties that TLS has. The easiest way to do that would be to just
> have all applications use TLS. If TLS isn't appropriate for some
> applications like streaming video, then we should have a (separate?)
> discussion of how that is going to work.
>
> - Brian
Received on Friday, 25 November 2011 03:05:36 UTC