
Re: how to protect javascript codes

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Mon, 19 Nov 2012 11:15:44 +0100
Message-ID: <50AA06D0.9010300@telia.com>
To: Mountie Lee <mountie.lee@mw2.or.kr>
CC: Robin Berjon <robin@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>

I'm not sure that http://www.w3.org/TR/widgets-digsig/ actually meets
the requirements of banking, since neither the platform nor the user
can have much idea about the trustworthiness of downloaded code with
respect to access to keys.

In my take on this subject I have put the trust list on the key itself.
This may sound a bit strange but in fact banks do not want their keys to
be used with software they haven't written or have control of.

http://webpki.org/papers/PKI/pki-webcrypto.pdf

An alternative is third-party vetting (certification) of code, which, though, is
costly and slow.

Anders

On 2012-11-19 10:28, Mountie Lee wrote:
> Hi.
> thanks for mail.
> 
> the link you mentioned is for installable WebApp case.
> 
> is there another approach to protect hosted WebApp or loaded JS source integrity?
> 
> PS) I'm informed carefully cross-post.
> 
> 
> On Mon, Nov 19, 2012 at 6:14 PM, Robin Berjon <robin@w3.org> wrote:
> 
>     On 17/11/2012 03:51 , Mountie Lee wrote:
> 
>         I'm comparing javascript with binary plugins (like activeX or applet)
>         under the activeX or java applet
>         the code integrity can be verified by signature with signer's certificate.
> 
>         I'm expecting similar mechanisms.
> 
> 
>     You mean you're looking for something like this:
> 
>       http://www.w3.org/TR/widgets-digsig/ ?
> 
>     PS: Please don't cross post without a good reason.
> 
>     -- 
>     Robin Berjon - http://berjon.com/ - @robinberjon
> 
> 
> 
> 
> -- 
> Mountie Lee
> 
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
> 
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
> 
> 
> 
> 
Received on Monday, 19 November 2012 10:17:16 GMT
