- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sat, 22 Jun 2013 05:50:14 +0200
- To: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
- CC: Dave Raggett <dsr@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>, Jonas Sicking <jonas@sicking.cc>
On 2013-06-21 10:51, GALINDO Virginie wrote:
> Anders,
>
> I think you are mixing different things (SDOs, product initiative, your guess...).
> To me, W3C is the right place to work on that topic.

Virginie,

Since the big guns either keep their stuff under wrappers (MSFT, Intel, ARM), or run their own show (Google), I just don't see any *implemented* deliverable.

If W3C gets a buy-in from a *single* of the platform vendors (MSFT, GOOG, or APPL), I will maybe change my mind :-)

W3C's effort with <keygen> in HTML5 made my alarm clock ring! It was designed 94/95 and has close to zero market-share. Microsoft *publicly* rejected it as well.

FWIW, my own take on the "SE Enigma" is now ready but bringing it to an SDO is the last thing I want to do. I believe an Open Hardware/Open Software implementation and real-world testing is a *much* better idea.

Anders

>
> Regards,
> Virginie
> gemalto
>
>
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: vendredi 21 juin 2013 07:13
> To: Jonas Sicking
> Cc: Dave Raggett; public-sysapps@w3.org
> Subject: Re: status of phase 1 work items?
>
> On 2013-06-21 01:22, Jonas Sicking wrote:
>> Given that we still haven't made much progress on the basis of all of
>> our specs, the runtime and security model, I think it's too early to
>> start looking at the phase 2 specs.
>
> If I restrict myself to the Security Element API:
>
> TrustedComputingGroup which I'm an invited expert member of haven't been able to get the web-interface-topic on the table in the 13 years they have been operating...
>
> Microsoft has introduced a proprietary VSC (Virtual Smart Card) scheme using TPM 2.0 in Windows 8 while Google is working on a new kind of smart card for U2F (Universal 2-Factor Authentication) in FIDO Alliance.
> Intel has launched something called IPT (Identity Protection Technology) which is another "candidate". Trustonic (ARM offspring) is presumably working on something similar under the wrappers.
>
> Regarding Jonas' reference to security model, the examples above use fundamentally different security models, ranging from signed code, user opt-ins, and SOP :-)
>
> That is, the subject is already toast from an SDO point-of-view unless rubber-stamping the existing Gemalto proposal is a viable option.
>
> I would consider a brief poll to see if the Security Element API should remain a chartered item.
>
> Anders
>
>>
>> We still don't have much of an understanding of what the security
>> model is. How trusted is the code that is accessing the APIs that
>> we're designing? When are there security dialogs presented to the
>> user? What checks did the store that the user got the app from do on
>> the code before publishing the app? Are we ok with apps fingerprinting
>> the user? Does the user have the ability to turn off certain
>> permissions from a given app? Is that considered part of the normal
>> flow of user behavior, or just the normal "the user can do whatever
>> the heck he wants with his useragent, but he shouldn't be surprised if
>> things break when he does freaky things"?
>>
>> / Jonas
>>
>> On Thu, Jun 20, 2013 at 6:29 PM, Dave Raggett <dsr@w3.org> wrote:
>>> We now have first public working drafts for all of the phase 1 work
>>> items with the exception of App URI, and the manifest extension spec.
>>>
>>> Several of the specs have been updated since the FPWD was published,
>>> and are candidates for updated public working drafts. Any suggestions
>>> for which ones are ready, or soon will be?
>>>
>>> I am also interested in a crisper understanding of where we are in
>>> respect to the manifest and App URI work items. We handed the JSON
>>> manifest format over to WebApps, with the understanding that we would
>>> develop an extension spec to cover the specific requirements for
>>> SysApps. WebApps have started discussion on the manifest format,
>>> along with the realization that it should be usable for ebooks as
>>> well as packaged apps. However, I am now quite sure where things
>>> stand with respect to the SysApps extension spec, and the SysApps AppURI spec.
>>>
>>> A further question is where are in respect to starting phase 2? Am I
>>> correct in assuming that we are already welcoming contributions on
>>> use cases and requirements? Are we expecting to see draft
>>> specifications in time for the Toronto face to face in late August?
>>>
>>> --
>>> Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett

Received on Saturday, 22 June 2013 03:50:57 UTC