W3C home > Mailing lists > Public > public-sysapps@w3.org > April 2014

Status - Signed Web Apps?

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 07 Apr 2014 21:54:07 +0200
Message-ID: <5343025F.5030007@gmail.com>
To: sysapps <public-sysapps@w3.org>
Pardon my ignorance but is there is draft in progress covering signed web apps
that for example could include an IFRAME + JS?

If so would it be possible to add an attribute which would *exclude* the signature from
being "trusted" by the client platform?  The purpose of that is to reuse the same packaging
and rendering for a scheme that could serve as the foundation for a new class of trusted
web applications where the requested client resource is the actual trusting entity.  In
the current plan such resources are limited to keys for secure operations like payments.

The original blueprint required a complete overhaul of the platform key system:
http://webpki.org/papers/PKI/pki-webcrypto.pdf#page=2

Fortunately a college of mine found a solution that will make it much easier by using
an x.509 extension for holding a hash or similar of the trusted code-signing key.

That is, it is the key that controls code access to itself.  This is essentially what payment
terminals in brick-and-mortar shops do, but here through virtualization and the web.

The scheme is an extension of: https://bugzilla.mozilla.org/show_bug.cgi?id=978867

In order for this to work it must be able to securely deduct that an invoker of the
WebCrypto API is signed including read access to the actual signature key.

Anders
Received on Monday, 7 April 2014 19:54:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:36:20 UTC