- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 31 Mar 2014 19:38:56 +0200
- To: Marcos Caceres <w3c@marcosc.com>, sysapps <public-sysapps@w3.org>

On 2014-03-31 18:29, Marcos Caceres wrote:

Hi Marcos,

I think the core issue here (for me...) is that the draft doesn't elaborate on the trust model.

IMO, that should be a prerequisite for all WebAPIs ( https://developer.mozilla.org/en-US/docs/WebAPI ) because they are actually rather different. Geo-location is essentially a user privacy thing while networks usually have "concerned parties" in both ends.

In a nutshell: I'm not able to tell which end (or mode) the Raw Socket API draft is trying to protect by requiring a trusted application.

This may very well be due to limited understanding on my side :-(

Cheers,
Anders

> On March 31, 2014 at 11:44:11 AM, Anders Rundgren (anders.rundgren.net@gmail.com) wrote:
>>> I have some questions regarding the current draft.
>>
>> It seems that the Raw Socket API can only be used by "trusted applications".
>> I don't know exactly what that is, or more specifically: who is
>> the trusting party?
>>
>> Personally, I have limited faith in end-users' decisions to
>> install trusted applications.
>
> We will try to make it web facing.
>
>> If this specification rather (implicitly?) relies on pre-installed
>> trusted applications, it gets
>> pretty fuzzy since even if the application is trusted it doesn't
>> automatically mean that
>> you are welcome with your UDP or TCP requests everywhere.
>>
>> If the sample application UPnP does not in itself presume trusted
>> connects, I do not really
>> see why the callers need to be trusted either.
>>
>> For requests that actually need to be trusted, DTLS and TLS using
>> CCA (Client Certificate
>> Authentication) ought to be a more scalable solution than using
>> trusted applications.
>
> Do any browsers support this CCA thing?

Received on Monday, 31 March 2014 17:39:29 UTC