W3C home > Mailing lists > Public > public-sysapps@w3.org > November 2014

Rethinking "SysApps"

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 26 Nov 2014 09:47:54 +0100
Message-ID: <547593BA.4050203@gmail.com>
To: sysapps <public-sysapps@w3.org>
Dear List,

Since the SysApps runtime model still seems to be incomplete or missing (?), I take the liberty outlining another model which has grown out of my work with Payments, Identity and Security Tokens.

There's obviously a need for locally installed systems applications like telephone dialers but these are IMO just like other "Apps" and I have nothing to add here.

So quickly over to something completely different...

Let's say that you wanted to have a phone call utility on a customer support web-page.
This is already available but through proprietary solutions, right?

This could be done in a portable fashion through a hosted SysApp created as an IFRAME and then embedded by the customer support web-page.  That is, the UA would still consider the code as trusted but it would also be able to communicate through postMessage() which is much nicer than web-intents (which BTW appears to have died somewhere down the road...).

For payments this would be even more useful since a local wallet like Apple Pay doesn't really work on the web.  A hosted, transiently downloaded wallet would security-wise be identical to the same wallet application locally installed, while still being embedded by a untrusted merchant application.

The upper part of the WebCrypto++ specification illustrated on
http://webpki.org/papers/PKI/pki-webcrypto.pdf#page=2
shows how the hosting, packaging and application isolation would be architected.

However, unlike WebCrypto++, the signature must now be trusted by the *platform*.

If this is actually working, it could give the web a well-deserved push forward; right now the battle between native and web appears to be rather uneven.

Even if you are not interested in payments, you may using a recent Chrome (or Firefox/Beta), try the following semi-mockup/demo which hi-lites the potential of hosted, embedded and locally trusted apps that also aren't being crippled by SOP:
https://mobilepki.org/WebCryptoPlusPlus

Thoughts?

Cheers,
Anders R
Received on Wednesday, 26 November 2014 08:48:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:36:21 UTC