- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Sat, 11 Jun 2011 13:05:33 +0100
- To: Nico Williams <nico@cryptonector.com>
- CC: Brian Smith <bsmith@mozilla.com>, public-web-security@w3.org, Jarred Nicholls <jarred@sencha.com>, David Dahl <ddahl@mozilla.com>
Hi Nico, On 10/06/11 21:41, Nico Williams wrote: > On Fri, Jun 10, 2011 at 2:54 PM, Brian Smith <bsmith@mozilla.com> wrote: >> [...] >> How much of all of that would be the responsibility of the browser? How much of this responsibility can/should the browser pass off to the web app? Should we be focused on the browser enforcing a particular security model, or should we focus on the browser enabling web apps to enforce their own security models? > > That's where trust comes in. If you have scripts putting > authentication methods together in the scripts, I worry that will only > get us a false sense of security. I think that this is a really a problem with downloaded code and is not specific to downloaded code that calls a crypto API. In other words, I'm not at all sure that solving key management for such API calls is that interesting by itself and that we'll be better off investing our time in some way of validating and controlling downloaded code, and that that's sufficiently different from this crypto API activity that those are actually fine things to do mostly separately. S.
Received on Saturday, 11 June 2011 12:06:04 UTC