W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Sat, 11 Jun 2011 13:05:33 +0100
Message-ID: <4DF35A0D.3050609@cs.tcd.ie>
To: Nico Williams <nico@cryptonector.com>
CC: Brian Smith <bsmith@mozilla.com>, public-web-security@w3.org, Jarred Nicholls <jarred@sencha.com>, David Dahl <ddahl@mozilla.com>

Hi Nico,

On 10/06/11 21:41, Nico Williams wrote:
> On Fri, Jun 10, 2011 at 2:54 PM, Brian Smith <bsmith@mozilla.com> wrote:
>> [...]
>> How much of all of that would be the responsibility of the browser? How much of this responsibility can/should the browser pass off to the web app? Should we be focused on the browser enforcing a particular security model, or should we focus on the browser enabling web apps to enforce their own security models?
> 
> That's where trust comes in.  If you have scripts putting
> authentication methods together in the scripts, I worry that will only
> get us a false sense of security.

I think that this is a really a problem with downloaded code
and is not specific to downloaded code that calls a crypto API.

In other words, I'm not at all sure that solving key management
for such API calls is that interesting by itself and that we'll
be better off investing our time in some way of validating and
controlling downloaded code, and that that's sufficiently
different from this crypto API activity that those are actually
fine things to do mostly separately.

S.
Received on Saturday, 11 June 2011 12:06:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC