
[WebCrypto.Next] User Trust Decisions

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 11 Nov 2014 15:42:05 +0100
Message-ID: <5462203D.5050406@gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>

For structuring the discussions a bit...

It seems that there are three different user trust decisions that could apply to WebCrypto.Next:

1. Giving one of your identities to a site.  This is already an established use-case on the
web and I guess we won't be able to get away from such decisions.

2. During installation of a software package running with extended privileges, (hopefully)
received through some trustworthy channel.  Although I personally do not believe that
signed web-applications are ever going to be mainstream except on "WebOSes", some
people feel differently.  Anyway, it is a valid use-case since we already do this for native
applications.

3. NEW.  Some of the thoughts that have been floating around require the user to
give site-specific code direct access to, for example, WebCrypto or PKCS #11 methods.
IMO, this is an invalid use-case because it 1) is too fuzzy for users, 2) doesn't match
typical issuer policies, and 3) introduces considerable vulnerabilities.

AndersR
Received on Tuesday, 11 November 2014 14:42:37 UTC
