W3C home > Mailing lists > Public > public-web-security@w3.org > February 2015

Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 02 Feb 2015 08:52:30 +0100
Message-ID: <54CF2CBE.7010501@gmail.com>
To: Rigo Wenning <rigo@w3.org>, public-web-security@w3.org
CC: Brad Hill <hillbrad@fb.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On 2015-02-02 08:38, Rigo Wenning wrote:
> Brad,
>
> On Thursday 29 January 2015 22:50:00 Brad Hill wrote:
>>    1.  Privacy and tracking.  How does the presence of specific crypto
>> elements and discoverable keys which are not Origin-scoped not create
>> privacy violations?
>
> Depends entirely on who controls activation and discoverability of the
> feature. Keys that are not origin-scoped may be extremely useful, but create
> the risk you describe in a mental model where the user is just a hoard of
> click-cattle. On the other hand, asking for good UI is like asking for the
> magic wand. A solution can be found IMHO in defined use cases where the
> browser is allowing the keys only in certain contexts and after informing the
> user. This is in fact the same as activating geolocation IMHO..

I think you should take a look on what Google have recommended:
https://lists.w3.org/Archives/Public/public-webcrypto-comments/2015Jan/0000.html

The next (anticipated) development step of the groundbreaking Apple Pay system
(becoming equally useful on the web), will most certainly follow this path,
anything else would be extremely foolish.

Then you get away from the crippling effect of SOP or turning users into click-cattles.

Anders

>
>   --Rigo
>
Received on Monday, 2 February 2015 07:53:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 February 2015 07:53:07 UTC