W3C home > Mailing lists > Public > public-web-security@w3.org > March 2015

RE: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

From: Herve SIBERT <herve.sibert@st.com>
Date: Thu, 12 Mar 2015 08:06:58 +0100
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto@w3.org>
CC: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>
Message-ID: <D56460D8B5C0334591AA8323170806FBCBCE4378@SAFEX1MAIL5.st.com>
Indeed, there seems to always be the assumption that the user-agent is secure and not compromised - and starting from that FIDO might be the cleanest possible design - but I don't see the perspective being on how to make internet usage more secure even if the user-agent is compromised, although there are technologies that will help if only they are brought to the open web.
Is there a principle in W3C that states that the user-agent not being compromised is always the assumption? (maybe it's part of the "Web security principles"?)

Cheers
Hervé

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] 
Sent: jeudi 12 mars 2015 07:41
To: Harry Halpin; public-web-security@w3.org; public-webcrypto-comments@w3.org
Cc: GALINDO Virginie; Wendy Seltzer
Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

Hi,

Existing smart-card-using applications ranging from Windows login, SIM-cards in phones, EMV-cards in payment terminals, HTTPS Client Certificate Authentication in browsers, to the [now deprecated] custom signature browser-plugins, all share a common characteristic:
The smart card is accessed by "Trusted Code" which also holds associated UI.

Since the "Open Web" doesn't support this concept (transient web-code is by definition untrusted), it is not possible to continue without first having a firm plan on how to deal with "Trusted Code".

Sincerely,
Anders Rundgren
Principal,
WebPKI.org


Received on Thursday, 12 March 2015 07:07:32 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 12 March 2015 07:07:32 UTC