
Charter Proposal: "Trusted Code" for the Web

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 18 Mar 2015 06:15:27 +0100
Message-ID: <550909EF.4040505@gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>
CC: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>

Trusted Code for the Web

Existing security-related applications like authentication, payments, etc. are all based on a core part being executed by statically installed software that is supposed to be TRUSTED.

Since web-based applications are transiently downloaded, unsigned and come from any number of more or less known sources, such applications are by definition UNTRUSTED.

To compensate for this, web-based security-related applications currently rely on a hodge-podge of non-standard methods where trusted code is located somewhere outside of the actual web application.

Since each browser vendor has had their own idea of what is secure and useful, interoperability has proven to be a major hassle, including the fact that the quest for locking down browsers (in order to make them more secure) also tends to break applications after browser updates.

Although security-related applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code") is also used by massively popular music streaming services, cloud-based storage services and open source collaboration networks.

The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.

-----

This proposal is also supposed to be a replacement for a possible "smart cards for the web" effort.
Received on Wednesday, 18 March 2015 05:16:19 UTC
