- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 29 Mar 2015 20:01:02 +0200
- To: Siva Narendra <siva@tyfone.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>, Rigo Wenning <rigo@w3.org>
On 2015-03-29 17:31, Siva Narendra wrote:
> Dead-end because the data used to arrive are myths and are grossly inaccurate.
> See my presentation from the workshop:
> http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/slides/hardwaretokens/tyfone.pdf

Hi Siva,

The "Box" as you express it would of course work; the problem is that each application would (in order to work in a similar fashion to HTTPS Client Cert Auth) need its own box.

HTTPS Client Cert Auth does not expose any "Crypto API", Keys or UI to untrusted web code and is therefore in my (recently revised) opinion the "right" approach.

Since we probably are not anywhere near ready for specifying the boxes (applications), I have put the boxes *outside* of the browser. The payment application shown in the writeup is such a box. This particular box should preferably be designed by payments specialists, which is yet another advantage with having the boxes on the outside: let each community define what they are best at.

The announced closing of W3C's SysApps without reaching REC is essentially saying the same thing: putting sensitive system-level APIs in the Web is probably the "wrong" approach. It took thousands of hard working hours by *very qualified engineers* to reach this conclusion, which says a thing or two about the complexity of these issues. We should IMO build on this experience and research!

Regards,
Anders
Received on Sunday, 29 March 2015 18:01:34 UTC