- From: Mountie Lee <mountie.lee@gmail.com>
- Date: Thu, 2 Aug 2012 09:46:15 +0900
- To: Ryan Sleevi <sleevi@google.com>
- Cc: public-webcrypto-comments@w3.org
- Message-ID: <CAE-+aYL_crirdFcCTYMdjZ+PfVzsGHYctvXx6EwvKk7orUu6_Q@mail.gmail.com>
Hi. let me comment more. I did not read about SysApp WG. for custom URI scheme, I have found following issues in Korea. - the URL scheme is not unique and can be replaced by last installed App. means a 3rd party App can override original App. - depending on App means depending on Vendor. I think to implement B2C personal information exchange, the server (B part) will encrypt personal information with symmetric or asymmetric algorithm of public key of personal. the client (C part) will try to decrypt the message with API (loaded from where? ) and key. if the API logic is loaded from same origin, the information also can be loaded from same origin. if we locate the API and encrypted message in local, too much security considerations are occurred. my comment is from the experience of wrong usage with ActiveX and abnormal PKI in Korea. users could not distinguish good mail from bank and virus mail from anonymous. regards mountie. On Mon, Jul 30, 2012 at 2:37 PM, Ryan Sleevi <sleevi@google.com> wrote: > Hi Mountie, > > It's not clear the rationale for discarding this use case. You seem to > suggest that because it's not currently implemented via "Web" APIs, > that therefore it cannot be. I'm not sure I would agree with that > conclusion. > > While admittedly not personally familiar with these schemes, based on > how they've been described I can see several ways that the Web > Cryptography API work could enable these use cases. Yes, it means that > providers (eg: such as the Korean credit card companies or banks) > would need to write new code, but I believe that is an understood > given, as we're describing a new API. > > Possible scenarios: > - Web Intents and/or registerProtocolHandler (whatever the latest > synthesis of these notions are called) to expose a custom URI scheme > that can process such messages > - Utilizing "extensions" or other applications that are in scope for > the SysApps WG, which could be granted privileged access to the local > filesystem (without requiring remote coordination) > - As you note, the provider can host the data file on their website, > rather than sending it via e-mail. > > All of these scenarios seem that, when combined, could provide a > better experience than the native applications currently required. > > It should be noted that the use cases listed are not limited to > "Things that can be used as drop in replacements," but to suggest that > given sufficient APIs, such applications can exist. Both your examples > and mine show that these APIs could be used, therefore it seems > appropriate to keep them on the use cases document. > > Regards, > Ryan > > On Sun, Jul 29, 2012 at 10:06 PM, Mountie Lee <mountie.lee@gmail.com> > wrote: > > Hi. > > > > I have comments for > > > http://www.w3.org/2012/webcrypto/wiki/Use_Cases#B2C_personnal_information_exchange > > > > as a Korean Citizen > > I receive many encrypted mails from card company or banks. > > > > the basic mechanism is as following. > > the sender send mail with application download link and encrypted mail > > attachment. > > the user is able to decrypt the mail attachment after installing the > > application via the link. > > the passphrase is normally the last 7 digits of my personal SSN. > > > > the sender forces user installing application to their WINDOWS PC. > > > > I think we can not replace this case with web crypto implementations. > > > > because > > > > has conflict "same origin" policy of browser. > > we can not make sure the email client has always web browsing capability > > and the content is normally loaded from local file system. > > > > has alternatives > > the sender can invite user to their web site > > and verify user identity. > > then show sensitive message on the web. > > > > so my comment is > > remove those use case "B2C personnal message exchange" > > (sorry Channy ^^!) > > > > best regards > > > > -- > > Mountie Lee > > > > Tel : +82 2 2140 2700 > > E-Mail : mountie@paygate.net > > Twitter : mountielee > > > > ======================================= > > PayGate Inc. > > THE STANDARD FOR ONLINE PAYMENT > > for Korea, Japan, China, and the World > > > -- Mountie Lee Tel : +82 2 2140 2700 E-Mail : mountie@paygate.net Twitter : mountielee ======================================= PayGate Inc. THE STANDARD FOR ONLINE PAYMENT for Korea, Japan, China, and the World
Received on Thursday, 2 August 2012 00:47:00 UTC