
[Bug 25721] extractable keys should be disabled by default

From: <bugzilla@jessica.w3.org>
Date: Mon, 28 Jul 2014 19:21:09 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25721-7213-601n3uU5Dx@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

--- Comment #20 from Tom Lowenthal <me@tomlowenthal.com> ---
Virgin's suggestion that UI is out of scope removes one possible mitigation of
the issue, not the issue itself.

A review by WebAppSec might well be useful in finding a more agreeable
solution.

I remain in substantial objection to extractable keys as described.

They seem grossly incompatible with the goal of implementing secure application
protocols at the level of web applications, not least precisely *because* of
risks such as XSS and the code-delivery problem of which we are all aware.

As it stands, the spec doesn't seem on track to implement a solution which will
be actually useful at achieving the first goal specified in the WG's charter. I
hope to find a solution which will allow developers to implement trustworthy
applications.

Received on Monday, 28 July 2014 19:21:11 UTC
