- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Mon, 14 Sep 2015 12:19:54 -0400
- To: www-tag@w3.org
- Message-ID: <55F6F3AA.5020702@openlinksw.com>
On 9/14/15 10:11 AM, Alex Russell wrote:
> On Mon, Sep 14, 2015 at 6:59 AM, Kingsley Idehen
> <kidehen@openlinksw.com> wrote:
>
>> On 9/12/15 1:54 PM, Alex Russell wrote:
>>
>>> But that's all indulgent thinking. JavaScript is a core part of the
>>> web stack today. We live in a world where it exists. We cannot
>>> pretend it doesn't.
>>
>> Anyone should still be able to use the Web modulo Javascript.
>
> We agree! I'm a massive supporter of the Progressive Enhancement
> approach to app/site construction.
>
>> Javascript is simply a popular programming language, supported by
>> browsers. It isn't core Web Technology, as far as I understand what
>> constitutes core Web Technology:
>>
>> 1. URIs
>> 2. HTTP
>> 3. HTML -- this doesn't make Javascript core Web technology (IMHO).
>
> While this formulation might be useful in some circumstances, it
> doesn't really clarify anything here. The security model of the web is
> about what the full set of commonly supported tech (together) can
> accomplish and is about setting limits on that behavior. For the same
> reason that CSS needs to be factored into security/privacy
> considerations, so does JavaScript.

Yes, but there's a difference in scope. Javascript cannot define the scope of security for the core Web Stack, so to speak. These items must be compartmentalized. The Web's architecture has loose coupling at its core, so compartmentalization is vital.

"The security model of the Web" has to be a composite rather than a compound. Currently, your Javascript view is treating the Web security model as a compound rather than a composite.

A user should have the ability to save crypto data to their local OS-hosted keystore if they choose. There are no virtues in restricting that solely to local browser storage at this stage in the game (browsers with host OS interaction are already a common usage pattern).

None of the main operating systems (desktop or mobile) allow interactions with their respective keystores without OS-level authentication challenges, by default.

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 14 September 2015 16:20:18 UTC