- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 7 Nov 2014 11:02:39 +0100
- To: "Nilsson, Claes1" <Claes1.Nilsson@sonymobile.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Mounir Lamouri <mounir@lamouri.fr>, "public-geolocation@w3.org" <public-geolocation@w3.org>, Mike West <mkwst@google.com>
On Fri, Nov 7, 2014 at 10:50 AM, Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com> wrote: > So is it easy for any evil guy to get a valid certificate. It should be easy for anyone to get a certificate. Authenticated/secure origins is not about that. It's about protecting the end user against the network. The user will still have to decide whether to trust the domain name. (It's far from trivial for any evil guy to get a certificate for a domain of his choosing. > How much can we then rely on certificate revocation systems? Not much, yet, but I'm not sure that matters much for this discussion. > If it is so that the added security of requiring https for sites using the Geolocation API is just "imaginary" then we may defer this issue and rely on more general solutions for giving web apps permission to use APIs. There was a workshop in Paris in September on trust and permissions http://www.w3.org/2014/07/permissions/minutes.html, and it is proposed that a W3C Community Group should be formed. 1) It's not imaginary. 2) I don't subscribe to the "lets form a task force" (non-)way of dealing with problems. -- https://annevankesteren.nl/
Received on Friday, 7 November 2014 10:03:10 UTC