W3C home > Mailing lists > Public > public-geolocation@w3.org > November 2014

Re: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 7 Nov 2014 11:02:39 +0100
Message-ID: <CADnb78gFP0WROoqc2ZD22-fB=73n8uxsU6dWgNdNhv=EKGpkvA@mail.gmail.com>
To: "Nilsson, Claes1" <Claes1.Nilsson@sonymobile.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mounir Lamouri <mounir@lamouri.fr>, "public-geolocation@w3.org" <public-geolocation@w3.org>, Mike West <mkwst@google.com>
On Fri, Nov 7, 2014 at 10:50 AM, Nilsson, Claes1
<Claes1.Nilsson@sonymobile.com> wrote:
> So is it easy for any evil guy to get a valid certificate.

It should be easy for anyone to get a certificate.
Authenticated/secure origins is not about that. It's about protecting
the end user against the network. The user will still have to decide
whether to trust the domain name. (It's far from trivial for any evil
guy to get a certificate for a domain of his choosing.

> How much can we then rely on certificate revocation systems?

Not much, yet, but I'm not sure that matters much for this discussion.

> If it is so that the added security of requiring https for sites using the Geolocation API is just "imaginary" then we may defer this issue and rely on more general solutions for giving web apps permission to use APIs. There was a workshop in Paris in September on trust and permissions http://www.w3.org/2014/07/permissions/minutes.html, and it is proposed that a W3C Community Group should be formed.

1) It's not imaginary. 2) I don't subscribe to the "lets form a task
force" (non-)way of dealing with problems.

Received on Friday, 7 November 2014 10:03:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:51:10 UTC