- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Mon, 19 Nov 2012 11:15:44 +0100
- To: Mountie Lee <mountie.lee@mw2.or.kr>
- CC: Robin Berjon <robin@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>

I'm not sure that http://www.w3.org/TR/widgets-digsig/ actually meets the requirements of banking since neither the platform nor the user can have much idea about the trustworthiness of downloaded code with respect to access to keys.

In my take on this subject I have put the trust list on the key itself. This may sound a bit strange but in fact banks do not want their keys to be used with software they haven't written or have control of.

http://webpki.org/papers/PKI/pki-webcrypto.pdf

An alternative is third-party vetting (certification) of code, which though is costly and slow.

Anders

On 2012-11-19 10:28, Mountie Lee wrote:
> Hi.
> thanks for mail.
>
> the link you mentioned is for installable WebApp case.
>
> is there another approach to protect hosted WebApp or loaded JS source integrity?
>
> PS) I'm informed carefully cross-post.
>
> On Mon, Nov 19, 2012 at 6:14 PM, Robin Berjon <robin@w3.org> wrote:
>
> > On 17/11/2012 03:51 , Mountie Lee wrote:
> >
> > > I'm comparing javascript with binary plugins (like activeX or applet)
> > > under the activeX or java applet
> > > the code integrity can be verified by signature with signer's certificate.
> > >
> > > I'm expecting similar mechanisms.
> >
> > You mean you're looking for something like this:
> >
> > http://www.w3.org/TR/widgets-digsig/ ?
> >
> > PS: Please don't cross post without a good reason.
> >
> > --
> > Robin Berjon - http://berjon.com/ - @robinberjon
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World

Received on Monday, 19 November 2012 10:17:16 UTC