Re: [sysapps/runtime] cross origin XHR in packaged apps

On Tuesday, 2 April 2013 at 16:46, Robin Berjon wrote:

> On 02/04/2013 13:30 , Dave Raggett wrote:
> > I would like to hear more about the issues around using signing.
>
> I don't want to cast undue aspersions as to various ways in which  
> signing may be used in SysApps.
>  
> It's just that as a developer, my experience with anything that has  
> required signing (and for which I've been in the loop, as opposed to it  
> happening under the hood somewhere) has been nothing short of appalling.

I agree. Signing is hard on the dev side… let's go shopping. But handling it on the server may be a different story, but it's also fraught with a large number of security concerns (e.g., running your own CA is no easy thing).

> As a result, when someone mentions signing, it's not so much that I  
> start shooting immediately. But I certainly angle my chair so as to  
> slightly draw open the curtains that normally hide the Angry Developer  
> Gun Rack behind me.

:)

> It might be that it's mostly been a tooling issue. Signing is not  
> something you would normally do by hand, so it's always tool-leveraged.  
> It's therefore possible that my experience (and, I'm sure, that of  
> others) stems from the tools being terrible; and it might therefore be  
> possible to have non-horrible tools for this.

There have been some OK tools made… Yahoo widgets had a nice drag-drop-click-done one. But that's only a small part of the "experience"… for WAC, getting a certificate was a huge week-long experience full of joy. Having to send personally identifying information, pay a bunch of money, manually sign some kind of contract, wait, fix whatever you screwed up, etc.

> Switching from developer to standardista hat, my experience has also  
> been that there is a class of issues for which people just immediately  
> say "Yay, let's use signatures!!!!"

It seems that signatures are being used, at least, in FxOS. But I've not found the details… I assume JAR signer might be there somewhere.

> So I'm just being wary. I understand that signing might be required in  
> places, but I am leery of making it required unless we're really, really  
> sure there is no alternative.
>  

Agreed. Unfortunately, I think we are going to need them for some APIs (most of the ones we are standardising in this WG).

Received on Tuesday, 2 April 2013 17:05:59 UTC