Re: [sysapps/runtime] cross origin XHR in packaged apps from Marcos Caceres on 2013-04-02 (public-sysapps@w3.org from April 2013)

From: Marcos Caceres <w3c@marcosc.com>
Date: Tue, 2 Apr 2013 19:16:02 +0100
To: John Lyle <john.lyle@cs.ox.ac.uk>
Cc: public-sysapps@w3.org
Message-ID: <A9333667A6814D30BA17B94616CDF221@marcosc.com>

On Tuesday, 2 April 2013 at 18:49, John Lyle wrote:

> On 02/04/13 18:04, Marcos Caceres wrote:
> > > > It might be that it's mostly been a tooling issue. Signing is not
> > > > something you would normally do by hand, so it's always tool-leveraged.
> > > > It's therefore possible that my experience (and, I'm sure, that of
> > > > others) stems from the tools being terrible; and it might therefore be
> > > > possible to have non-horrible tools for this.
> > >  
> >  
> >  
> > There have been some ok tools made… Yahoo widgets had a nice drag-drop-click-done one. But that's only a small part of the "experience"… for WAC, getting a certificate was a huge week long experience full of joy. Having to send personally identifying information, pay a bunch of money, manually sign some kind of contract, wait, fix whatever you screwed up, etc.
>  
> Yes, it tends to be the process of getting certificates that causes  
> problems. I do agree, though, that many of the tools for signing are  
> pretty bad.
>  
> On a more positive note, the existence of nearly a million signed  
> Android apps suggests that, while onerous, the addition of an author  
> signature isn't a show stopper on its own.

Absolutely. Also just had a look at the Chrome Extension one, and it's also three clicks… as long as you have the .pem already generated. There is also the google developer dashboard, but I haven't had a chance to play with it (though I did pay my 5 bucks).  
> Assuming, of course, that  
> there's a big enough incentive for developers to bother trying and no  
> easier alternative. Whether those signing keys are well protected and  
> serve a useful purpose is a completely different question…

Agreed. I raise it because I know how problematic all solutions are and the required infrastructure can make implementing these solutions practically impossible for anyone but really large organisations - that might not be an issue, but something to consider.   
  
--  
Marcos Caceres

http://datadriven.com.au

Received on Tuesday, 2 April 2013 18:16:33 UTC