- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sun, 28 Jul 2013 09:22:38 +0200
- To: sysapps <public-sysapps@w3.org>

I hope you don't mind me continuing the SE API write-up...

The current SE API "input document" seems to presume that web applications can invoke the SE API as is. I must confess that I do not fully understand (big understatement) how this is supposed to work with respect to Security, Privacy and GUIs.

FWIW, the SKS/KeyGen2 "not-a-standard" doesn't expose a single SE API method to web applications, *EVER*. This sounds pretty strange for a "web solution", right? However, this is in fact only about reusing an already firmly established web concept: the "trusted agent" which currently exists for TLS client-certificate-authentication and in HTML5's <keygen>.

A valid question arises: How could you create new exciting HTML5-based applications using the SE if you are restricted to pre-installed "trusted agents"?

Since the SKS/KeyGen2 scheme anyway drills rather deep into the platform (eventually into the CPU itself), it felt natural *refreshing the browser as well with an additional trust- and security-model explicitly designed for keys* because keys usually express relationships, which is quite different to, for example, "your location" according to GPS.

The current idea is using a souped-up version of W3C's Web Crypto as the foundation for new SE-oriented web applications:
http://webpki.org/papers/PKI/pki-webcrypto.pdf

thanx,
Anders

Received on Sunday, 28 July 2013 07:23:08 UTC