SE digsig requirement, was Re: [Manifest] use cases, was Re: [coord] Is there still a need for WebApps + SysApps meeting at TPAC? from Marcos Caceres on 2013-11-02 (public-sysapps@w3.org from November 2013)

From: Marcos Caceres <w3c@marcosc.com>
Date: Sat, 2 Nov 2013 09:44:25 +0000
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Wonsuk Lee <wonsuk11.lee@samsung.com>, sysapps <public-sysapps@w3.org>
Message-ID: <CAAwChxP=oo8z3ruXbp8+O7dze_72oiEWkG3E4-xSvjNh7SnJsQ@mail.gmail.com>

On Saturday, November 2, 2013, Anders Rundgren wrote:
>
> Since the current SE API draft _presumes_ signed apps, there must be some
> way of achieving this.

Without knowing anything about SE, why is it presumed? And who is expected
to be able to access this API and why would it not be generally available
to developers?

If it's already unsafe, then thinking that putting a digital signature on
it makes it somehow safer is a flawed assumption IMO (the app could be
XSS'd, keys could be stolen, etc.). The API should be designed initially
with the assumption that it should be available to all application
developers.

Received on Saturday, 2 November 2013 09:44:52 UTC