- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 30 Oct 2013 16:27:34 +0100
- To: sysapps <public-sysapps@w3.org>

I guess that my observer status doesn't permit me to present anything, so I take the liberty of pointing to a recently upgraded "concept specification", which introduces yet another app model with a bias towards web-based payments:

http://webpki.org/papers/PKI/pki-webcrypto.pdf

It is related to "trusted chrome", which usually is thought of in the context of signed applications. A generic problem with code-signing is that it doesn't protect the user particularly much unless the user is a geek and actually knows that "Acme Software" is a good company. It really only works well for system updates where the system itself is the [sole] relying party.

This specification (which builds on WebCrypto extensions) differs by letting the critical resource itself (through the OS) decide if the invoking signed code will discover it or not. Although this surely doesn't work for arbitrary resources, it seems to be a suitable match for a wide range of authentication keys since these usually represent a "relation" rather than a personal asset like your location.

Using the devised trust model, each trust network can build and distribute their own trusted applications without burdening users with difficult trust questions. It effectively replaces SOP with a K2C (Key-to-Code) access control scheme which accomplishes "approximately" the same thing. Due to the key-specific application signature, such applications can be hosted on any site/domain.

Because this specification spans multiple standards in progress, from WebCrypto, SE APIs and App Packaging, to the not yet established W3C Payment effort, it is sort of "homeless" at this stage...

Cheers
Anders

Received on Wednesday, 30 October 2013 15:28:09 UTC