Re: W3C workshop on web apps and marketplaces?

In regards to trust-

I do not think the concept of trusted web applications deviates away from
the "one web" vision in any way. There are plenty of existing frameworks
that can operate as a model for how the additional requirement for "trust"
can be satisfied that are currently active and standardized.



I deduce that the term trust, in the context of this thread, is analogous
to the common implementation of SSL. It is an added value to be able to
assert a higher level of assurance during interactions between parties that
never have and never will mutually authenticate each other's identity in
person. Something as simple as an embedded code signing element could add a
needed integrity check to validate that the code has not been altered since
it was published. In addition, an identity assertion from the developer
and/or the "web app vendor" (for lack of a better term) would reduce the
risk of compromised code being accepted as genuine by an end-user.



If the "vendor" has a certification and accreditation process, then they
too could add a signed element to assert that said code was compliant and
in accordance with their specified standards.



The implementation of controls as stated above is an absolute necessity,
regardless of whether the scope of the current topic is to include it or not.



V/r,

Brian Thompson


On Mon, Jan 20, 2014 at 1:30 PM, Marcos Caceres <w3c@marcosc.com> wrote:

> On Monday, January 20, 2014 at 4:58 PM, Dave Raggett wrote:
>
> > I have extracted the comments made on this thread and copied them to the
> > Headlights 2014 proposal that I was asked to make, see:
> >
> > https://www.w3.org/wiki/Headlights2014/W3C_Workshop_on_Web_Apps_and_Marketplaces#Feedback.2FQuestions_on_the_idea
>
> Thanks, Dave, for putting this summary together.
>
> I'm concerned about the mention of "trusted web applications". This makes
> it sound like there is some special type of web application that is somehow
> more trusted than any other web application. I think there is real risk of
> segregating the Web like this - and goes against the principle of "one web".
>
> Could you please drop that from the document?
>
> I'm also a bit, um, uncomfortable, about "Making it easier for users to
> discover and pay for Web apps". The idea of paying for a web site is weird
> (as they are not tangible bits of software) - maybe say, "Making it easier
> for users to discover and pay for online services"?
>
> > This is essentially a request to W3C Management for the resources
> > necessary to start planning for the workshop. More details at:
> >
> > http://www.w3.org/wiki/Headlights2014
> >
> > -- Dave Raggett <dsr@w3.org>
> > http://www.w3.org/People/Raggett


-- 
Brian Thompson, CISSP
(c) 703-937-7122
(e) osyrisdc@gmail.com

Received on Tuesday, 21 January 2014 15:15:20 UTC
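
The signed elements proposed in the message above (a developer signature and a vendor certification signature over the published code) can be sketched as follows. This is an added example, not part of the thread; the key pairs, the identifiers `dev.example` and `store.example`, the app code, and the choice of Ed25519 with SHA-256 are all assumptions made for illustration.

```javascript
// Added illustration: keys, identifiers and app code below are constructed.
const nodeCrypto = require('node:crypto');

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest('hex');

// A "signed element": a statement binding a signer's role and identity to the
// digest of the published code, plus an Ed25519 signature over that statement.
function signStatement(role, id, code, privateKey) {
  const statement = JSON.stringify({ role, id, codeSha256: sha256(code) });
  const sig = nodeCrypto.sign(null, Buffer.from(statement), privateKey).toString('base64');
  return { statement, sig };
}

// Check every element against the code actually received. `trusted` maps an
// identity the verifier already knows to its role and public key.
function verifyApp(code, elements, trusted) {
  const digest = sha256(code);
  const result = { developer: false, vendor: false };
  for (const { statement, sig } of elements) {
    const claim = JSON.parse(statement);
    const signer = trusted.get(claim.id);
    if (!signer || signer.role !== claim.role) continue; // unknown identity or wrong role
    const sigOk = nodeCrypto.verify(null, Buffer.from(statement), signer.publicKey,
      Buffer.from(sig, 'base64'));
    if (sigOk && claim.codeSha256 === digest) result[signer.role] = true;
  }
  return result;
}

// Constructed signers and app.
const developer = nodeCrypto.generateKeyPairSync('ed25519');
const vendor = nodeCrypto.generateKeyPairSync('ed25519');
const trusted = new Map([
  ['dev.example', { role: 'developer', publicKey: developer.publicKey }],
  ['store.example', { role: 'vendor', publicKey: vendor.publicKey }],
]);
const published = Buffer.from('document.title = "Example app";');
const altered = Buffer.from('document.title = "Example app!";');
const elements = [
  signStatement('developer', 'dev.example', published, developer.privateKey),
  signStatement('vendor', 'store.example', published, vendor.privateKey),
];

console.log(verifyApp(published, elements, trusted));
console.log(verifyApp(altered, elements, trusted));
```

The role check against the verifier's own trust map is what stops a developer key from being accepted for the vendor's certification statement.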