- From: Brian Thompson <osyrisdc@gmail.com>
- Date: Mon, 20 Jan 2014 20:19:39 -0500
- To: Marcos Caceres <w3c@marcosc.com>
- Cc: Dave Raggett <dsr@w3.org>, public-sysapps@w3.org
- Message-ID: <CAKg2DaZ3gkmKq2nDixYefeX4gbymvDinjHB6kRAGznxqPKprvg@mail.gmail.com>

In regards to trust - I do not think the concept of trusted web applications deviates away from the "one web" vision in any way. There are plenty of existing frameworks that can operate as a model for how the additional requirement for "trust" can be satisfied that are currently active and standardized. I deduce that the term trust, in the context of this thread, is analogous to the common implementation of SSL. It is an added value to be able to assert a higher level of assurance during interactions between parties that never have and never will mutually authenticate each other's identity in person.

Something as simple as an embedded code signing element could add a needed integrity check to validate that the code has not been altered since it was published. In addition, an identity assertion from the developer and/or the "web app vendor" (for lack of a better term) would reduce the risk of compromised code being accepted as genuine by an end-user. If the "vendor" has a certification and accreditation process, then they too could add a signed element to assert that said code was compliant and in accordance with their specified standards.

The implementation of controls as stated above is an absolute necessity regardless of whether the scope of the current topic is to include it or not.

V/r,
Brian Thompson

On Mon, Jan 20, 2014 at 1:30 PM, Marcos Caceres <w3c@marcosc.com> wrote:

> On Monday, January 20, 2014 at 4:58 PM, Dave Raggett wrote:
>
> > I have extracted the comments made on this thread and copied them to the
> > Headlights 2014 proposal that I was asked to make, see:
> >
> > https://www.w3.org/wiki/Headlights2014/W3C_Workshop_on_Web_Apps_and_Marketplaces#Feedback.2FQuestions_on_the_idea
>
> Thanks, Dave, for putting this summary together.
>
> I'm concerned about the mention of "trusted web applications". This makes
> it sound like there is some special type of web application that is somehow
> more trusted than any other web application. I think there is real risk of
> segregating the Web like this - and goes against the principle of "one web".
>
> Could you please drop that from the document?
>
> I'm also a bit, um, uncomfortable, about "Making it easier for users to
> discover and pay for Web apps". The idea of paying for a web site is weird
> (as they are not tangible bits of software) - maybe say, "Making it easier
> for users to discover and pay for online services"?
>
> > This is essentially a request to W3C Management for the resources
> > necessary to start planning for the workshop. More details at:
> >
> > http://www.w3.org/wiki/Headlights2014
> >
> > --
> > Dave Raggett <dsr@w3.org> (mailto:dsr@w3.org)
> > http://www.w3.org/People/Raggett

--
Brian Thompson, CISSP
(c) 703-937-7122
(e) osyrisdc@gmail.com

Received on Tuesday, 21 January 2014 15:15:20 UTC