- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 18 Mar 2015 07:34:24 +0100
- To: sysapps <public-sysapps@w3.org>
- Message-ID: <55091C70.5000107@gmail.com>
Trusted Code for the Web

Existing security-related applications like authentication, payments, etc. are all based on a core part being executed by statically installed software that is supposed to be TRUSTED.

Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED.

To compensate for this, web-based security-applications currently rely on a hodge-podge of non-standard methods where trusted code resides (and executes) somewhere outside of the actual web application.

However, because each browser vendor has had its own idea of what is secure and useful, interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure) tends to break applications after browser updates.

Although security-applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code") is also used by massively popular music streaming services, cloud-based storage services and open source collaboration networks.

The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.

Received on Wednesday, 18 March 2015 06:35:15 UTC