- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 17 Oct 2013 10:10:45 +0200
- To: Dominique Hazael-Massieux <dom@w3.org>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>, Wendy Seltzer <wseltzer@w3.org>
On 2013-10-17 09:41, Dominique Hazael-Massieux wrote:
> Hi Virginie,
>
> On Wednesday 16 October 2013 at 17:30 +0200, GALINDO Virginie wrote:
>> As announced by Wendy, I am now joining the Web Security IG team and I
>> shared with Adam and Wendy a few topics I believe this IG could discuss.
>> So here is a proposal of topics we could focus on in the coming months,
>> to bring this IG back to life :)
>>
>> - Mobile security
>> We should support the web & mobile IG [1] to understand what are the
>> main security weaknesses in the web app model, compared to the native app
>> model. This would help W3C to fill the gap in terms of security
>> features for the mobile web.
>
> As you know, I'm very interested in this topic, and will be available to
> help; a big part of the work that needs to be done here is to identify what
> content/service providers see as gaps, and document which of these gaps
> are real, and which have solutions that are not sufficiently
> well-known.

Hi Dominique,

Unfortunately it seems that this (IMO constructive) approach causes considerable annoyance on the vendor side, since gaps can be interpreted as "faults" in existing products.

Such gaps include the fact that there are hundreds of millions of secure payment cards in circulation, but these cannot be used on the web, where we are essentially using the same non-secure (and often quite awkward) methods as when the web was born some twenty years ago.

Another gap is related to mobile bank applications for consumers. I have yet to see a single such application using the built-in credentialing solutions of the mainstream platforms.

But since gap analysis doesn't work for the vendors, we have to come up with something else.

There's another problem with gap analysis, and that is that service providers like banks do not generally participate in (or fund) open standards.

I have personally tried another way, and that is to rather interview (one by one) potential users of a work item and ask "could this work for you?".

This is very time-consuming, but waiting for a requirement specification is like "Waiting for Godot" :-)

Cheers
Anders

> Dom
Received on Thursday, 17 October 2013 08:11:24 UTC