- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 09 Nov 2014 17:56:16 +0100
- To: "public-web-security@w3.org" <public-web-security@w3.org>
This somewhat [thought]provoking subject-line has a simple explanation: There is still no specification in spite of the topic being on the radar since years back. It doesn't appear possible creating such a specification as well: Imagine calling a method that does something like P11's C_Sign, what's supposed to happen? A browser-initiated dialog box saying: This application wants key XYZ to sign something but I don't know why and what, do you agree? Would installed and signed web applications help here? No, it would not because there is no obvious signer of such modules except the platform vendors which would severely impede innovation. Leaving the trust-decision to the user is not an option either, it would only open a floodgate to key miss-using malware. Anders
Received on Sunday, 9 November 2014 16:56:45 UTC