- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 09 Nov 2014 18:38:06 +0100
- To: Zijyfe Duufop <zdoofop@gmail.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>

On 2014-11-09 18:02, Zijyfe Duufop wrote:
> your claim about innovation is irrelevant because either one of the
> platform vendors will be available for developers or they will use
> other means of implementation.

Now we know your solution to the problem I first mentioned. I.e. signed web apps.
My hesitation with this is why would you build such a thing for Android or iOS that have much richer native environments?

> Remember, there is no perfect solution to any problem

I know, but smart cards were never designed for the web.

Anders

> On Sun, Nov 9, 2014 at 11:56 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
> > This somewhat [thought]provoking subject-line has a simple explanation:
> > There is still no specification in spite of the topic being on the radar since years back.
> >
> > It doesn't appear possible creating such a specification as well:
> >
> > Imagine calling a method that does something like P11's C_Sign, what's supposed to happen?
> > A browser-initiated dialog box saying: This application wants key XYZ to sign something but I don't know why and what, do you agree?
> >
> > Would installed and signed web applications help here?
> > No, it would not because there is no obvious signer of such modules except the platform vendors which would severely impede innovation.
> > Leaving the trust-decision to the user is not an option either, it would only open a floodgate to key misusing malware.
> >
> > Anders

Received on Sunday, 9 November 2014 17:38:35 UTC