- From: Zijyfe Duufop <zdoofop@gmail.com>
- Date: Sun, 9 Nov 2014 12:02:08 -0500
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Received on Tuesday, 11 November 2014 00:01:47 UTC
your claim about innovation is irrelevant because either one of the platform vendors will be available for developers or they will use other means of implementation. Remember, there is no perfect solution to any problem On Sun, Nov 9, 2014 at 11:56 AM, Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > This somewhat [thought]provoking subject-line has a simple explanation: > There is still no specification in spite of the topic being on the radar > since years back. > > It doesn't appear possible creating such a specification as well: > > Imagine calling a method that does something like P11's C_Sign, what's > supposed to happen? > A browser-initiated dialog box saying: This application wants key XYZ to > sign something but I don't know why and what, do you agree? > > Would installed and signed web applications help here? > No, it would not because there is no obvious signer of such modules except > the platform vendors which would severely impede innovation. > Leaving the trust-decision to the user is not an option either, it would > only open a floodgate to key miss-using malware. > > Anders > > >
Received on Tuesday, 11 November 2014 00:01:47 UTC