Re: Please define user interests/priorities and the main question for smart cards. from Brad Hill on 2015-02-05 (public-web-security@w3.org from February 2015)

From: Brad Hill <hillbrad@fb.com>
Date: Thu, 5 Feb 2015 23:49:10 +0000
To: Martin Paljak <Martin.Paljak@ria.ee>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <D0F939BA.4325%hillbrad@fb.com>



From:  Martin Paljak <Martin.Paljak@ria.ee>
> Doing architecture astronautics "for the web" and assuming that
>everybody shall want to -
> and have to - build their devices and systems according to "the web" is
>similar to the chin problem.

Nobody said you can only build your systems "for the web".  We're only
saying if you want them to work *on the Web*, they must work *with* the
Web.  

If we're going to argue with silly analogies, I like my canoe.  Nobody
should get to tell me I should only ever drive a car.  But it is simply
not safe for me or anybody else to strap a skateboard to the bottom of my
canoe and paddle it into traffic on to the Autobahn.

The Web is an established ecosystem, now 25 years old, with billions of
users and millions of applications that work within an established
security and privacy architecture that has evolved carefully over time.
If you want the W3C to standardize something, its mission statement is to
"lead the World Wide Web to its full potential by developing protocols and
guidelines that ensure the long-term growth of the Web."  I am asserting
that proposed standards which damage or ignore the existing security and
privacy model, and/or which are not supportive of user choice and
continued open innovation and access, do not support that mission.


As for your assertion that users don't care about security and privacy, or
that we don't know if they care, I think that is patently wrong.  It is
one of the things that users are most concerned about.

E.g. The following recent survey of Americans by the Pew Research Center:

 http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/


Or a slightly older survey on European's privacy fears online:

http://www.truste.com/blog/2012/11/20/behind-the-statistics-%E2%80%93-respo

nding-to-eu-consumers%E2%80%99-online-privacy-concerns-2/


By the way, this is not just about legacy crypto devices.  Before *any*
new APIs or features are allowed on the Web, we expect them to demonstrate
that they are engineered in a manner that is safe to operate within the
existing Web security model, or extends that model in a manner that does
not do violence to core user expectations about security and privacy or
break the expectations of the installed base of existing applications.

-Brad

Received on Thursday, 5 February 2015 23:49:45 UTC