- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 12 Mar 2015 07:40:48 +0100
- To: Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto@w3.org>
- CC: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>
Hi,

Existing smart-card-using applications ranging from Windows login, SIM-cards in phones, EMV-cards in payment terminals, HTTPS Client Certificate Authentication in browsers, to the [now deprecated] custom signature browser-plugins, all share a common characteristic: The smart card is accessed by "Trusted Code" which also holds associated UI.

Since the "Open Web" doesn't support this concept (transient web-code is by definition untrusted), it is not possible to continue without first having a firm plan on how to deal with "Trusted Code".

Sincerely,
Anders Rundgren
Principal, WebPKI.org
Received on Thursday, 12 March 2015 06:41:35 UTC