- From: Herve SIBERT <herve.sibert@st.com>
- Date: Thu, 12 Mar 2015 08:06:58 +0100
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto@w3.org>
- CC: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>
Indeed, there seems to always be the assumption that the user-agent is secure and not compromised - and starting from that FIDO might be the cleanest possible design - but I don't see the perspective being on how to make internet usage more secure even if the user-agent is compromised, although there are technologies that will help if only they are brought to the open web. Is there a principle in W3C that states that the user-agent not being compromised is always the assumption? (maybe it's part of the "Web security principles"?) Cheers Hervé -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] Sent: jeudi 12 mars 2015 07:41 To: Harry Halpin; public-web-security@w3.org; public-webcrypto-comments@w3.org Cc: GALINDO Virginie; Wendy Seltzer Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments Hi, Existing smart-card-using applications ranging from Windows login, SIM-cards in phones, EMV-cards in payment terminals, HTTPS Client Certificate Authentication in browsers, to the [now deprecated] custom signature browser-plugins, all share a common characteristic: The smart card is accessed by "Trusted Code" which also holds associated UI. Since the "Open Web" doesn't support this concept (transient web-code is by definition untrusted), it is not possible to continue without first having a firm plan on how to deal with "Trusted Code". Sincerely, Anders Rundgren Principal, WebPKI.org
Received on Thursday, 12 March 2015 07:07:32 UTC