Re: Charter Proposal: "Trusted Code" for the Web from Hannes Tschofenig on 2015-03-18 (public-web-security@w3.org from March 2015)

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Wed, 18 Mar 2015 14:51:32 +0100
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
CC: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
Message-ID: <550982E4.9030307@gmx.net>

Hi Anders,

what deliverables do you think this group should produce?

Ciao
Hannes

On 03/18/2015 01:58 PM, GALINDO Virginie wrote:
> Anders,
> 
> I don’t see how you can state that this is a replacement of the smart
> card effort, without even consulting the companies supporting it.
> 
> Virginie Galindo
> 
> Gemalto
> 
>  
> 
>  
> 
> *From:*Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
> *Sent:* mercredi 18 mars 2015 06:15
> *To:* public-web-security@w3.org
> *Cc:* Mike West; Anne van Kesteren
> *Subject:* Charter Proposal: "Trusted Code" for the Web
> 
>  
> 
> Trusted Code for the Web
> 
> Existing security-related applications like authentication, payments,
> etc. are all based on that a core-part is executed by statically
> installed software that is supposed to be TRUSTED.
> 
> Since web-based applications are transiently downloaded, unsigned and
> come from any number of more or less known sources, such applications
> are by definition UNTRUSTED.
> 
> To compensate for this, web-based security-related applications
> currently rely on a hodge-podge of non-standard methods where trusted
> code is located somewhere outside of the actual web application.
> 
> Since each browser-vendor have had their own idea on what is secure and
> useful, interoperability has proven to be a major hassle, including the
> fact that the quest for locking down browsers (in order to make them
> more secure), also tends to break applications after browser updates.
> 
> Although security-related applications are interesting, they haven't
> proved to be a driver.  Fortunately it has turned out that the desired
> capability ("Trusted Code"), is also used by massively popular music
> streaming services, cloud-based storage services and open source
> collaboration networks.
> 
> The goal for the proposed effort would be to define a vendor- and
> device-neutral solution for dealing with trusted code on the Web.
> 
> -----
> 
> This proposal is also supposed to be a replacement for a possible 
> "smart cards for the web" effort
> 
> ------------------------------------------------------------------------
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable
> for the message if altered, changed or falsified. If you are not the
> intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus.

Received on Wednesday, 18 March 2015 13:52:18 UTC