[packaging-on-the-web] Package signing and key continuity for trusted apps (#29)

I work on [OpenPGP.js](https://github.com/openpgpjs/openpgpjs) and would love to see a standard for signed packaged apps on the web. Much like how Chrome Apps work but without a central CA or app store to go through.

@diracdeltas suggested that the browser check for key continuity when verifying app updates. Much like how Android works. But in the web's case there should be no central CA and the browser just does trust-on-first-use for the developer's public key on the initial installation. On subsequent updates the browser then verifies that the signature is indeed from the same key.

Especially with regard to client-side crypto apps like WhisperSystems' Signal or encrypted webmail apps like Protonmail. I'm also working on an OpenPGP mail client (https://hoodiecrow.com) and could give feedback in terms of the security aspects for this use case.

Specifically, I'm talking about the following problem: http://tonyarcieri.com/whats-wrong-with-webcrypto

Or Moxie's remarks here: https://news.ycombinator.com/item?id=11307992

In that case a packaged app would have to exist in its own sandbox much like Chrome Apps with its own origin and storage so that e.g. private PGP key material could be stored by the trusted app, and JavaScript from an untrusted hosted page could not access it.

---
https://github.com/w3ctag/packaging-on-the-web/issues/29

Received on Sunday, 27 March 2016 14:45:25 UTC
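
The key-continuity check proposed in this message, sketched as an added example (not code from the post, from OpenPGP.js, or from any browser): the first install pins the developer's key fingerprint, and later updates are accepted only when validly signed by that same key. It assumes Ed25519 signatures via Node's `crypto` module; the package layout, the pin store, the function names and the `app://mail.example` origin are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// SHA-256 over the DER-encoded public key; this is the value that gets pinned.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return nodeCrypto.createHash("sha256").update(der).digest("hex");
}

// Bytes covered by the signature (assumed layout): origin, version, then payload.
function signedBytes(pkg) {
  return Buffer.concat([Buffer.from(`${pkg.origin}\n${pkg.version}\n`), pkg.payload]);
}

// Developer side: sign a package with an Ed25519 key pair.
function signPackage(origin, version, payload, keys) {
  const pkg = { origin, version, payload: Buffer.from(payload), publicKey: keys.publicKey };
  pkg.signature = nodeCrypto.sign(null, signedBytes(pkg), keys.privateKey);
  return pkg;
}

// Browser side: pins maps origin -> fingerprint of the key seen at first install.
function verifyPackage(pins, pkg) {
  if (!nodeCrypto.verify(null, signedBytes(pkg), pkg.publicKey, pkg.signature)) {
    return "reject:bad-signature";
  }
  const fp = fingerprint(pkg.publicKey);
  const pinned = pins.get(pkg.origin);
  if (pinned === undefined) {
    pins.set(pkg.origin, fp); // trust on first use
    return "installed:key-pinned";
  }
  return pinned === fp ? "updated" : "reject:key-changed";
}

// Constructed sample run: install, honest update, update under a new key, tampered update.
function demo() {
  const pins = new Map();
  const dev = nodeCrypto.generateKeyPairSync("ed25519");
  const other = nodeCrypto.generateKeyPairSync("ed25519");
  const origin = "app://mail.example"; // constructed origin
  const tampered = signPackage(origin, 3, "v3 code", dev);
  tampered.payload = Buffer.from("v3 code + injected script");
  return [
    verifyPackage(pins, signPackage(origin, 1, "v1 code", dev)),
    verifyPackage(pins, signPackage(origin, 2, "v2 code", dev)),
    verifyPackage(pins, signPackage(origin, 2, "v2 code", other)),
    verifyPackage(pins, tampered),
  ];
}

console.log(demo());
```

The pin is only as trustworthy as the first download: a package swapped before the initial install gets its own key pinned, which is the usual limitation of trust-on-first-use.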