W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2015

Re: The futile war between Native and Web

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 16 Feb 2015 10:40:22 +0100
Message-ID: <54E1BB06.7060608@gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, noloader@gmail.com
CC: public-webapps WG <public-webapps@w3.org>
On 2015-02-16 09:34, Anne van Kesteren wrote:
> On Sun, Feb 15, 2015 at 10:59 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>> For the first point, Pinning with Overrides
>> (tools.ietf.org/html/draft-ietf-websec-key-pinning) is a perfect
>> example of the wrong security model. The organizations I work with did
>> not drink the Web 2.0 koolaide, its its not acceptable to them that an
>> adversary can so easily break the secure channel.
> What would you suggest instead?
>> For the second point, and as a security architect, I regularly reject
>> browser-based apps that operate on medium and high value data because
>> we can't place the security controls needed to handle the data. The
>> browser based apps are fine for low value data.
>> An example of the lack of security controls is device provisioning and
>> client authentication. We don't have protected or isolated storage,
>> browsers can't safely persist provisioning shared secrets, secret
>> material is extractable (even if marked non-extractable), browsers
>> can't handle client certificates, browsers are more than happy to
>> cough up a secret to any server with a certificate or public key (even
>> the wrong ones), ...
> So you would like physical storage on disk to be segmented by eTLD+1
> or some such?
> As for the certificate issues, did you file bugs?
> I think there definitely is interest in making the web suitable for
> this over time. It would help if the requirements were documented
> somewhere.

There are no universal and agreed-upon requirements for dealing with
client-certificates which is why this has been carried out in the past
through proprietary plugins.  These have now been outlawed (for good
reasons), but no replacement has been considered.

There were some efforts recently
which though were rejected by Mozilla, Google and Facebook.

And there we are...which I suggest a "short-cut":
which initially was pointed out by Ryan Sleevy:

Received on Monday, 16 February 2015 09:41:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:43 UTC