how to protect javascript codes from Mountie Lee on 2012-11-17 (public-webappsec@w3.org from November 2012)

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Sat, 17 Nov 2012 10:07:17 +0900
To: webcrypto-comments@w3.org
Cc: public-webappsec@w3.org, public-sysapps@w3.org
Message-ID: <CAE-+aY+iAS7Fo4hVv_Lfz9V+XxW=5DEZc2WuY=mThLdQ085ZsA@mail.gmail.com>

Hi.

I have a question.

how to protect javascript codes loaded from remote server or installed
webapps?

I were trying to find protecting mechanism. but fail to find exact
description from documents of webcrypto WG, WebAppSecWG and SysApp WG.

the reason why we need to protect javascript codes are as following
- javascript codes are easily changed on client side.
- service provider want to make sure the business logic implemented with
javascript is exactly same to server's

I think hosted JS model and installable webapp model has no different.

for installable webapp model,
before installing webapp, it have to be verified the integrity of webapp.

these requirements are mentioned in many email threads or usecases on
webcrypto WG
at "security of a client-side JS API" (
http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Nov/subject.html
)
at http://www.w3.org/2012/webcrypto/wiki/Use_Cases#Signed_web_applications

JOSE is focusing to json returned data itself. it can not cover js code
itself.

I have discussed with a member of SysApp WG.
and even by the joint session at TPAC with webappsec WG

I can not get proper answer.

do we need to consider protecting mechanism for loaded or installed
javascript codes?


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Saturday, 17 November 2012 01:08:02 UTC