Re: Charter Addition Proposal: "Trusted Code" for the Web

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 23 Mar 2015 22:35:10 +0100
Message-ID: <5510870E.8030001@gmail.com>
To: chaals@yandex-team.ru, Jeffrey Yasskin <jyasskin@google.com>, Marijn Kruisselbrink <mek@chromium.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2015-03-23 20:49, chaals@yandex-team.ru wrote:
> 23.03.2015, 20:32, "Anders Rundgren" <anders.rundgren.net@gmail.com>:
>> On 2015-03-23 19:49, chaals@yandex-team.ru wrote:
>>>   OK, it seems I have so far failed to understand what you are really trying to achieve,
>>>   so let me try again…
>>
>> NP.
>>>   23.03.2015, 19:43, "Anders Rundgren" <anders.rundgren.net@gmail.com>:
>>>>   On 2015-03-23 19:18, Jeffrey Yasskin wrote:
>>>>
>>>>   Hi Jeffrey,
>>>>>     Am I right in thinking that your proposal isn't about how to declare a
>>>>>     web-delivered piece of code as "trusted", but rather about defining
>>>>>     how to communicate between (untrusted) web code and (trusted) native
>>>>>     code delivered with the hardware or browser?
>>>>   Close.  In my take on this, trusted code is supplied in native level applications
>>>>   that have been specifically vetted for this usage.
>>>   Where there is a trusted application installed on a device, you want a web application
>>>   to be able to pass information to that app, and get it back?
>>
>> Yes, that is the core and is what hundreds of different applications already do,
>> albeit using non-standard methods.
>
> Whee! I think I understand the rough problem, at least…
>
>> If we take a subject you are involved in, Web Payments, a local wallet would be an
>> excellent target application.
>
> Sure. Some other possibilities to check I have roughly the right idea:
>
> One is a graphics application I happen to have bought might be what I want to use for editing my photos on Yandex disk, instead of the built-in online editor.
>
> One of the things that drives me nuts about online document editors is having them fall over when I am offline. I would rather be able to use an installed document editor, and pass edited documents, or changesets, back. Github

That might fit but I must admit that the primary ambition was getting away from standardizing
system-level APIs for the Open Web for the simple reason that it creates new (and often unresolvable)
problems like we saw in WebCrypto.Next.  SOP and Payments are also poor bedfellows.

Using mediating native applications seems like a much simpler and more extensible way to
get approximately the same functionality as you have in "Apps".  IMO, the Web sucks and
it got worse when plugins were deprecated.  I of course do not want them back but I believe
that there simply MUST be something to replace this functionality.  If somebody has a better
mousetrap that's just fine, the market doesn't care as long as it works :-)

>> Hopefully the referred web2native bridge presentation is also worth a brief peek.
>
> I already looked at it and didn't see what I was missing…

Try to build a web payment application using platform keys and you will see :-)


> but I think I'm getting there now.

Good!  Actually you can try it, since Chrome has a substantial part of it already.

>
> cheers
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
>
Received on Monday, 23 March 2015 21:36:08 UTC