W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: Charter Addition Proposal: "Trusted Code" for the Web

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 24 Mar 2015 09:38:19 +0100
Message-ID: <5511227B.6060705@gmail.com>
To: Brad Hill <hillbrad@gmail.com>, chaals@yandex-team.ru, Jeffrey Yasskin <jyasskin@google.com>, Marijn Kruisselbrink <mek@chromium.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2015-03-23 21:40, Brad Hill wrote:
> Sounds like Web Intents.

Yes, Charles' application seems to fit Web Intents.

The Web2Native Bridge primary target is making App-like functionality available
to Web applications in a [hopefully] scalable and secure way.

Packaged single-purpose service-oriented subsystems can be created by anybody and
should generally not require weird security prompts which you get with low-level
multi-purpose APIs that were not designed to be used in the Open Web like ISO 7816.

A service-oriented approach also makes Web applications less entangled in platform-
specific details in the same way as HTTPS Client Certificate Authentication works
identically for Web applications regardless if keys are stored in "soft" containers,
smart cards, TPMs or TEEs.

Anders


>
> On Mon, Mar 23, 2015 at 12:52 PM <chaals@yandex-team.ru <mailto:chaals@yandex-team.ru>> wrote:
>
>     23.03.2015, 20:32, "Anders Rundgren" <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>__>:
>      > On 2015-03-23 19:49, chaals@yandex-team.ru <mailto:chaals@yandex-team.ru> wrote:
>      >>  OK, it seems I have so far failed to understand what you are really trying to achieve,
>      >>  so let me try again…
>      >
>      > NP.
>      >>  23.03.2015, 19:43, "Anders Rundgren" <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>__>:
>      >>>  On 2015-03-23 19:18, Jeffrey Yasskin wrote:
>      >>>
>      >>>  Hi Jeffrey,
>      >>>>    Am I right in thinking that your proposal isn't about how to declare a
>      >>>>    web-delivered piece of code as "trusted", but rather about defining
>      >>>>    how to communicate between (untrusted) web code and (trusted) native
>      >>>>    code delivered with the hardware or browser?
>      >>>  Close.  In my take on this, trusted code is supplied in native level applications
>      >>>  that have been specifically vetted for this usage.
>      >>  Where there is a trusted application installed on a device, you want a web application
>      >>  to be able to pass information to that app, and get it back?
>      >
>      > Yes, that is the core and is what hundreds of different applications already do,
>      > albeit using non-standard methods.
>
>     Whee! I think I understand the rough problem, at least…
>
>      > If we take a subject you are involved in, Web Payments, a local wallet would be an
>      > excellent target application.
>
>     Sure. Some other possibilities to check I have roughly the right idea:
>
>     One is a graphics application I happen to have bought might be what I want to use for editing my photos on Yandex disk, instead of the built-in online editor.
>
>     One of the things that drives me nuts about online document editors is having them fall over when I am offline. I would rather be able to use an installed document editor, and pass edited documents, or changesets, back. Github
>
>      > Hopefully the referred web2native bridge presentation is also worth a brief peek.
>
>     I already looked at it and didn't see what I was missing… but I think I'm getting there now.
>
>     cheers
>
>     --
>     Charles McCathie Nevile - web standards - CTO Office, Yandex
>     chaals@yandex-team.ru <mailto:chaals@yandex-team.ru> - - - Find more at http://yandex.com
>
Received on Tuesday, 24 March 2015 08:39:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:47 UTC