Re: Pre-provisioned Key-access Proposal - Privacy Consideration Update

On 2012-10-30 12:13, Mark Watson wrote:
<snip>
>> For practical comments, I feel that the current doc is full of
>> hand-wavey ideas that provide no guidance or actual APIs that show how
>> many of these concepts are to work or be used. I also think that,
>> absent formal membership, the IPR policies likely prevent this being
>> something that the WG could adopt.
> 
> +1

Mark, it would be interesting to hear Netflix's take on WebCrypto access to
pre-provisioned keys that are not bound to any particular domain. Think credit cards.

Anders


> 
>>
>>>
>>> I have updated the document with a privacy consideration section.
>>>
>>> The scheme offers no privacy silver bullet but maybe a "workable solution".
>>>
>>> A generic Web Crypto issue seems to be that either you end up with a standardized "key-picker" (probably pretty difficult to define) which would mark the selected key as usable by the application to use with the Web Crypto API, or you leave this responsibility to the [presumably well-written] application. The described solution bets on the latter because this is much more flexible and may even turn out to be a prerequisite for market acceptance. However, this introduces a potential privacy risk, since there's no platform-provided protection against key "misuse".
>>>
>>> BTW, I have recently been experimenting with the extension scheme used by, for example, Google to access the Android Play store, which is based on stand-alone handlers for unique protocols like "market://". This is a strong challenger to Web Crypto solutions for pre-provisioned keys. This scheme also fits quite nicely with the described solution.
>>>
>>> -- Anders

Received on Tuesday, 30 October 2012 12:16:51 UTC