- From: Jeffrey Walton <noloader@gmail.com>
- Date: Wed, 3 Apr 2013 14:26:33 -0400
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>

Hi Anders,

On Tue, Apr 2, 2013 at 7:10 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:
> Since an issuer of a key has (if I didn't get it all wrong...) full "usage" access to a key it has issued including signing whatever it wants there are obviously some trust isolation limits of the Web Crypto API. Note: I don't see that as a big problem.
>

Sorry to rewind this. Has anyone from legal briefed you on the topic? Is it the case an issuer has full access to a credential issued to a user if it's installed on a user's device? How about if the user re-provisions the key, so it's used for another site too?

I'm curious since I don't believe I've ever encountered it in the field. I am aware that remote wipes have some unanswered legal questions [1], and imagine wiping a credential used at another site might expose the firm to some legal risk.

Jeff

[1] http://www.forbes.com/sites/ciocentral/2012/07/10/mobile-security-the-fallacy-of-remote-wiping-your-phone-2/3/

Received on Wednesday, 3 April 2013 18:27:04 UTC