- From: Arun Ranganathan <arun@mozilla.com>
- Date: Mon, 8 Jul 2013 14:41:00 -0400
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: Arun Ranganathan <aranganathan@mozilla.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>

Hi Anders,

Some words of clarification:

On Jul 8, 2013, at 2:36 PM, Anders Rundgren wrote:

> Hi Arun,
> I read your response to Sangrae Cho regarding the use of BrowserID as the Korean solution:
>
> http://lists.w3.org/Archives/Public/public-webcrypto/2013Jul/0011.html
>
> There's nothing wrong with BrowserID but it is probably not compliant to banks' requirements since it does neither address PIN-codes nor secure storage.
> IMO this is valid for the entire Web Crypto API scheme.
>

I wasn't proposing "BrowserID" as the solution! Rather, what I was proposing was:

1. The use of cross-origin messaging to allow cryptographic credentials such as certs to be used across origins and…

2. Re-imagining Sangrae Cho's problem statement in terms of SOP, with the possibility of 1. above.

I merely used BrowserID as a "template" for the type of thing that can be done when cryptography meets cross-origin messaging.

> A related issue which has not been commented on is that the Web Crypto specification effectively "disintegrates" a platform with respect to key storage.
> Immediately after (probably even before) Web Crypto passes through standardization, a frenzy of (all incompatible) schemes will emerge with the goal of restoring the platform again.
>

I'm not entirely sure I understand this point.

-- A*

Received on Monday, 8 July 2013 18:41:27 UTC