Re: Exposing TLS & Certificate Information in Javascript

On Wed, May 29, 2013 at 10:37 PM, Ryan Sleevi <> wrote:
> ....
> Solving the "secure delivery of code" is a non-goal of this WG. Trust TLS
> (which your model, by design, does not) or use SysApps (as I earlier
> suggested) have been the two responses so far for this problem.

One does not have to solve the secure delivery problem to make the
enhancements useful.

An application loaded from an organization's application store (or
side loaded via a developer) does not suffer secure delivery - they
provide the initial secure delivery. It's not hard to imagine a large
organization with 150,000 employees using an in-house timekeeping
application that takes advantage of the pre-existing relationship by
pinning the time server's certificate or public key. (It can also
sidestep the problems caused by the current definitions of SOP since
many enterprise apps don't fetch text-based ads from a third party).

I believe App store applications represent a non-trivial portion of
applications available to a user. But I've never seen statistics on
purely browser-based apps versus app store apps.

These app stores are going to get more popular because: (1) they are a
source of revenue for the owners of the platform, and (2) they are
providing vendor lock-in. So I expect to see even more apps on these
app stores in the future, not fewer.


Received on Thursday, 30 May 2013 02:54:33 UTC