- From: Ryan Sleevi <sleevi@google.com>
- Date: Mon, 17 Feb 2014 21:53:10 -0800
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: public-webcrypto-comments@w3.org
- Message-ID: <CACvaWvYnK82MXyz4s-yz85a4ePYVMtXJOEo=q3N=TVOEYBOkFw@mail.gmail.com>
Thank you for the continued focus on out of scope work.

Considering that this work began in 2011, I do not consider it a failing of the W3C. Nor do I consider it "proof" of the unsuitability of WebCrypto. Given that no UA has shipped an implementation without prefix or flag, nor has the ED advanced to LC, it's entirely reasonable for businesses and site operators to make pragmatic and rational evaluations of the technology available to them.

If you actually read the specifications, you would realize that it's entirely possible for such a service to (eventually) migrate to a WebCrypto solution - for example, using registerProtocolHandler and/or Message Ports as an alternative.

As always, I thank you for your feedback, and merely note that the facts do not support your conclusions.

All the best,
Ryan

On Feb 17, 2014 9:04 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com> wrote:

> Since browser plugins are to be "outlawed" and W3C rejected all
> suggestions for making WebCrypto useful in more traditional scenarios, the
> Swedish banks are now rolling out non-web solutions.
>
> The only connection left to the browser is now through specific URL-schemes
>
> http://www.bankid.com/Global/wwwbankidcom/RP/BankID%20Relying%20Party%20Guidelines%20v2.2.pdf
> which are used to invoke a local security application.
>
> Having explored this feature extensively in my SKS/KeyGen2 PoC, I can
> attest that it is platform-dependent, unreliable, gives a poor
> user-experience and introduces serious security disconnects.
>
> Anders

Received on Tuesday, 18 February 2014 05:53:37 UTC