- From: Ryan Sleevi <sleevi@google.com>
- Date: Fri, 30 May 2014 23:20:03 -0700
- To: Jeffrey Walton <noloader@gmail.com>
- Cc: WebCrypto Comments <public-webcrypto-comments@w3.org>
Received on Saturday, 31 May 2014 06:20:30 UTC
On May 30, 2014 11:14 PM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>
> Are there any plans to require web apps to possess a permission to
> access, for example, key storage? Perhaps a read, write and delete
> permission?

There is no inter-origin key storage. Key storage is handled by standard web storage APIs, whose privacy and security properties are well understood and discussed.

>
> Are there other permissions that might apply in the scope of WebCrypto?
>
> http://www.w3.org/2012/sysapps/manifest/#permissions-member discusses
> a permission member, but I'm having trouble locating a comprehensive
> list of available permissions.
>

Please note, the sysapps security model is different than the webapps security model, as the sysapps charter clearly spells out.

It is possible, in future work, that the WG may decide to expose cryptographic hardware (currently out of chartered scope) or inter-origin key storage (akin to the Key Discovery API). In these cases, user agents may implement promoting (for webapps) and permissioning (for sysapps).

However, all of this is work we are NOT doing right now, so I would not spend too much time on it.