- From: Jeffrey Walton <noloader@gmail.com>
- Date: Sat, 31 May 2014 02:50:42 -0400
- To: WebCrypto Comments <public-webcrypto-comments@w3.org>
Thanks Ryan.

On Sat, May 31, 2014 at 2:20 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
> On May 30, 2014 11:14 PM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>>
>> Are there any plans to require web apps to possess a permission to
>> access, for example, key storage? Perhaps a read, write and delete
>> permission?
>
> There is no inter-origin key storage. Key storage is handled by standard web
> storage APIs, whose privacy and security properties are well understood and
> discussed.

Well, I think there could be more to it.

An (ab)use case I am thinking of: a web-based flashlight app wants access to a keybag, keychain, keystore, etc. Should an application using WebCrypto be allowed to arbitrarily access the keybag, keychain, keystore, etc?

Another (ab)use case I am thinking of: malicious SMS apps can silently swallow SMS messages. This is especially bad for those which insert themselves first in the chain via android:priority in the manifest, get their C&C via text, and then delete the message before anyone sees it. Should an application using WebCrypto be allowed to arbitrarily and silently delete local material in the keybag, keychain, keystore, etc?

Another (ab)use case I am thinking of: Java applets, permissions and code signing. http://threatpost.com/javas-losing-security-legacy. In the case of Java, malware authors regularly code sign to break out of the sandbox. Applets are so over-permissed that it's recommended the applet *not* code sign, to ensure they can be contained in the sandbox. Is there a WebApp/WebCrypto equivalent to drop permissions? Or do apps have to run fully bestowed with full access to the platform?

>> Are there other permissions that might apply in the scope of WebCrypto?
>>
>> http://www.w3.org/2012/sysapps/manifest/#permissions-member discusses
>> a permission member, but I'm having trouble locating a comprehensive
>> list of available permissions.
>>
>
> Please note, the sysapps security model is different than the webapps
> security model, as the sysapps charter clearly spells out.

OK, thanks. I started at Installable WebApps and tried to locate something discussing the permissions in the manifest. Does AOSP/Google consider a Hosted App a WebApp, SysApp or something different? (https://developers.google.com/chrome/apps/docs/developers_guide).

> It is possible, in future work, that the WG may decide to expose
> cryptographic hardware (currently out of chartered scope) or inter-origin
> key storage (akin to the Key Discovery API). In these cases, user agents may
> implement promoting (for webapps) and permissioning (for sysapps).

Yes, that's another one that would make a good candidate for a permission or capability.

Another that might make a good candidate: crypto algorithms. If an app only needs to store or fetch a random value or unique value to track an installation, then should the algorithms be partitioned separately? It's no different than segregating code and data. In this case, the crypto algorithms are essentially code, and the unique values and key material are essentially data.

> However, all of this is work we are NOT doing right now, so I would not
> spend too much time on it.

OK, thanks. I'm trying to determine gaps in the current models.

Jeff
Received on Saturday, 31 May 2014 06:51:10 UTC