- From: Jeffrey Walton <noloader@gmail.com>
- Date: Sat, 31 May 2014 03:45:27 -0400
- To: Ryan Sleevi <sleevi@google.com>
- Cc: WebCrypto Comments <public-webcrypto-comments@w3.org>
On Sat, May 31, 2014 at 3:10 AM, Ryan Sleevi <sleevi@google.com> wrote: > ... > Jeff, > > While I appreciate the feedback, it does seem you are fairly confused about > this API. While I hope the above is able to provide some clarification, I > would suggest that before you spend too much time worrying about the > security model - and such things like Java sandboxing and code signing - it > might help to focus a bit more on understanding the web security model and > the existing APIs that are part of the platform (eg: IndexedDB). > > I can't help but feel like the current comments stem from a place of > misunderstanding, that perhaps the cart was placed before the horse. I only > mention this to make sure that we don't spend too much time discussing the > above responses without first making sure we are on the same page as far as > how the platform works. > > This would avoid things like comparison to Java or native applications, give > an understanding of what permissions look like, give an understanding of > what the threats are, what malware conceptually looks like, and all of these > other important concepts. Once this is in place, then its a good position to > evaluate what or how WebCrypto alters this - with the answer clearly being > 'not at all, because it is all possible today, just not as securely as with > WebCrypto' Thanks Ryan. There is some mis-understandings, but I don't believe its as bad as you think. There's also a desire to understand what additional controls we have with new technologies like WebApps and WebCrypto so an HTML5/CSS/Javascript app can handle more than low value data. Jeff
Received on Saturday, 31 May 2014 07:45:54 UTC