Re: origin bound key generation

On 8/21/12 7:33 PM, "Ryan Sleevi" <<>> wrote:

>>I've been trying to find a way to propose text that balances these
>>concerns, but to be honest, I don't have a good solution. Part of this
>>is what lead to the proposal of requiring CSP, since this can mitigate
>>(some of) the security concerns, but I think there's still a lot of
>>security risks that have to be talked through and discussed before we
>>go too far.

>From my notes at the F2F, we had attributes of type scope (including access control and temporary/permanent). These were supposed to be set at the time of creation and read-only after that. Access control attribute was meant to allow the origin to specify which sites can access/use this key (may be we need granularity of purpose too).
I have not been following the conversations much lately, but I do not see the access control attribute in the draft (temporary is there). Has it been dropped because of some reason?


Received on Wednesday, 22 August 2012 15:30:49 UTC