[Bug 25721] extractable keys should be disabled by default

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

--- Comment #22 from Harry Halpin <hhalpin@w3.org> ---
(In reply to Ryan Sleevi from comment #19)
> (In reply to Harry Halpin from comment #18)
> > Quick note Elijah and any others interested in this bug,
> > 
> > Per Virginie's comment, if we formally bring this larger issue up with the
> > Web Security Model up to the WebAppSec (Web Application Security Model) WG,
> > would that satisfy the reviewer?
> > 
> 
> Harry,
> 
> For the sake of the members of the WG, I don't see that in Virginie's
> comment, so could you please provide an example of what issue you believe
> should be brought to WebAppSec? Virginie's response correctly identified
> that UI is out of scope, and I'm not sure what you would want from WebAppSec
> to provide, other than "Yes, this is how the Internet works, ergo this is
> not a valid threat model".


Virginie noted it was out of scope for WebCrypto, but you noticed that the issue
is more suitable for discussion in WebAppSec
(https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721#c11). Thus, the issue is
something valid for discussion and possible future work. However, you already
noted that this is not how the Web itself is designed right now, as shown by the
current design of the Web Crypto API.



Received on Monday, 28 July 2014 20:01:23 UTC