Re: google proposing to deprecate KEYGEN

My email was a slightly facetious poke at Anders' assertion that developing
for the Web is a pointless exercise because everything will eventually be
done in apps. Nonetheless it's worth a conversation.



> What is not clear to me from these statistics is if these count web apps
> as apps.
> These are standards developed by the W3C
>   http://www.w3.org/2008/webapps/
>
>
I assume that any activity done via a Web browser is not considered use of
apps.


> I suppose the tricky bit for apps is that as far as authentication goes
> there are always two players: the (web)App and the user. As (web)Apps get
> more complex they are usually written by a specific group of people that
> need to be trusted (and that mostly do not deserve as much trust as they
> ask for IMHO). In each case the Apps are run inside a sandboxed
> environment:
>
>  - in the case of Mobile Apps the environment is the OS:
>    + For OSX apps you have to trust the OSX review process and their
>      sandboxing system
>    + I am not sure how much review the Android apps get, and I am not sure
>      how much remains of the JAVA security framework that would allow
>      rights to be given per application by a user
>  - in the case of Web apps the environment is the browser
>
> It should not be surprising that these two will converge, as it was always
> the intent of Netscape to replace the OS with the web.
>

I think the challenge here is that it is near impossible today to establish
trust of an app on the Web because you have no guarantee that the code of
that app will not change. In contrast, if you download a native app you are
trusting that particular release.

There is work going on in the W3C WebAppSec WG, as far as I know, to
establish a mechanism for verifying resources (including scripts) by a hash
of their content, so one can, to some extent, start to establish trust
systems in the browser that are based on specific code, not just a blanket
trust of a publisher.

>
> For WebApp development currently the identity seems to be given by the
> Origin, which sadly confuses the web site publishing the code and the
> author of the code.
>

+1 - this is a major drawback of the Web platform vs. the app in the app
store, which has gone through some kind of review and whose publisher is
known.


> As a result the server owner needs a top level domain per code author if
> he is not to confuse all the different authors of the different apps with
> each other, and therefore give rights to the least trustworthy app that he
> only wanted to give to the most trustworthy ones.
>

+1 - How is this dealt with in WebApps (if at all)? I don't know the WebApp
standard very well at all.

>
> But an end user cannot know about this policy as it will differ across web
> sites (and the browser vendors are trying to even hide that information by
> removing URL bars!). So as a result security on the web seems currently
> very problematic to me.
>

Is the "green address bar" really adding any value? It seems to me to be
mostly just a way to earn more money for CAs.


>
> Projects such as http://cowl.ws/ seem to want to provide some answers,
> but I am not sure if they are being adopted.
>
Looks very interesting!


>
> On 4 August 2015 at 09:18, Anders Rundgren <anders.rundgren.net@gmail.com>
> wrote:
>
>> On 2015-08-04 08:01, Henry Story wrote:
>>
>>> On 30 Jul 2015, at 16:44, Anders Rundgren <anders.rundgren.net@gmail.com>
>>> wrote:
>>>
>>>> On 2015-07-30 16:32, Melvin Carvalho wrote:
>>>>
>>>>> :(
>>>>>
>>>>> https://groups.google.com/forum/#!msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ
>>>>>
>>>>
>>>> Since none of the big users of client-side PKI have ever bothered with
>>>> this crap it won't be missed. This signifies the (expected) end of
>>>> WebID-TLS as well.
>>>>
>>>
>>> Not quite, as it depends on what happens in the TLS 3.0 group. But
>>> WebID-TLS can still work very well for server to server communication.
>>> It seems that in any case that is what is going to have to happen, as
>>> browser vendors seem to have lost their marbles somewhere along the way
>>> from Netscape to here.
>>>
>>
>> The browser folks have lost the war against "Apps". They don't realize
>> (or acknowledge) the obvious either: By bridging the Web and App worlds
>> you could COMBINE the power of BOTH worlds.
>>
>> The Web advocates are rather betting on that Apps is a fad, completely
>> ignoring the fact that Google, Apple, and Microsoft are putting giant
>> resources into their App platforms.
>>
>> Anders
>>
>>> Henry
>>>
>>>> Anders
>>>>

Received on Tuesday, 4 August 2015 10:06:14 UTC