- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 05 Dec 2014 16:26:01 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: Kingsley Idehen <kidehen@openlinksw.com>, Web Payments <public-webpayments@w3.org>
On 2014-12-05 15:48, Melvin Carvalho wrote:
<snip>
> There are two issues which currently are not addressed.
>
> 1. This storage is usually not comparable in robustness to the
> HW-based solutions. Or to be fully correct this is outside of
> the WebCrypto spec which is a problem in itself.
>
> However, the biggest hurdle is that such data is governed by SOP
> which of course is fine from a security and privacy point of view
> but is at odds with payment systems. Well, the WebPayment CG has
> a method for "neutralizing" SOP but I feel uneasy about it since
> it appears to be very complex. Somebody ought to spend a bit more
> time on this spec.
>
> Are you saying that all key material is governed by same origin policy?

Yes.

> So what's the difference between this and just using localStorage?

The biggest difference is that key-pairs are generated inside of the UA (or
something the UA uses), which means that private keys are never exposed to
the web-code. This is great but maybe a little bit less significant if the
keys can anyway only be used by a single domain.

> Sounds like a bit of a train smash, if so, for web payments and the
> decentralized social web in general. Are there any ways round it?

Yes, the WebPayment CG has a workaround which I don't understand :-(
https://web-payments.org/specs/source/web-commerce-api/

This thing ("breaking away from SOP") is currently my only line of work.
WebCrypto++ is an example. I'm currently considering a revision that would
combine it with SysApps since the latter seems to be running out of gas due
to Google's exodus, but I have no idea how this will go.

Touching the web security / privacy architecture is not an easy task no
matter what perspective you have...

Anders

> Seen from that perspective the web is effectively going *backwards* while
> the App-environment is security-wise getting stronger and stronger, with
> Apple Pay as a recent example.
>
> Apple Pay treats the device as the user-agent. Apple understands the
> importance of the host operating system i.e., that browser based
> user-agents != only kind of user agent.
>
> The Web is not about one kind of user agent, far from it, as mobile
> platforms continue to demonstrate.
>
> Sure.
>
> In theory the WebCrypto.Next project could address this "deficit" but
> I have to date not seen anything that has even the slightest chance of
> getting adoption.
>
> There is more than one kind of user-agent that can operate on the World
> Wide Web or any other HTTP based network. Web Browsers are overrated, if
> you ask me :)
>
> If you take out the browser from the equation life gets much simpler but I
> don't want to do that unless I have to.
>
> Anders
>
> Kingsley
>
> Anders
>
> I do know of the Architecture of the World Wide Web (AWWW) which covers
> the key components for building a Web-like abstraction atop the
> Internet, comprised of:
>
> 1. URIs -- for denotation
> 2. HTTP URIs -- for implicit denotation and identification (courtesy of
> implicit Name->Address indirection for URI meaning interpretation)
> 3. HTML - language and notation combo for describing and representing
> documents
> 4. RDF - language for representing entity relations using a variety of
> loosely-coupled notations.
>
> 1-4 are the basis of the Web as we know it.
>
> #4 in regards to the "RDF" moniker is just a formalization (by the W3C)
> of what was always intrinsic to the Web's original design [1][2].
>
> Being "Standard Web Technology" based (as I understand it) is a little
> different from how you continue to frame this matter.
>
> Links:
>
> [1] http://bit.ly/evidence-that-the-world-wide-web-was-based-on-linked-data-from-inception
> [2] http://bit.ly/world-wide-web-25-years-later
> [3] http://www.openlinksw.com/data/turtle/general/GlossaryOfTerms.ttl -- Glossary of Terms
Received on Friday, 5 December 2014 15:26:32 UTC