- From: Mike West <mkwst@google.com>
- Date: Thu, 6 Nov 2014 15:56:03 +0100
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Cc: chairs@w3.org, Wendy Seltzer <wseltzer@w3.org>, Harry Halpin <hhalpin@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <CAKXHy=fqcALf6pPHG0GMxdr_4C7M5KXAHQr5gsgH+aLoRo3y0g@mail.gmail.com>
Regarding the definitional question, https://w3c.github.io/webappsec/specs/mixedcontent/#powerful-features attempts to formalize the constraints, based mostly on what Chrome has implemented for Service Workers.

-mike (from a phone; terribly sorry for top-posting)

On Nov 6, 2014 3:37 PM, "GALINDO Virginie" <Virginie.Galindo@gemalto.com> wrote:

> Hello TAG (and W3C chairs, copied),
>
> I am contacting you as chair of the Web Crypto WG.
>
> Last week in TPAC, we have been addressing the question whether the Web Crypto API should be usable only with secure origin [1]. We have been encountering several problems while discussing, which were:
>
> - Does the TAG recommend a specific strategy (I heard from informal discussion with Mark Nottingham no, I heard from Alex Russell, yes)?
> - Does the W3C have a common definition of what is secure origin?
> - Is there any possible granularity to require secure origin (e.g. use secure origin only for a specific feature in a specification, whose usage is particularly sensitive)?
> - What is the feedback from service providers on secure origin (we heard about Netflix, but what about the others)?
> - Is there any easy migration path for W3C (and browser makers) to issue specifications without requiring secure origin, and later move to mandating it?
>
> FYI, in the end, we concluded that, given the number of questions, given the low interest of the browser makers in the room to support secure origin, and the fact that the web crypto is about to move to CR, we would not mandate the secure origin in the Web Crypto API.
>
> I believe that those questions could apply to any new sensitive feature currently under development in W3C. Without asking the TAG to solve all the secure origin related bugs raised in github/tracker/bugzilla W3C WG, I think that it would be highly productive if the TAG could centralize and publish information helping to solve the questions above. This would help all W3C WGs to take the decision to endorse or not secure origin, based on a common level of understanding of what it is.
>
> Do you think this would be feasible in the short term?
>
> (I let other chairs confirm whether or not they need such a common framework.)
>
> Regards,
>
> Virginie
>
> Chair of web crypto WG
>
> [1] Web Crypto WG minutes, see discussion related to bug 25972
> http://www.w3.org/2014/10/30-crypto-minutes.html#item04
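The thread asks whether W3C has a common definition of "secure origin" and whether a single sensitive feature can be gated on it. The following is an added illustration, not code from either correspondent or from the mixed-content draft Mike links; it encodes the classification that draft's "potentially secure origin" rules are commonly understood to express (https and wss schemes, file URLs, and loopback hosts are treated as secure, everything else is not) and shows how a library could gate one feature on that check. The host list and the `.localhost` suffix rule are assumptions of this example, and `gateFeature` and `classifyOrigins` are hypothetical helpers.

```javascript
// Added example: classify origins as "potentially secure" and gate a single
// feature on the result. Rules assumed here, modelled on the mixed-content
// draft's "powerful features" section: https:/wss: schemes, file: URLs, and
// loopback hosts (localhost, *.localhost, 127.0.0.1, [::1]) are secure;
// http:, ws:, about:, data: and unparseable/opaque origins are not.
const SECURE_SCHEMES = new Set(['https:', 'wss:']);
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function isPotentiallySecureOrigin(originOrUrl) {
  let url;
  try {
    url = new URL(originOrUrl);
  } catch (e) {
    // Unparseable input (opaque origin, garbage): fail closed.
    return false;
  }
  if (SECURE_SCHEMES.has(url.protocol) || url.protocol === 'file:') {
    return true;
  }
  // Loopback is trusted regardless of scheme so local development keeps working.
  const host = url.hostname.toLowerCase();
  if (LOOPBACK_HOSTS.has(host) || host.endsWith('.localhost')) {
    return true;
  }
  return false;
}

// Gate one feature (the "granularity" question from the thread): when
// requireSecure is set, the feature is only exposed on a secure origin.
// Returns the feature object on success, or null when access is refused.
function gateFeature(origin, feature, options) {
  const requireSecure = options && options.requireSecure;
  if (!requireSecure) return feature;
  return isPotentiallySecureOrigin(origin) ? feature : null;
}

// Audit helper: map a list of origins to their classification.
function classifyOrigins(origins) {
  const result = {};
  for (const o of origins) {
    result[o] = isPotentiallySecureOrigin(o);
  }
  return result;
}

// Constructed sample input for a stand-alone run.
const SAMPLE_ORIGINS = [
  'https://example.com',
  'http://example.com',
  'http://localhost:8080/app',
  'wss://chat.example.org',
  'file:///home/user/index.html',
  'http://[::1]/',
  'about:blank',
  'not a url',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyOrigins(SAMPLE_ORIGINS));
  const fakeSubtle = { name: 'subtle' }; // stand-in for a sensitive feature
  console.log(gateFeature('http://example.com', fakeSubtle, { requireSecure: true }));
  console.log(gateFeature('https://example.com', fakeSubtle, { requireSecure: true }));
}
```

The "migration path" question in the thread maps onto the `requireSecure` switch: a specification can ship with the gate off and flip it on later without changing the classification logic, and an audit of an existing deployment's origins with `classifyOrigins` shows in advance which callers would lose the feature when the gate is enabled.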
Received on Thursday, 6 November 2014 14:56:33 UTC