W3C home > Mailing lists > Public > www-tag@w3.org > September 2015

Re: Same Origin Policy - Re: Agenda: <keygen> being destroyed when we need it

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 14 Sep 2015 12:19:54 -0400
To: www-tag@w3.org
Message-ID: <55F6F3AA.5020702@openlinksw.com>
On 9/14/15 10:11 AM, Alex Russell wrote:
> On Mon, Sep 14, 2015 at 6:59 AM, Kingsley Idehen
> <kidehen@openlinksw.com <mailto:kidehen@openlinksw.com>> wrote:
>
>     On 9/12/15 1:54 PM, Alex Russell wrote:
>     > But that's all indulgent thinking. JavaScript is a core part of the
>     > web stack today. We live in a world where it exists. We cannot
>     pretend
>     > it doesn't.
>
>     Anyone should still be able to use the Web modulo Javascript.
>
>
> We agree! I'm a massive supporter of the Progressive Enhancement
> approach to app/site construction.
>  
>
>     Javascript is simply a popular programming language, supported by
>     browsers. It isn't core Web Technology, as far as I understand what
>     constitutes core Web Technology:
>
>     1. URIs
>     2. HTTP
>     3. HTML -- this doesn't make Javascript core Web technology (IMHO).
>
>
> While this formulation might be useful in some circumstances, it
> doesn't really clarify anything here. The security model of the web is
> about what the full set of commonly supported tech (together) can
> accomplish and is about setting limits on that behavior. For the same
> reason that CSS needs to be factored into security/privacy
> considerations, so does JavaScript.
>

Yes, but there's a difference in scope. Javascript cannot define the
scope of security for the core Web Stack, so to speak. These items must
be compartmentalized. The Web's architecture has loose-coupling at its
core, so compartmentalization is vital.

"The security model of the Web" has to be a composite rather than a
compound. Currently, your Javascript view is treating the Web security
model as a compound rather than composite.

A user should have the ability to save crypto data to their local OS
hosted keystore if they choose. There are no virtues in restricting that
to local browser storage, solely, at this stage in the game (browsers
with host OS interaction is already a common usage pattern). None of the
main operating systems (desktop or mobile) allow interactions with their
respective keystores without OS level authentication challenges, by
default.


-- 
Regards,

Kingsley Idehen	      
Founder & CEO 
OpenLink Software     
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this


Received on Monday, 14 September 2015 16:20:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:12 UTC