Trusted Code for the Web
Existing security-related applications like authentication, payments, etc. are
all based on that a core-part is executed by statically installed software that
is supposed to be TRUSTED.
Since web-based applications are transiently downloaded, unsigned and come from
any number of more or less unknown sources, such applications are by definition
UNTRUSTED.
To compensate for this, web-based security applications currently rely on a
hodge-podge of non-standard methods [1] where trusted code resides (and
executes) somewhere outside of the actual web application.
However, because each browser-vendor have their own idea on what is secure and
useful [2], interoperability has proven to be a major hassle. In addition, the
ongoing quest for locking down browsers (in order to make them more secure),
tends to break applications after browser updates.
Although security applications are interesting, they haven't proved to be a driver.
Fortunately it has turned out that the desired capability ("Trusted Code"), is
also used by massively popular music streaming services, cloud-based storage systems,
on-line gaming sites and open source collaboration networks.
The goal for the proposed effort would be to define a vendor- and
device-neutral solution for dealing with trusted code on the Web.
*References**
*
1] An non-exhaustive list include:
- Custom protocol handlers. Primarily used on Android and iOS. GitHub also
uses it on Windows
- Local web services on 127.0.0.1. Used by lots of services, from Spotify to
digital signatures
- Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people
in Korea for PKI support but is now being deprecated
- Chrome native messaging. Fairly recent solution which enables Native <=> Web
communication
2] https://code.google.com/p/chromium/issues/detail?id=378566
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
