On 2015-03-19 19:15, John Bradley wrote:
It sounds like WebCrypto or something more related to it. http://www.w3.org/2012/webcrypto/
I would rather characterize this as the opposite of WebCrypto since the referred schemes all are based on the idea that "The Web is not enough". That is, the Web needs (as proven any number of times) to be extended with its more powerful native/platform companion for a lot of reasons including access to platform-resident keys as well as breaking away from the crippling SOP notion.

The W3C does not appear to be a suitable home for such an effort; they rather prefer continuing the so far pretty unsuccessful efforts DUPLICATING the native level into the Web [1], instead of recognizing the power of COMBINING these worlds.

Cheers,
Anders

1] https://lists.w3.org/Archives/Public/public-sysapps/2014Dec/0000.html

On Mar 19, 2015, at 3:05 PM, Jim Schaad <[email protected]> wrote:

To me this sounds more like a W3C activity than an IETF activity.

Jim

From: jose [mailto:[email protected]] On Behalf Of Anders Rundgren
Sent: Wednesday, March 18, 2015 10:41 PM
To: [email protected]
Subject: [jose] Charter Proposal: "Trusted Code" for the Web

Trusted Code for the Web

Existing security-related applications like authentication, payments, etc. are all based on the idea that a core part is executed by statically installed software that is supposed to be TRUSTED.

Since web-based applications are transiently downloaded, unsigned and come from any number of more or less unknown sources, such applications are by definition UNTRUSTED.

To compensate for this, web-based security applications currently rely on a hodge-podge of non-standard methods [1] where trusted code resides (and executes) somewhere outside of the actual web application.

However, because each browser vendor has its own idea of what is secure and useful [2], interoperability has proven to be a major hassle. In addition, the ongoing quest for locking down browsers (in order to make them more secure) tends to break applications after browser updates.

Although security applications are interesting, they haven't proved to be a driver. Fortunately it has turned out that the desired capability ("Trusted Code") is also used by massively popular music streaming services, cloud-based storage systems, on-line gaming sites and open source collaboration networks.

The goal for the proposed effort would be to define a vendor- and device-neutral solution for dealing with trusted code on the Web.

References

1] A non-exhaustive list includes:
- Custom protocol handlers. Primarily used on Android and iOS. GitHub also uses it on Windows
- Local web services on 127.0.0.1. Used by lots of services, from Spotify to digital signatures
- Browser plugins like NPAPI/ActiveX. Used (for example) by millions of people in Korea for PKI support but is now being deprecated
- Chrome native messaging. Fairly recent solution which enables Native <=> Web communication

2] https://code.google.com/p/chromium/issues/detail?id=378566

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
