On 2015-03-29 17:31, Siva Narendra wrote:
> Dead-end because the data used to arrive are myths and are grossly inaccurate.
> See my presentation from the workshop:
> http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/slides/hardwaretokens/tyfone.pdf
Hi Siva,

The "Box" as you express it would of course work; the problem is that each application would (in order to work in a similar fashion to HTTPS Client Cert Auth) need their own box. HTTPS Client Cert Auth does not expose any "Crypto API", Keys or UI to untrusted web-code and is therefore in my (recently revised) opinion the "right" approach.

Since we probably are not anywhere near ready for specifying the boxes (applications), I have put the boxes *outside* of the browser. The payment application shown in the writeup is such a box. This particular box should preferably be designed by payments specialists, which is yet another advantage with having the boxes on the outside: let each community define what they are best at.

The announced closing of W3C's SysApps without reaching REC is essentially saying the same thing: Putting sensitive system-level APIs in the Web is probably the "wrong" approach. It took thousands of hard-working hours by *very qualified engineers* to reach this conclusion, which says a thing or two about the complexity of these issues. We should IMO build on this experience and research!

Regards,
Anders