On Thursday, September 11, 2014 12:55:58 AM UTC+2, Jonas Sicking wrote: > On Wed, Sep 10, 2014 at 12:16 PM, Ben Francis <[email protected]> wrote: > > It seems that the W3C proposal is incompatible with arguably the main use > > case of packaged apps in Firefox OS, which is the cryptographic signing of > > source code by a trusted party. > > There are quite a few use cases that the W3C proposal is incompatible > with. I'm currently working with various people to try to make the > "!//" a reality, but since it's a change in how URLs, i.e. a change in > one of the fundamental building blocks of the web, it's a change > that's taking quite some time and quite some convincing. > > So so far I wouldn't count out "!//" as a contender for the final > standardized solution. But of course it's also not certain that it > will work. > > I'd rather not bring this proposal to W3C or IETF yet without working > through it with various stake holders to make sure that we iron out > more issues, as well as more thoroughly evaluate more alternatives. > > / Jonas
There is a huge set of "security-sensitive" applications that IMO should use an entirely different trust-model but they could probably use the same package format. In spite of relying on signed packages this model would NOT require any user interaction (due to the package NB...), because it is the RESOURCE they refer to that authenticates the package: https://mobilepki.org/WebCryptoPlusPlus The described scheme requires substantial upgrades to the OS and browser but this is anyway required by related stuff like: http://defensesystems.com/articles/2014/11/10/comment-can-derived-credentials-replace-cacs.aspx Firefox OS cannot (AFAICT) enroll two-factor authentication credentials which is a prerequisite for virtualization of PIV/CAC/eID/EMV etc. AndersR _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
