Hervé, There is no Web Security Principle maintained on a regular basis by W3C.
All security principles are relying on the Same Origin Policy defined by IETF https://tools.ietf.org/html/rfc6454, plus security behavior designed in the WebAppSec WG, to which the UA can be compliant or not http://www.w3.org/2011/webappsec/. The implementation of security in UA is left to the UA implementers and that is why in all W3C specification, you will find some security recommendations to the web app users, web app developers and UA implementers. UA implementers will find a message warning them that they have to implement things in a secure way, plus some obvious threats. Based on that, all the W3C specifications are taking the assumption that UA implementers are doing their best to deliver safe environments. Hope it helps, Virginie -----Original Message----- From: Herve SIBERT [mailto:herve.sib...@st.com] Sent: jeudi 12 mars 2015 08:07 To: Anders Rundgren; Harry Halpin; public-web-security@w3.org; public-webcrypto-comme...@w3.org Cc: GALINDO Virginie; Wendy Seltzer Subject: RE: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments Indeed, there seems to always be the assumption that the user-agent is secure and not compromised - and starting from that FIDO might be the cleanest possible design - but I don't see the perspective being on how to make internet usage more secure even if the user-agent is compromised, although there are technologies that will help if only they are brought to the open web. Is there a principle in W3C that states that the user-agent not being compromised is always the assumption? (maybe it's part of the "Web security principles"?) Cheers Hervé -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren....@gmail.com] Sent: jeudi 12 mars 2015 07:41 To: Harry Halpin; public-web-security@w3.org; public-webcrypto-comme...@w3.org Cc: GALINDO Virginie; Wendy Seltzer Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments Hi, Existing smart-card-using applications ranging from Windows login, SIM-cards in phones, EMV-cards in payment terminals, HTTPS Client Certificate Authentication in browsers, to the [now deprecated] custom signature browser-plugins, all share a common characteristic: The smart card is accessed by "Trusted Code" which also holds associated UI. Since the "Open Web" doesn't support this concept (transient web-code is by definition untrusted), it is not possible to continue without first having a firm plan on how to deal with "Trusted Code". Sincerely, Anders Rundgren Principal, WebPKI.org ________________________________ This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
