Trusted Code for the Web

Existing security-related applications like authentication, payments, etc. are 
all based on a core part being executed by statically installed software that 
is supposed to be TRUSTED.

Since web-based applications are transiently downloaded, unsigned and come from 
any number of more or less known sources, such applications are by definition 
UNTRUSTED.

To compensate for this, web-based security-related applications currently rely 
on a hodge-podge of non-standard methods where trusted code is located 
somewhere outside of the actual web application.

Since each browser vendor has had its own idea of what is secure and useful, 
interoperability has proven to be a major hassle, including the fact that the 
quest for locking down browsers (in order to make them more secure) also tends 
to break applications after browser updates.

Although security-related applications are interesting, they haven't proved to be a 
driver. Fortunately, it has turned out that the desired capability ("Trusted 
Code") is also used by massively popular music streaming services, cloud-based 
storage services and open source collaboration networks.

The goal for the proposed effort would be to define a vendor- and 
device-neutral solution for dealing with trusted code on the Web.

-----

This proposal is also supposed to be a replacement for a possible "smart cards for 
the web" effort.
