> The "installation" security model of asking the user up-front to grant 
> trust just doesn't work because users don't understand the question, and 
> the "installation" security model of curating apps and trying to determine 
> by empirical examination whether an application is trustworthy or not just 
> doesn't scale.

Installing an application doesn't mean up-front grant of permissions. It merely 
means that we offer a way to get away from a mere "visit document" mode to a 
"run interactive applications" mode. In our Boot 2 Gecko implementation we use 
the fact that the user installed a web app as a general grant of some low-risk 
privileges such as "yep, you can use app cache and we won't bother you with 
quota dialogs". Beyond that, we use the regular web security model wherever 
possible (e.g. geolocation). The UX crowd seems to think that offering the 
ability to grant these permissions at install time as an option (opt-in) is 
good practice, so that's a good additional way to handle this. But the general 
principle is to stick with the web's pay-as-you-go model (doorhangers etc). I 
definitely agree with you that that's the better model.

As for using curation, I agree that it doesn't scale if all web content needs 
high risk privileges that rely on curation. In practice most web apps need 
minimal or no privileges that can be handled with the traditional model, and 
very few web apps rely on curation to get access to risky privileges.

Andreas

> 
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
> 
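As an added illustration of the model argued for above (not code from this thread, from Andreas, or from Boot 2 Gecko itself), here is a toy permission broker in JavaScript. It treats installation as a grant of a small low-risk baseline only, routes everything else through the web's pay-as-you-go prompt with an optional remembered answer, lets install-time opt-in pre-grant only prompt-tier privileges, and reserves the high-risk tier for apps that came through a curated channel, failing closed for anything unknown. The tier names, permission names, `install`/`request` API and the prompt callback shape are all assumptions for the example.

```javascript
// Added example, not B2G code. Three tiers of privilege (assumed names):
//   LOW     - granted silently by the act of installing the app
//   PROMPT  - regular web model: ask the user at use time (doorhanger)
//   CURATED - only for apps from a reviewed/curated channel; never prompted
const TIER = { LOW: "low", PROMPT: "prompt", CURATED: "curated" };

// Constructed classification table for the example.
const PERMISSION_TIER = {
  "app-cache-unlimited": TIER.LOW,
  "geolocation": TIER.PROMPT,
  "camera": TIER.PROMPT,
  "telephony": TIER.CURATED,
};

function key(origin, perm) {
  return `${origin}|${perm}`;
}

class PermissionBroker {
  // promptUser(origin, perm) -> { decision: "allow" | "deny", remember: boolean }
  constructor(promptUser) {
    this.promptUser = promptUser;
    this.apps = new Map();      // origin -> { installed, curated }
    this.decisions = new Map(); // remembered answers, keyed by origin|perm
  }

  // Installing an app records it and may pre-grant prompt-tier privileges the
  // user opted into at install time. Curated-tier privileges cannot be
  // pre-granted this way; they depend on the app's channel, not on a dialog.
  install(origin, { curated = false, optInGrants = [] } = {}) {
    this.apps.set(origin, { installed: true, curated });
    for (const perm of optInGrants) {
      if (PERMISSION_TIER[perm] === TIER.PROMPT) {
        this.decisions.set(key(origin, perm), "allow");
      }
    }
  }

  // Decide a privilege request for an origin. Unknown privileges fail closed.
  request(origin, perm) {
    const tier = PERMISSION_TIER[perm];
    if (tier === undefined) return "deny";
    const app = this.apps.get(origin) ?? { installed: false, curated: false };
    switch (tier) {
      case TIER.LOW:
        // Installed apps get it for free; plain web content goes through
        // the ordinary prompt (e.g. a quota dialog).
        return app.installed ? "allow" : this.askAndRemember(origin, perm);
      case TIER.PROMPT:
        return this.askAndRemember(origin, perm);
      case TIER.CURATED:
        // Never ask the user a question they cannot evaluate: allow only
        // when the app was curated, otherwise deny outright.
        return app.curated ? "allow" : "deny";
    }
    return "deny";
  }

  // Pay-as-you-go: reuse a remembered answer, otherwise show the doorhanger.
  askAndRemember(origin, perm) {
    const k = key(origin, perm);
    if (this.decisions.has(k)) return this.decisions.get(k);
    const { decision, remember } = this.promptUser(origin, perm);
    const normalized = decision === "allow" ? "allow" : "deny";
    if (remember) this.decisions.set(k, normalized);
    return normalized;
  }
}

// Runs a constructed scenario and returns how many prompts the user saw
// alongside each decision, so the flow can be checked without a UI.
function demo() {
  const prompts = [];
  const broker = new PermissionBroker((origin, perm) => {
    prompts.push(perm);
    return { decision: "allow", remember: perm === "geolocation" };
  });
  broker.install("https://maps.example", { optInGrants: ["camera", "telephony"] });
  broker.install("https://dialer.example", { curated: true });
  const results = {
    installedCache: broker.request("https://maps.example", "app-cache-unlimited"),
    optInCamera: broker.request("https://maps.example", "camera"),
    optInTelephony: broker.request("https://maps.example", "telephony"),
    geoFirst: broker.request("https://maps.example", "geolocation"),
    geoSecond: broker.request("https://maps.example", "geolocation"),
    curatedTelephony: broker.request("https://dialer.example", "telephony"),
    uninstalledCache: broker.request("https://news.example", "app-cache-unlimited"),
    unknown: broker.request("https://news.example", "bluetooth-raw"),
  };
  return { results, promptCount: prompts.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The scenario shows the split the reply describes: the installed app's app-cache grant and its opt-in camera grant cost no dialogs, geolocation is prompted once and then remembered, telephony is refused to the non-curated app even though it was listed at install time, and the uninstalled site still gets the ordinary prompt for cache quota.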
