[whatwg] Proposal for secure key-value data stores
Aryeh Gregor
Simetrical+w3c at gmail.com
Wed Dec 1 11:43:29 PST 2010

On Tue, Nov 30, 2010 at 6:15 PM, Ian Hickson <ian at hixie.ch> wrote:
> It cannot, and should not. It's a user concern. If as a user I want all
> data that you send me to be printed unencrypted and dropped out of my
> office window for anyone to read, then I should be allowed to do that. :-)

It's legitimate for an organization to require people to handle data
in a certain way if they want web access to it. For instance, a
company could reasonably require that if users want to work from home,
they have to obey certain security practices to avoid leaking private
data -- e.g., information about the company's clients or users that
might be protected by privacy laws or company privacy policies. This
might include using full-disk encryption to prevent physical theft, as
well as other measures.

However, as with DRM, I don't think such requirements can be checked
in a standard way. If it's openly specified, users can evade it
easily -- it only takes one person to write a browser extension to
disable the check for everyone's workplace. Barring a
down-to-the-metal chain of trust, you can never avoid this completely,
but it's a lot harder to break an obfuscated company-specific binary
blob than something standardized. So I think non-standard programs
(plus perhaps physical inspection) will remain the only way to even
attempt this kind of checking.