GlobalPlatform / WebApis-for-SE

Open source APIs to access a Secure Element from a Web application
Apache License 2.0

Identifier needs to be trustworthy #34

Closed hchavers closed 8 years ago

hchavers commented 8 years ago

Comments from Trusted Computing Group - Item # 15

Section: 6.2 Client Application Identifier

Comment: Re “This identifier needs to be trustworthy so that only authorized applications may have a given identifier.”

Proposed Resolution: This sentence seems to be stating a relationship between “trustworthiness”, “authorization” and “identifiers”, but the relationship is not clear. “Trustworthy” is a characteristic usually associated with an actor, i.e. the actor can be trusted to exhibit proper behavior. But an identifier is an object; it doesn’t exhibit any behavior. And what is the significance of “only authorized applications”? Can unauthorized applications have a given identifier?

serianox commented 8 years ago

This sentence could be removed.

I assume it is a reference to the fact that DNS can easily be subverted e.g. in public Wi-Fi, and that origin alone should not be trusted, see RFC 6454 §8.1. This is already handled in §6.3 by relying on TLS.