Ian wrote:

> There was some talk on the list a couple months ago about this -- not for
> file-transfer specifically,
> but the general idea of supporting custom certificates, or CAs in Cordova.

This came up yesterday in the office.

> I think that, after a number of emails, we concluded that for users who
> have legitimate custom certificate requirements, that there should be
> os-policy-level mechanisms for adding custom certs, and that the individual
> application was the wrong level to be managing them.

I made the opposite argument. Users will not be able to do anything useful with global stores. The result is that unrelated applications will still / misappropriate certificates.

Google is supporting zero trust:

http://www.scmagazine.com.au/News/367057,googles-plan-to-kill-the-corporate-network.aspx
http://www.darkreading.com/perimeter/forrester-pushes-zero-trust-model-for-se/227500145

While you might be OK with a prompt to enter an RSA token, you could easily not recognize that the requesting party shouldn't be given it.

Browser developers failed miserably the first time that client certificate UI was designed - neither the "automatic selection" nor the "prompt user for certificate" choices work safely.