W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Crypto HW Requirements (why it is out of scope)

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Wed, 23 Nov 2011 07:02:05 +0100
Message-ID: <4ECC8C5D.5080400@telia.com>
To: "public-identity@w3.org" <public-identity@w3.org>
The main point with crypto hardware is strong protection of secret/private keys, right?

If an API doesn't make it possible to distinguish if keys are created in crypto hardware
or are stored in a file on the harddisk, such an API seems fairly useless from an issuer
perspective.

I'm pretty sure that this is addressed in the Google Wallet but this scheme is currently
secret so I don't see how we (at this stage) could even have a meaningful dialog
about methods and requirements regarding schemes for supporting crypto hardware.

Microsoft has also publicly demonstrated Win8/TPM and U-Prove/smart card schemes
without disclosing any details on how keys are provisioned.

Trying to create related standards under these circumstances is IMHO simply put silly.

I don't consider my own effort in this space a "standardization effort" since it doesn't
build on existing crypto hardware or software standards.  I don't believe the latter is
even workable as a starting point for both political and technical reasons.

Anders
Received on Wednesday, 23 November 2011 06:02:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 23 November 2011 06:02:42 GMT