W3C home > Mailing lists > Public > public-identity@w3.org > November 2011

Re: The "korean bank" use-case

From: Ron Garret <ron@flownet.com>
Date: Sun, 27 Nov 2011 10:44:50 -0800
Cc: "public-identity@w3.org" <public-identity@w3.org>
Message-Id: <BFE8C8A1-9F87-41CB-B137-63D9E2BFE9FF@flownet.com>
To: Anders Rundgren <anders.rundgren@telia.com>

On Nov 27, 2011, at 9:52 AM, Anders Rundgren wrote:

> On 2011-11-27 17:31, Ron Garret wrote:
> <snip>
> 
>>> I.e. my quest for a simpler "web token" is a more realistic take on this topic in spite of
>>> the fact that you need new hardware.
>> 
>> Why do you think you need new hardware?  There are existing hardware solutions that are simpler than full-blown smart cards:
>> 
>> https://www.swekey.com/
>> http://www.safenet-inc.com/products/data-protection/two-factor-authentication/certificate-based-pki-usb-authenticators/
>> http://www.cryptomate.com/
> 
> These are good "solutions" but are unsuitable as foundations for standards.

That depends on what you mean by being a foundation for a standard.  But I don't want to quibble over terminology, I'm just pointing these things out so we can make sure we're all on the same page about what is the current state of the art.

> If we take the eToken for example, it has existed for a decade but it cannot
> be provisioned from a browser.

Why not?  Is there something inherent in the design of the eToken that makes this fundamentally impossible, or is this merely a missing feature in current browsers?  And if it's the latter, isn't that exactly (part of) the problem we're supposed to be here to solve?

> A system that is supposed to be browser-friendly must IMHO support browser provisioning.

Swekey can be provisioned within a browser.  I'm not advocating swekey; I think it has other problems.  I'm just pointing to it as an existence proof that provisioning at least one kind of secure token within a browser is currently possible.

> I believe that requires hardware that is designed for this use-case.
> Progress is zero in this space.  Only dedicated stuff like the Google
> Wallet seems to work.  Maybe the fact that Google intends to make money
> on the Wallet is the differentiating factor :-)

Just because progress is zero doesn't mean it has to remain zero.  If "progress has been zero" necessarily entailed "progress will continue to be zero" nothing new would ever get done.

Nowadays it is possible to prototype hardware almost as easily as software.  Designing a simple spec and building, say, an arduino-based reference implementation of that spec is something that could conceivably be done by this WG.  Having a spec and a reference implementation might be enough for some scrappy startup to decide to turn that spec and reference implementation into a business.

Once again, I'm not necessarily advocating this course of action.  I'm just saying it should not be ruled out a priori.

rg
Received on Sunday, 27 November 2011 18:45:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 27 November 2011 18:45:26 GMT