- From: Wonsuk Lee <wonsuk11.lee@samsung.com>
- Date: Tue, 02 Jul 2013 20:09:20 +0900
- To: 'Anders Rundgren' <anders.rundgren@telia.com>
- Cc: 'sysapps' <public-sysapps@w3.org>
Hi. Anders. Thanks for your input. > -----Original Message----- > From: Anders Rundgren [mailto:anders.rundgren@telia.com] > Sent: Tuesday, July 02, 2013 3:38 PM > To: sysapps > Subject: Why the Security Element API should be shelved > > http://www.fidoalliance.org/faqs.html > > The FIDO authentication protocol needs to be part of a standardized, > interoperable ecosystem to be successful. Building this ecosystem requires > the active commitment of everybody from hardware chipset vendors, to the > manufacturers of back-end server systems. Coordination across the > divergent interests of these players is a complex affair, and one that > current technical standards bodies are not well suited to handle. > > The FIDO Alliance will refine the protocol, and monitor the extensions > required to meet market needs and to make the protocol robust and mature. > Implementation will not be undertaken by the FIDO Alliance. The mature > protocol will be presented to the IETF, W3C or similar body after which it > will be open to all industry players to implement. > > ------------------- > > IMO, the very same considerations apply to a Security Element API. > The current W3C input document does not come with a description of what > the anticipated applications are which makes standardization of a possible > Security Element API a true guesswork (t appears to be an opaque protocol > which by definition is "universal" but that's hardly going to make it > particularly interoperable). Do you mean secure element API? It's a little bit confusing to me because you said as security element API ;) Secure Element API is phase 2 items in our WG. So that's why we don't discuss actively for this so far. I agreed we need to make a standards based on use cases. It's quite important and we will do that in the WG. For current input doc, it is just input doc. In general some part of input doc would be helpful to us, but some part of this maybe not. > The lack of a discussion around these issues is also an indication that > something is missing from the plot. It might be "interest", but it may > also be "openness". > In fact, just getting the datasheet for most Security Elements including > the one embedded in many high-end Android phones requires a signed NDA! Typically W3C API is high level APIs because it should be interoperable among all of platforms. So I don't think we need NDA consideration. > True standardization is probably at least 5 years down the road and there > will be multiple and competing standards as well. > FIDO Alliance will presumably provide one of the candidates although > standardization at this stage will essentially be a formality. We can start with small set of APIs for essential feature of this and then we can continuously extend the coverage based on additional use cases. It's quite general approach in W3C. > Don't get me wrong; standardization is great but some targets aren't > suited for standardization. That's ture. But I don't think secure element is part of that category. Kr, Wonsuk. > Anders
Received on Tuesday, 2 July 2013 11:09:55 UTC