- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 27 Feb 2014 18:30:20 +0100
- To: GALINDO Virginie <Virginie.GALINDO@gemalto.com>, Wonsuk Lee <wonsuk11.lee@samsung.com>, "public-sysapps@w3.org" <public-sysapps@w3.org>
On 2014-02-27 17:32, GALINDO Virginie wrote: > Anders, and all, > > Thanks for your take on the industry trends. > > Your idea to remove secure element from the charter is not supported by gemalto. > This gives me the opportunity to remind the people that security concerns raised by the parties were addressed in the recent draft (see http://opoto.github.io/secure-element/). We are expecting comments from the WG participants. This spec. targets a very low-level API which I doubt any of the big vendors would be interested in supporting. In addition the API's integration in the client platform is unspecified. > This is also a chance for me to inform the WG that discussions about integrating secure services provided by technologies like SE, TEE, TrsuZone, FIDO will be discussed this year in a W3C workshop, for which I have proposed a draft scope here : https://www.w3.org/2012/webcrypto/wiki/WG_Future_Work_hardware_token_workshop_2014 Unfortunately you cannot support all these things in a single standard unless the goal is creating a monster. U2F has two methods specified down to the bit-level. Anders > > > Regards, > Virginie > Gemalto > > Note : correction to few facts claimed below > - FIDO U2F javascript has been proposed to Web Crypto WG few weeks ago (FIDO Alliance is managing the complete solution of protocols, message format and APDU values, which can not be standardized in W3C, obviously) > - Web Crypto WG exists since 2 years (not 3) > > -----Original Message----- > From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] > Sent: jeudi 27 février 2014 17:15 > To: Wonsuk Lee; public-sysapps@w3.org > Subject: SE API. Re: Draft agenda for upcoming f2f meeting > > On 2014-02-27 13:11, Wonsuk Lee wrote: >> Hi. All. >> >> I made the draft agenda for upcoming f2f meeting as below. Please review this and share your opinions. > > Although I won't be able to attend the F2F I guess I can provide some feedback anyway? > IMO, the case for the original take on the SE API has been severely weakened due to the following: > - The security model has been found to be awkward by several reviewers. > - The payment industry have given up on SE solutions in general due to "unavailability" and Google's launch of HCE. > - Proprietary TrustZone-based security solutions where showcased everywhere on MobileWorldCongress 2014 including in shipping Samsung devices. > - Google's U2F and yours truly's SKS/KeyGen2 point in an entirely different SE direction where the web was designed-in from the beginning, using a fixed API as well a building on a security architecture. > > Although you are [all] free to disagree, my experiences with the TrustedComputingGroup as well as the recent introduction of U2F though FIFO alliance rather than W3C indicate that W3C may indeed standardize some kind of SE API one day but that will be a system that is already recognized as a de-facto standard. > In addition, 2-3 years of WebCryptoing haven't lead to any kind of SE interface proposal in spite of being requested by multiple parties. > > Based on these facts, I think this topic should be dropped from the charter and agenda. > There may be other venues which are more suited for this work as well. > > Sincerely > Anders Rundgren > > >> >> >> >> [1] https://www.w3.org/wiki/System_Applications:_4th_F2F_Meeting_Agenda >> >> >> >> Kr, Wonsuk. >> >> ========================================= >> >> *이 원 석(Wonsuk, Lee) / *Principal Engineer, Ph.D >> >> *SAMSUNG ELECTRONICS Co., LTD. (**三星電子)* >> >> Mobile: +82-10-5800-3997 >> >> E-mail: wonsuk11.lee@samsung.com <mailto:wonsuk11.lee@samsung.com> >> >> http://www.wonsuk73.com/, twitter: @wonsuk73 >> >> ----------------------------------------- >> >> *Inspire the World, Create the Future !!!* >> >> ========================================= >> >> >> > > > > This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus >
Received on Thursday, 27 February 2014 17:30:53 UTC