Re: Rationale? Re: General objection regarding Web NFC

On 2015-04-15 09:05, Kis, Zoltan wrote:
> Hi Anders,
>
> On Wed, Apr 15, 2015 at 6:10 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>     On 2015-04-14 13:41, Anders Rundgren wrote:
>
>         When I read issues like https://github.com/w3c/web-nfc/issues/16
>         I get the impression that you expect connecting clients to use Web-technology.
>
>         IMO, this assumption will severely limit the value of Web NFC.
>         The only "standard" that's really lacking, is a way for untrusted Web-pages to interact with connecting client devices.
>         http://ipt.intel.com/Home/How-it-works/network-security-identity-management/ipt-with-near-field-communications
>
>         How Web-based OSes expose NFC to the outer world should IMO be left to another forum to cater for including
>         security considerations.
>
>     Just in order to get this discussion in a better shape, would it be possible
>     to get a rationale for the fact that your work assumes that the connecting
>     client device is based on Web technology?
>
>
> We are using a web-specific NFC format because major browser makers wanted to avoid threats described in
> https://github.com/w3c/web-nfc/issues/2

Hi Zoltan,
I think you misunderstood me.

Since Android is not a "WebOS", the issue https://github.com/w3c/web-nfc/issues/16
doesn't apply to Android (or iOS or Windows), making the spec and scope hard to understand.

Best regards,
Anders


>
> But it is still NFC. Any native NFC app can read any web-NFC messages, and can forge web-NFC messages. So being web-NFC is hardly any limitation for native apps. The point is that untrusted web pages cannot write (destroy) tags if their origin is not allowed to. That, and other policies make it possible to access NFC from the web at all. Again, the use cases are described in
> http://w3c.github.io/web-nfc/use-cases.html
> and you are right, the payment related use cases need some updating.
>
> What you have been presenting is an interesting idea, but somewhat disconnected from the current focus. Nevertheless, let's open at least an issue about it in order to track it and get the opinion of major browser makers. I can create the issue. If there is interest, we can draft a report about this, and even better, as Wayne said, start a new CG about it - it is big.
>
> Best regards,
> Zoltan

Received on Wednesday, 15 April 2015 07:16:19 UTC