
Re: [Web Crypto Next] Lets start discussing !

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 06 Nov 2014 14:53:31 +0100
Message-ID: <545B7D5B.1070402@gmail.com>
To: helpcrypto helpcrypto <helpcrypto@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
CC: s2.verma@samsung.com, Virginie.Galindo@gemalto.com
On 2014-11-06 09:43, helpcrypto helpcrypto wrote:
> Hi
>
>
> Anders: as you seem to have the decisive voice in here, since our last talk, what has changed?

Hi helpcrypto,

I have no decisive power here; I only aired my opinion and have also tried (in vain so far...) to make folks aware of the quite different projects that are on the table.
Combining these projects is something I wouldn't do, since for example ISO 7816 and the WebCrypto API have no clear relationship.


> As you know, I'm of the opinion that it is better to keep smartcards as secure elements where keys can be stored, than throwing all to the recycle bin.
> In our case we have a JavaCard, so we could even establish a mutual trust channel between server and card for the population process. Older cards are probably a bigger problem ;)
> It's true that PKI doesn't support "key usages for specific domains", something FIDO does. Does anyone know a way to implement this using traditional PKI?
>
> Can you imagine/describe a secure/valid scenario where smartcards are one possible secure keystore for a PKI cert, being possible to auth+sign documents using Javascript? (do it with all the effort/strength of your imagination!!!)

I'm probably not the right person to ask... since we IMO are still waiting for a credible write-up on how to use EMV cards on the web, which seems like a suitable task for the card industry.

It appears that Microsoft may be on to something that could be useful for you:
http://www.w3.org/2014/10/30-crypto-minutes.html

Cheers
Anders


>
> Sanjeev: AFAIK, the FIDO group is not open, nor open to community participation.
> IIRC, there was a possibility of loading a FIDO applet inside my Javacard+requesting a PIN to login, even a RAW/APDU spec.
>
> As FIDO is not PKI based, will that mean I have to dump what I already have? (millions of certs from different CAs used by millions of users to auth and sign documents?)
>
> Actually we do this using an awful applet, and that's what we want to avoid.
>
>
> Perfect is the enemy of good. Perhaps we should reach an agreement-solution.
>
> PS: Virginie: based on your experience, do people from the WebCrypto WG have anything to say related to this? I know smartcards were out of scope. Were the different viewpoints the reason? Do they 'like' the idea of including smartcards in the spec? Do manufacturers/providers/vendors/big actors have something to say? Is FIDO what they say?
>
>
> Regards
>
>
Received on Thursday, 6 November 2014 13:54:23 UTC
