- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 06 Nov 2014 14:53:31 +0100
- To: helpcrypto helpcrypto <helpcrypto@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
- CC: s2.verma@samsung.com, Virginie.Galindo@gemalto.com
On 2014-11-06 09:43, helpcrypto helpcrypto wrote:
> Hi
>
>
> Anders: as you seem to have the decisive voice in here, since our last talk, what has changed?

Hi helpcrypto,

I have no decisive power here, I only aired my opinion and have also tried (in vain so far...) making folks aware of the quite different projects that are on the table. Combining these projects is something I wouldn't do since for example ISO 7816 and the WebCrypto API have no clear relationship.

> As you know, I'm of the opinion that it is better to keep smartcards as secure elements where keys can be stored, than throwing all to the recycle bin.
> In our case we have a JavaCard, so we could even establish a mutual trust channel between server and card for the population process. Older cards are probably a bigger problem ;)
> It's true that PKI doesn't support "key usages for specific domains", something FIDO does. Does anyone know a way to implement this using traditional PKI?
>
> Can you imagine/describe a secure/valid scenario where smartcards are one possible secure keystore for a PKI cert, being possible to auth+sign documents using Javascript? (do it with all the effort/strength of your imagination!!!)

I'm probably not the right person to ask...since we IMO are still waiting for a credible write-up on how to use EMV-cards on the web which seems like a suitable task for the card industry.

It appears that Microsoft may be on to something that could be useful for you:
http://www.w3.org/2014/10/30-crypto-minutes.html

Cheers
Anders

>
> Sanjeev: AFAIK, the FIDO group is not open, nor open to community participation.
> IIRC, there was a possibility of loading a FIDO applet inside my Javacard+requesting a PIN to login, even a RAW/APDU spec.
>
> As FIDO is not PKI based, will that mean I have to dump what I already have? (millions of certs from different CAs used by millions of users to auth and sign documents?
>
> Actually we do this using an awful applet, and that's what we want to avoid.
>
>
> Perfect is the enemy of good. Perhaps we should reach an agreement-solution.
>
> PS: Virginie (): based on your experience, do people from the Webcrypto WG have anything to say related to this? I know smartcards were out of scope. Were the different viewpoints the reason? Do they 'like' the idea of including smartcards in the spec? Do manufacturers/providers/vendors/big actors have something to say? Is FIDO what they say?
>
>
> Regards
>
Received on Thursday, 6 November 2014 13:54:23 UTC