
Re: [WebCrypto.Next] Why there won't be support for smart cards

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 09 Nov 2014 18:38:06 +0100
Message-ID: <545FA67E.7080103@gmail.com>
To: Zijyfe Duufop <zdoofop@gmail.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>

On 2014-11-09 18:02, Zijyfe Duufop wrote:
> your claim about innovation is irrelevant because either one of the
> platform vendors will be available for developers or they will use
> other means of implementation.

Now we know your solution to the problem I first mentioned.
I.e. signed web apps.

My hesitation with this is why would you build such a thing
for Android or iOS that have much richer native environments?

> Remember, there is no perfect solution to any problem

I know, but smart cards were never designed for the web.


> On Sun, Nov 9, 2014 at 11:56 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>     This somewhat [thought]provoking subject-line has a simple explanation:
>     There is still no specification in spite of the topic being on the radar since years back.
>     It doesn't appear possible to create such a specification either:
>     Imagine calling a method that does something like P11's C_Sign, what's supposed to happen?
>     A browser-initiated dialog box saying: This application wants key XYZ to sign something but I don't know why and what, do you agree?
>     Would installed and signed web applications help here?
>     No, it would not because there is no obvious signer of such modules except the platform vendors which would severely impede innovation.
>     Leaving the trust decision to the user is not an option either; it would only open a floodgate to key-misusing malware.
>     Anders

Received on Sunday, 9 November 2014 17:38:35 UTC
