
[WebCrypto.Next] Rethinking the 7816/APDU SE interface

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 16 Oct 2014 06:21:36 +0200
Message-ID: <543F47D0.7090904@gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>

I have sort of "dissed" the idea of making a 7816/APDU-level SE-interface
for the web.  Still, Mozilla is building such a thing for Firefox OS.

After thinking a bit more on this, I believe we are both right!

Firefox OS is a "Web OS" and therefore everything is exposed through
web interfaces but that doesn't necessarily mean that the same methods
must be used in, for example, Android. In fact, probably all of the myriad of
payment apps available for Android are based on the native (Java) API.

AFAICT, the only applications that actually *need* to operate at the 7816/APDU-level
do it through NFC, which in turn can be driven by whatever the platform offers.

That the Google Wallet or Apple Pay would
   1. be rewritten as web apps
   2. be 100% portable and thus be distributed from a single source
is a cool idea but it won't happen for a bunch of reasons (even including aesthetics and branding),
and therefore there's no point *standardizing* a web-based 7816/APDU API.

No, we won't be able to make EMV payments on the traditional web but there's
no need for that either; the WebCrypto API (with proper backing) is entirely
sufficient and much better suited for web-payments than schemes that were
designed for local usage in specific certified payment terminals. Since the
WebCrypto API isn't really there yet, I suggest that we continue on that path
instead of trying to compete with something which is already working and
close to being established.

Cheers,
AndersR
Received on Thursday, 16 October 2014 04:22:11 UTC
