Closure of "SysApps" motivates rethink of "Smart Cards for the Web"

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 27 Mar 2015 06:49:21 +0100
Message-ID: <5514EF61.2010502@gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>

Apparently the W3C SysApps WG is closing without reaching the target of having two independent implementations.

I think this is yet another indication that putting feature-rich system-level APIs in the Web maybe isn't as workable as once thought. Some people claim that permissions are the solution, but I doubt that they have tried to visualize that on, for example, EMV payments: "merchant.com wants to access your smart card, do you agree?" would never pass EMV certification.

An obvious workaround is, instead of exposing sensitive low-level APIs to the Open Web, to define a generic solution for EXTERNAL, "web-callable", trusted, packaged, service-oriented subsystems which:
1) are not crippled by SOP
2) offer abstraction so that variances in low-level APIs and architectures don't bother web developers
3) provide UIs that match the specific use-case (service)
4) can be written by third parties
5) can be standardized when needed

The lack of a standard for this is recognized:
https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0155.html

A tel-con could be handy at this stage.

Anders
Received on Friday, 27 March 2015 05:49:52 UTC