Re: Security standards for Mobile Device vs "PCs"

Anders:

Have you seen the draft charter for the SysApps WG?  http://www.w3.org/2012/05/sysapps-wg-charter.html

"Secure Elements API
An API enabling the discovery, introspection, and interaction with hardware tokens (Secure Elements) that offer secure services such as tamper-proof storage, cryptographic operations, etc. Example: Gemalto Secure Elements."

This looks like it might be a nice complement to the web crypto API

Cheers,

david

----- Original Message -----
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Ryan Sleevi" <sleevi@google.com>
Cc: public-webcrypto-comments@w3.org
Sent: Monday, July 30, 2012 1:34:10 AM
Subject: Re: Security standards for Mobile Device vs "PCs"

On 2012-07-29 09:59, Ryan Sleevi wrote:
> Thank you for your feedback, Anders.
> 
> I'm not sure I understand how this relates to the work of the Web
> Cryptography Working Group. As has been mentioned before, smart card
> provisioning is out of scope for the efforts of this working group.
> While I realize you and others may have many thoughts to offer on the
> matter, I think it is important for the continued progress of the
> working group that we're able to focus our efforts on in-scope work.
> For general comments about the future of (PKI, certificates, keys,
> arbitrary crypto schemes), there may be other forums better suited for
> such thoughts and ruminations.

Ryan,
You should look at this as a comment from the outside.

The term "Smart Card" is misnomer.

*Nobody* is trying to make traditional smart cards usable in PCs.

*Everybody* is working with provisioning of embedded SEs including Google.

That's about it.  It might be a future step for Web Crypto or it might
be something entirely different.

br
ar

> 
> In addition, speculation about Apple's motives does not seem
> appropriate, the least of all being that it's not at all an accurate
> representation. Apple has made it very clearly publicly that they're
> moving away from the CDSA and CSSM framework that underpinned the
> TokenD effort (as well as underpinning their X.509 and PKI handling),
> so naturally it means that every TokenD written is incompatible with
> the new APIs (eg: Security Tranforms). This is not at all an issue
> with "smart cards" vs "non-smart-cards", but instead simply a matter
> of cryptographic APIs and the need to deprecate the legacy APIs.
> 
> While feedback is very much welcome on the ongoing Editor's Drafts,
> please do try to keep comments in scope, and please keep in mind that
> there will be problems and use cases that we cannot and will not
> address within the either the FPWD or within the first delivered
> version of this API.
> 
> Regards,
> Ryan
> 
> On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren
> <anders.rundgren@telia.com> wrote:
>> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms.
>>
>> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being piece of cake in mobile devices.
>> What do I mean with unsolvable?  The ability to enroll credentials in smart card via a browser.  It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS!
>>
>> How come it is piece of cake in a mobile devices?  Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork.
>> IMO this is the only way to make smart cards "first class citizens" in consumer computers.
>>
>> Web Crypto haven't taken a position on these issues in an attempt to keep neutrality.   Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience.
>>
>> http://news.cnet.com/8301-1023_3-57481166-93/oauth-2.0-leader-resigns-says-standard-is-bad
>>
>> Anders
>>
>>
>>
>>
>>
>>
> 
>

Received on Monday, 30 July 2012 16:09:20 UTC