Re: Security standards for Mobile Device vs "PCs" from David Dahl on 2012-07-30 (public-webcrypto-comments@w3.org from July 2012)

From: David Dahl <ddahl@mozilla.com>
Date: Mon, 30 Jul 2012 10:00:56 -0700 (PDT)
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: public-webcrypto-comments@w3.org, Ryan Sleevi <sleevi@google.com>
Message-ID: <885193934.1534222.1343667656437.JavaMail.root@mozilla.com>
I think an psuedo-example of how this might work with the Web Crypto API is:

1. A page uses the Secure Element API to query for hardware devices
2. The script finds the SE to use, sets it as default for the current page
3. The Web Crypto API is employed for a crypto operation: the current default hardware module is used instead of the browser-supplied software, to create a signature, etc.

Again, this is just a stab in the dark at how these two APIs *might* work together.

Regards,

David

----- Original Message -----
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "David Dahl" <ddahl@mozilla.com>
Cc: public-webcrypto-comments@w3.org, "Ryan Sleevi" <sleevi@google.com>
Sent: Monday, July 30, 2012 11:45:50 AM
Subject: Re: Security standards for Mobile Device vs "PCs"

On 2012-07-30 18:08, David Dahl wrote:
> Anders:
> 
> Have you seen the draft charter for the SysApps WG?  http://www.w3.org/2012/05/sysapps-wg-charter.html

Thank you David!
I hadn't heard about one.  There's too much noise out there :-)

I also took a peek at Gemalto's API write-up.
Personally, I don't see that 7816 and APDUs have a mission to carry out on the web.

In fact, in my take on this topic there is no (web) API at all!

This will *very* interesting...

Cheers,
Anders


> 
> "Secure Elements API
> An API enabling the discovery, introspection, and interaction with hardware tokens (Secure Elements) that offer secure services such as tamper-proof storage, cryptographic operations, etc. Example: Gemalto Secure Elements."
> 
> This looks like it might be a nice complement to the web crypto API
> 
> Cheers,
> 
> david
> 
> ----- Original Message -----
> From: "Anders Rundgren" <anders.rundgren@telia.com>
> To: "Ryan Sleevi" <sleevi@google.com>
> Cc: public-webcrypto-comments@w3.org
> Sent: Monday, July 30, 2012 1:34:10 AM
> Subject: Re: Security standards for Mobile Device vs "PCs"
> 
> On 2012-07-29 09:59, Ryan Sleevi wrote:
>> Thank you for your feedback, Anders.
>>
>> I'm not sure I understand how this relates to the work of the Web
>> Cryptography Working Group. As has been mentioned before, smart card
>> provisioning is out of scope for the efforts of this working group.
>> While I realize you and others may have many thoughts to offer on the
>> matter, I think it is important for the continued progress of the
>> working group that we're able to focus our efforts on in-scope work.
>> For general comments about the future of (PKI, certificates, keys,
>> arbitrary crypto schemes), there may be other forums better suited for
>> such thoughts and ruminations.
> 
> Ryan,
> You should look at this as a comment from the outside.
> 
> The term "Smart Card" is misnomer.
> 
> *Nobody* is trying to make traditional smart cards usable in PCs.
> 
> *Everybody* is working with provisioning of embedded SEs including Google.
> 
> That's about it.  It might be a future step for Web Crypto or it might
> be something entirely different.
> 
> br
> ar
> 
>>
>> In addition, speculation about Apple's motives does not seem
>> appropriate, the least of all being that it's not at all an accurate
>> representation. Apple has made it very clearly publicly that they're
>> moving away from the CDSA and CSSM framework that underpinned the
>> TokenD effort (as well as underpinning their X.509 and PKI handling),
>> so naturally it means that every TokenD written is incompatible with
>> the new APIs (eg: Security Tranforms). This is not at all an issue
>> with "smart cards" vs "non-smart-cards", but instead simply a matter
>> of cryptographic APIs and the need to deprecate the legacy APIs.
>>
>> While feedback is very much welcome on the ongoing Editor's Drafts,
>> please do try to keep comments in scope, and please keep in mind that
>> there will be problems and use cases that we cannot and will not
>> address within the either the FPWD or within the first delivered
>> version of this API.
>>
>> Regards,
>> Ryan
>>
>> On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren
>> <anders.rundgren@telia.com> wrote:
>>> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms.
>>>
>>> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being piece of cake in mobile devices.
>>> What do I mean with unsolvable?  The ability to enroll credentials in smart card via a browser.  It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS!
>>>
>>> How come it is piece of cake in a mobile devices?  Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork.
>>> IMO this is the only way to make smart cards "first class citizens" in consumer computers.
>>>
>>> Web Crypto haven't taken a position on these issues in an attempt to keep neutrality.   Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience.
>>>
>>> http://news.cnet.com/8301-1023_3-57481166-93/oauth-2.0-leader-resigns-says-standard-is-bad
>>>
>>> Anders
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
> 
> 
>
Received on Monday, 30 July 2012 17:01:24 UTC