Re: Proposed API extension for Fido U2F devices

Hi Juan and everyone.

Smart Card support which is already a hardware standard and it is well known
what language it speaks (ISO7816) should be considered as an alternative to
new and yet to be common U2F hardware standard.

As you all know, smart cards are not only already a standard, they have sold in
the billions and cost as little as $0.60.

In addition, public key methods (without using PKI) are already well
supported with repurposed smart card security applets such as PKCS #15 that
can work with existing server infrastructure with very minimal change, to
enable, e.g., a mutually authenticated TLS connection with no need for
3-party PKI. We already have this working in Firefox where the smart card
is connected to the device in one of many possible ways.

Not to mention smart card applets are extensible to any future standard
such as the yet to be released NIST standards on derived credentials for
government use.

In addition smart cards are the only security hardware that have well
defined and well followed security certification across multiple industry
verticals.

It would be unproductive to consider hardware without smart cards as part
of it.

Dear Harry - What is the expected timing of considering hardware extension?
We will take ownership in writing an alternative to U2F that is smart card
based.

Best regards,
Siva
 On Feb 9, 2014 2:05 AM, "Harry Halpin" <hhalpin@w3.org> wrote:

>  On 02/04/2014 10:41 PM, Juan Lang wrote:
>
> Hi folks,
> I'm aware that hardware-backed keys are out of scope for the current round
> of WebCrypto work, so I don't expect this to be ready for standardization
> for some time. Nevertheless, I've got a proposed extension to WebCrypto to
> support Fido Alliance (fidoalliance.org) universal second factor (U2F)
> devices:
>
> https://docs.google.com/a/chromium.org/document/d/1EEFAMIYNqZ7XHCntghD9meJwKgNOX7ZN-jl5LJQxOVQ/edit#
>
>  I apologize that the proposal may lack some context, like, just what is
> a U2F device, and what language does it speak? I promise to update it with
> pointers to public docs once they are made public. In the meantime, I'll
> act as a poor substitute by answering questions myself, either in the doc
> or in email.
>
>  I'd appreciate any feedback you might have. Thanks very much,
>  --Juan
>
>
> I haven't had to look at this in detail, but upon first look it seems
> sensible. The general direction is one that the W3C is actively interested
> in. While this would be outside the current charter, we will re-charter the
> Working Group once the current version of WebCrypto (at earliest) has
> exited Last Call and working with FIDO Alliance would likely be mutually
> beneficial.
>
>     cheers,
>       harry
>
>

Received on Monday, 10 February 2014 08:23:48 UTC