Re: Proposed API extension for Fido U2F devices

On 02/11/2014 05:32 PM, Siva Narendra wrote:
>
> Harry. Thank you for the clarification. We look forward to 
> participating if and when hardware becomes relevant.
>

To clarify for those on this list new to W3C mailing lists:

* public-webcrypto-comments@w3.org is for the general public and 
comments on the spec. Anyone can post.
* public-webcrypto@w3.org is for the Working Group working on the spec. 
Only Working Group members can post.

   cheers,
     harry

> Until then best wishes to the group for the current tasks at hand.
>
> Siva
>
> On Feb 11, 2014 8:28 AM, "Harry Halpin" <hhalpin@w3.org> wrote:
>
>     On 02/11/2014 04:37 PM, Siva Narendra wrote:
>>
>>     Anders & Co.  SIM cards are not the only secure element solution
>>     or form factor. There are microSD, USB,  Bluetooth interface form
>>     factors that are not locked by carriers and they are device
>>     agnostic. In fact some of them can be used across multiple
>>     devices. And Smart cards that run Java card OS can be used to
>>     load virtually any security applet.
>>
>>     There seem to be some preconceived notions of what smart cards
>>     are. I would request all of you to have an open mind based on the
>>     fact that smart card silicon is one of the only, if not the
>>     only, globally standard hardware that exists today that is
>>     certified by ISO, Global Platform and Common Compliance standards.
>>
>>     Let me reiterate - the proposal is not smart cards instead of
>>     other hardware. But rather the proposal is smart card be
>>     supported in this community if hardware is in scope.
>>
>>     Irrespective of W3C community support or not smart card interface
>>     to Webcrypto API will happen. There is a community of companies
>>     that will build it. We already are, based on work that was done
>>     with Firefox. It is really up to all of you to decide if W3C will
>>     take the dogmatic position of not supporting smart cards, which
>>     seems to be the prevailing position.
>>
>
>     The W3C is of course open to a smartcard interface and is *not*
>     against supporting smart cards in future versions or extensions to
>     Web Crypto - this work is only out of scope for the current
>     version. We fully expect this to be discussed also at the future
>     workshop I mentioned in Sept.
>
>     Anders is not an Invited Expert or a member of the Working Group
>     as well, so his emails are not representative of the WG. While
>     he sometimes makes contributions over the comment mailing list, he
>     also has made incorrect and provocative statements in the past.
>
>     The key is to discuss with the Working Groups, other vendors, and
>     help build critical mass. Thus, the key point is to build a draft
>     of those extensions of the API and convince vendors that this
>     should be implemented uniformly.
>
>        cheers,
>            harry
>
>
>>     On Feb 11, 2014 7:06 AM, "Anders Rundgren"
>>     <anders.rundgren.net@gmail.com> wrote:
>>
>>         http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0009.html
>>
>>         "The U2F use case is one specific use case which is bringing
>>         new features to the web crypto API. I do not see why the
>>         existence of the U2F would preclude the discussion related to
>>         the integration of hardware token (or any secure element) in
>>         the web crypto, for which we have imagined to have a workshop
>>         this year. Note that it is still on my side to propose a
>>         strawman proposal for the workshop"
>>
>>         Since SIM-cards are locked by operators there's little point
>>         with an SE interface to WebCrypto, it will most certainly go
>>         the same way the WAP/WSIM interface once did; in the toilet.
>>         As Ryan mentioned in
>>         http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>>         ISO 7816 is probably not the right technical foundation either.
>>
>>         If the operators (=the actual customers) and Gemalto still
>>         believe this is interesting it seems more logical running a
>>         combined standardization/open source effort together with them.
>>
>>         Related:
>>         http://letstalkpayments.com/google-says-goodbye-carrier-based-nfc-systems
>>
>>         Anders
>>
>

Received on Tuesday, 11 February 2014 16:36:39 UTC