
Re: Need for Smart Card support

From: Wan-Teh Chang <wtc@google.com>
Date: Mon, 11 Jun 2012 11:45:39 -0700
Message-ID: <CALTJjxGBWeNNx78H5BHz6FKUPXSAf7sKFsyAa2i-C-2VeTr7+Q@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: David Dahl <ddahl@mozilla.com>, Ali Asad <Asad.Ali@gemalto.com>, "James L. Davenport" <jdavenpo@mitre.org>, public-webcrypto@w3.org

On Fri, Jun 8, 2012 at 11:44 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
> I would prefer that, in our first draft, and consistent with the charter's
> goals, that any awareness of smart cards or secure elements be left out.
> Simply dealing in key IDs is, I believe, sufficient enough to support the
> core use cases and primary goals, and also gives implementors the
> flexibility to expose keys stored in secure elements in an
> implementation-independent way that is compatible with the core API.

+1. I also prefer this.

I've given this some thought over the weekend. The only problem I came
up with is the operations that do not take a key:
* hashing
* generating random bytes

Even for these two operations, I don't think we should burden a web
application with the selection of a crypto module to compute a hash or
generate random bytes. The browser should select the best crypto
module for these operations. Any "secure element" should be configured
either in the browser or in the OS to be used for their strengths
(either for strong physical protection of keys or true random number
generation).

Wan-Teh
Received on Monday, 11 June 2012 18:46:24 GMT