- From: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
- Date: Sun, 11 Dec 2011 18:20:38 +0100
- To: "hhalpin@w3.org" <hhalpin@w3.org>, "public-identity@w3.org" <public-identity@w3.org>
Dear all, you will find here my comments on the current version of the Web Crypto API Scope.

- On the primary features I feel quite comfortable with the existing list.

- Nevertheless I cannot imagine that the charter is classifying the multiple key container configuration as a secondary feature. Mobiles do have multiple secure storages today (UICC, plus SD, plus sometimes Trusted Execution Environment or MTM, plus local mobile memory); PCs do have multiple storages today (TPM, plus smart card, plus local PC memory). In June 2013 this will be a common configuration. How will the browser monitor the location of the credentials? If this WG is only envisaging the storage of credentials in a local memory of the device, then I don't see where the security improvement is.
--> As a consequence, I would recommend to migrate the multiple key container configuration to a primary feature.

- The out of scope section is fair and will definitely help the group to stay in the right boundaries. But frankly speaking I cannot agree with the vague wording "sophisticated access control mechanism, advanced smartcard or other device-specific features". This boundary will definitely not help the group to make the decision of what is, and what is not, in the scope. I do have thousands of advanced smart card features which will fall in the scope of this API :-). Depending on which industry you come from, you might interpret it differently.
--> This section definitely needs some wording: which features do you want to avoid? (I guess there must be a historical background somewhere in the 500 mails exchanged over the public mailing list, but in 6 months it will not be clear to newcomers.)

Hope this makes sense to you, guys.

Regards,
Virginie
gemalto
Received on Sunday, 11 December 2011 17:23:37 UTC