- From: Harry Halpin <hhalpin@w3.org>
- Date: Thu, 17 Nov 2011 14:48:24 -0000 (GMT)
- To: "Anders Rundgren" <anders.rundgren@telia.com>
- Cc: public-identity@w3.org
> IMO it doesn't make sense to include explicit support for Crypto HW
> in a W3C WG.
>
> Rationale: This is already a lost case since the smart card industry
> haven't even begun thinking about this issue although quite a bunch
> of their favorite customers including the financial sector and
> Government actually do request solutions that allow them to get
> away from all the proprietary plugins they currently use.
>
> These guys have developed a "de jure" standard:
> http://www.w3.org/2008/security-ws/papers/ISO24727-for-secure-mobile-web-applications-2008-10-30.pdf
> Nobody outside of their backyard cares about it.
>
> BTW, I have yet to see a single proposal that bridges the gap
> between the JS/JSON people and the ISO-7816/GP folks. They have
> probably never met :-)
>
> Please don't take this as criticism, it is just a friendly advice.
Currently the charter does not explicitly include smartcard support or
reference to any of the ISO standards around smartcards.
However, the charter does include "key storage on the device" but puts out
of scope "device-specific access to keying material" [1]
The idea is that through some platform-specific tool, it might be possible
to load a key from a smartcard from the JS API, but that the API itself
would not include "special smartcard" specific instructions. Thus, the
burden of doing that would lie on the smartcard programmers, not the
browsers.
Is that enough? Is there any different terminology you would prefer?
cheers,
harry
[1] http://www.w3.org/wiki/IdentityCharter
>
> Anders
>
>
Received on Thursday, 17 November 2011 14:48:35 UTC