- From: Harry Halpin <hhalpin@w3.org>
- Date: Wed, 23 Nov 2011 22:37:12 +0100
- To: Anders Rundgren <anders.rundgren@telia.com>
- CC: "public-identity@w3.org" <public-identity@w3.org>
On 11/23/2011 07:02 AM, Anders Rundgren wrote: > The main point with crypto hardware is strong protection of secret/private keys, right? > > If an API doesn't make it possible to distinguish if keys are created in crypto hardware > or are stored in a file on the harddisk, such an API seems fairly useless from an issuer > perspective. Anders, Note that distinguishing where a key came from is in the "secondary" features list that has to be given a concrete use-case, requirements, and have agreement from implementors. I would suggest you read the current version of the charter (both on wiki and in HTML now) before making commentary. This has been a problem in the past. However, I would note that there are plenty of non-smartcard use-cases for a common JS crypto API, but I do hope we can accomdate smartcards in a way that actually has uptake from implementers or make any spec smartcard-specific. > I'm pretty sure that this is addressed in the Google Wallet but this scheme is currently > secret so I don't see how we (at this stage) could even have a meaningful dialog > about methods and requirements regarding schemes for supporting crypto hardware. > > Microsoft has also publicly demonstrated Win8/TPM and U-Prove/smart card schemes > without disclosing any details on how keys are provisioned. > > Trying to create related standards under these circumstances is IMHO simply put silly. > > I don't consider my own effort in this space a "standardization effort" since it doesn't > build on existing crypto hardware or software standards. I don't believe the latter is > even workable as a starting point for both political and technical reasons. > > Anders >
Received on Wednesday, 23 November 2011 21:37:06 UTC