Re: The "korean bank" use-case from Channy Yun on 2011-11-27 (public-identity@w3.org from November 2011)

From: Channy Yun <channy@gmail.com>
Date: Mon, 28 Nov 2011 00:54:24 +0900
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: "public-identity@w3.org" <public-identity@w3.org>
Message-ID: <CAG5Kj5HLRS+mkcfb=Cmv4NoV9n1PYPKYDQz7cdnNS45y0rp=AQ@mail.gmail.com>

Dear all,

Avoiding confusing ... please refer to
http://www.w3.org/community/webcryptoapi/2011/09/15/why-web-crypto-api/
Korean's use-cases and web cryptography.

There has been a guideline of security grade for internet banking in Korea
by transaction of amount of money.

Grade I: USD 420,000 per day = *Personal Certificate*+ Secure Code(with SMS
auth) + One-time password(device)
Grade II: USD 210,000 per day = *Personal Certificate* + Secure Code (with
SMS auth)
Grade III: USD 42,000 per day = *Personal Certificate* + Secure Code

Actually, there is no HSM/Smartcard use cases in Korea. I don't know why
smart card is Korean's use-cases.
I guess some of vendors in Korea wrote Mozilla's DOMCrypt use-case page and
in fact considered by government agency.
This is why personal certificate is very insecure for hacking because the
key store is located in c:\Program Files\NPKI.

Over 15 million personal certificates by Korean national CA chains are
issued and renewed based on Active X plugin in every year.
Recently it transferred to iOS and Android application to treat
certificates. As well as, some of banks made NPPlugins for non-IE browsers.

So, the rapid implementation of Web Crypto (key issue and digital sigining)
is very important for Korean use cases in real problem.

Channy
---------------------
Tech Evangelist : Web 2.0, Web Standards, Open Source and Firefox
http://channy.creation.net





2011/11/28 Anders Rundgren <anders.rundgren@telia.com>

> Just to get the discussion going...
>
> in case devices are in scope you should know that the
>
> GlobalPlatform Card Specification 2.2.1
> http://www.globalplatform.org/specificationscard.asp
>
> is well over 300 pages and in turn refers to 500 pages+ of additional
> information.
>
> IMO, this is also the reason why the *current* smart card technology is
> unsuitable
> for browser integration.
>
> FYI, I recently tested the JRE 1.6 standard library "javax.smartcardio.*"
> and found
> that it worked extremely bad on the 3 platforms I tried it on.
>
> As often pointed out, smart cards *do* work with certain combinations of
> operating
> systems, readers and middleware but as a foundation for consumers it
> simply doesn't
> cut  it.
>
> I.e. my quest for a simpler "web token" is a more realistic take on this
> topic in spite of
> the fact that you need new hardware.
>
> Anders
>
>
>

Received on Sunday, 27 November 2011 15:55:21 UTC