- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sat, 11 Feb 2012 10:09:07 +0100
- To: "public-identity@w3.org" <public-identity@w3.org>
This is a follow-up to my previous (enclosed) posting. I don't see that the keys provisioned in the second section have much relevance for the signatures mentioned in the first section. That is, we are effectively talking about two free-standing work-items although they both build on JavaScript. Creating a scheme that combines the requirements would be an entirely different mission. Taking a simple example: Mozilla's "soft token" doesn't support individual PIN-codes. AFAIK, the situation is roughly the same for Internet Explorer. PIN-codes are more or less mandatory in bank-contexts and it is always the *bank* that sets the policy. That's why (for example) the Swedish banks that are into strong authentication roll their own PKI clients which (of course) support their own "hard-coded" PIN-policies. Not very universal but that's what we got... Anders -------- Original Message -------- Subject: Web Cryptography Working Group Charter Resent-Date: Thu, 09 Feb 2012 21:07:36 +0000 Resent-From: public-identity@w3.org Date: Thu, 09 Feb 2012 22:07:02 +0100 From: Anders Rundgren <anders.rundgren@telia.com> To: public-identity@w3.org <public-identity@w3.org> http://www.w3.org/2011/11/webcryptography-charter.html "The ability to select credentials and sign statements can be necessary to perform high-value transactions such as those involved in finance, corporate security, and identity-related claims about personal data" "The provisioning and use of keys within Web applications can be used for scenarios like increasing the security of user authentication and determining whether a particular device is authenticated for particular services" If you combine these high-level requirements you essentially get a "webbified" Google wallet (and more). However, the Google wallet is not an API, it is a system and architecture. For financial transactions and key provisioning the DOMCrypt stuff that Mozilla showcased last summer, IMO doesn't even come close to the already shipping Google product so we are apparently (?) talking about something entirely different. "Out of scope: features include special handling directly for non-opaque key identification schemes, access control mechanisms beyond the enforcement of the same-origin policy, and functions in the API that require smartcard or other device-specific behavior" The Google wallet builds on smart card technology. Anders
Received on Saturday, 11 February 2012 09:09:40 UTC