- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Thu, 25 Jul 2013 12:40:38 +0200
- To: Marcos Caceres <w3c@marcosc.com>
- CC: sysapps <public-sysapps@w3.org>
On 2013-07-25 11:10, Marcos Caceres wrote:
> Hi Anders,

Hi Marcos,

> On Thursday, July 25, 2013 at 7:12 AM, Anders Rundgren wrote:
>
>> There are already hundreds of millions of users of mobile devices featuring embedded SEs.
>> There are also numerous mobile bank apps in active use.
>>
>> However, there's no practical way of using the embedded SEs of the aforementioned devices for storing keys for the mobile bank apps.
>> This is not due to a lack of an SE API, it is rather rooted in the SE concept itself.
>>
>> Some people claim that this is the "intended business model" for SEs, while another camp (including myself) points out inferior SE technology as the culprit.
>> Creating a useful SE API under these circumstances is probably no easier than resolving the middle-east conflict.

> I think it's good to hear that there are multiple views on SEs - has Telia (and members of the other camp) thought of joining the group and providing an alternative API?

Most people who have actually tried the SE-waters agree (through silence...) that the situation is pretty much as I just described. Why bother fighting a war you can't win?

>> If "losing face" is the primary consideration for keeping the SE API in the charter, the only realistic option is "rubber-stamping" Gemalto's proposal.

> We don't do "rubber-stamping" and we have no face to lose, as we haven't actually started work on the SE API :) - the SE API is a "Phase 2" deliverable, which means it won't start until we've done significant work on the phase 1 items of the WG (see http://www.w3.org/2012/sysapps/).

Right, the group has postponed the face-loss alternatively the rubber-stamping to some unknown point in time :-)

> So, now is a great time to contribute alternative API proposals and ideas. Even if we standardize 2 solutions, then we just leave it to the market to decide. The W3C doesn't enforce standards - it leaves it to the market.

>> I don't have a problem with that but it doesn't have much to do with what you generally mean when you refer to something as a "standard".

> Well, as the above is not happening, then you got nothing to worry about. Anyway, I invite you to be constructive and put together an alternative proposal.

It doesn't matter if you have a proposal or not, none of the big vendors that define some 99% of our client platforms have any intention of standardizing an SE API in W3C unless it is their already established take on that. Since the latter have hardly begun yet, a guesstimate is that we are talking about a 5-10 year delay here. As a comparison, it took TrustedComputingGroup 13 years to reach TPM 2.0, which is a kind of SE. A web interface is currently not in the works.

FYI: I do have a complete proposal but since it hasn't a single bit in common with the current "input document" it would rather be considered as *contra-constructive* discussing/promoting it in a W3C context; I gladly settle for the rubber-stamping and spend my precious cycles on implementations instead!

Best regards,
Anders

> Kind regards,
> Marcos
Received on Thursday, 25 July 2013 10:41:15 UTC