RE: SE API. Re: Draft agenda for upcoming f2f meeting

Anders, and all,

Thanks for your take on the industry trends.

Your idea to remove secure element from the charter is not supported by gemalto.
This gives me the opportunity to remind the people that security concerns raised by the parties were addressed in the recent draft (see http://opoto.github.io/secure-element/). We are expecting comments from the WG participants.

This is also a chance for me to inform the WG that discussions about integrating secure services provided by technologies like SE, TEE, TrsuZone, FIDO will be discussed this year in a W3C workshop, for which I have proposed a draft scope here : https://www.w3.org/2012/webcrypto/wiki/WG_Future_Work_hardware_token_workshop_2014



Regards,
Virginie
Gemalto

Note : correction to few facts claimed below
- FIDO U2F javascript has been proposed to Web Crypto WG few weeks ago (FIDO Alliance is managing the complete solution of protocols, message format and APDU values, which can not be standardized in W3C, obviously)
- Web Crypto WG exists since 2 years (not 3)

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
Sent: jeudi 27 février 2014 17:15
To: Wonsuk Lee; public-sysapps@w3.org
Subject: SE API. Re: Draft agenda for upcoming f2f meeting

On 2014-02-27 13:11, Wonsuk Lee wrote:
> Hi. All.
>
> I made the draft agenda for upcoming f2f meeting as below. Please review this and share your opinions.

Although I won't be able to attend the F2F I guess I can provide some feedback anyway?
IMO, the case for the original take on the SE API has been severely weakened due to the following:
- The security model has been found to be awkward by several reviewers.
- The payment industry have given up on SE solutions in general due to "unavailability" and Google's launch of HCE.
- Proprietary TrustZone-based security solutions where showcased everywhere on MobileWorldCongress 2014 including in shipping Samsung devices.
- Google's U2F and yours truly's SKS/KeyGen2 point in an entirely different SE direction where the web was designed-in from the beginning, using a fixed API as well a building on a security architecture.

Although you are [all] free to disagree, my experiences with the TrustedComputingGroup as well as the recent introduction of U2F though FIFO alliance rather than W3C indicate that W3C may indeed standardize some kind of SE API one day but that will be a system that is already recognized as a de-facto standard.
In addition, 2-3 years of WebCryptoing haven't lead to any kind of SE interface proposal in spite of being requested by multiple parties.

Based on these facts, I think this topic should be dropped from the charter and agenda.
There may be other venues which are more suited for this work as well.

Sincerely
Anders Rundgren


>
>
>
> [1] https://www.w3.org/wiki/System_Applications:_4th_F2F_Meeting_Agenda
>
>
>
> Kr, Wonsuk.
>
> =========================================
>
> *이 원 석(Wonsuk, Lee) / *Principal Engineer, Ph.D
>
> *SAMSUNG ELECTRONICS Co., LTD. (**三星電子)*
>
> Mobile: +82-10-5800-3997
>
> E-mail: wonsuk11.lee@samsung.com <mailto:wonsuk11.lee@samsung.com>
>
> http://www.wonsuk73.com/, twitter: @wonsuk73
>
> -----------------------------------------
>
> *Inspire the World, Create the Future !!!*
>
> =========================================
>
>
>



This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus

Received on Thursday, 27 February 2014 16:33:24 UTC