RE: SE API. Re: Draft agenda for upcoming f2f meeting

Anders, 

> - The payment industry have given up on SE solutions in general due to "unavailability" and Google's launch of HCE.
Are you speaking here on behalf of the payment industry, or can you point us to evidence to support this statement?

> - Proprietary TrustZone-based security solutions were showcased everywhere on MobileWorldCongress 2014 including in shipping Samsung devices.
Can you please point us to the standards supporting these solutions? Are they neutral, interoperable or just proprietary?

> - Google's U2F and yours truly's SKS/KeyGen2 point in an entirely different SE direction where the web was designed-in from the beginning, using a fixed API as well as building on a security architecture.
Again, you cannot compare the SE API (basically a transport channel) to a crypto/authentication API. It would be like saying nobody needs TCP since we have Twitter.

Thanks,

Erwan

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
Sent: Thursday, 27 February 2014 17:15
To: Wonsuk Lee; public-sysapps@w3.org
Subject: SE API. Re: Draft agenda for upcoming f2f meeting

On 2014-02-27 13:11, Wonsuk Lee wrote:
> Hi. All.
> 
> I made the draft agenda for upcoming f2f meeting as below. Please review this and share your opinions.

Although I won't be able to attend the F2F I guess I can provide some feedback anyway?
IMO, the case for the original take on the SE API has been severely weakened due to the following:
- The security model has been found to be awkward by several reviewers.
- The payment industry have given up on SE solutions in general due to "unavailability" and Google's launch of HCE.
- Proprietary TrustZone-based security solutions were showcased everywhere on MobileWorldCongress 2014 including in shipping Samsung devices.
- Google's U2F and yours truly's SKS/KeyGen2 point in an entirely different SE direction where the web was designed-in from the beginning, using a fixed API as well as building on a security architecture.

Although you are [all] free to disagree, my experiences with the TrustedComputingGroup as well as the recent introduction of U2F through FIDO Alliance rather than W3C indicate that W3C may indeed standardize some kind of SE API one day but that will be a system that is already recognized as a de-facto standard.
In addition, 2-3 years of WebCryptoing haven't led to any kind of SE interface proposal in spite of being requested by multiple parties.

Based on these facts, I think this topic should be dropped from the charter and agenda.
There may be other venues which are more suited for this work as well.

Sincerely
Anders Rundgren


> [1] https://www.w3.org/wiki/System_Applications:_4th_F2F_Meeting_Agenda
>
> Kr, Wonsuk.

Received on Friday, 28 February 2014 08:07:48 UTC