Re: SE API. Re: Draft agenda for upcoming f2f meeting

On 2014-02-28 09:05, erwan.louet@orange.com wrote:
> Anders, 

Hi Erwan,
I provided a detailed response off-list.  Here is an entirely different take on this [interesting] subject:

http://webpki.org/papers/key-access.pdf

The core of this is already available in Android 4.4.

This part alone makes the SE API task a "misfit" with respect to sysapps since the trust model is different.
An SE API clearly requires its own WG although it should be able to build on signed web apps.

It would be nice if Google and/or Microsoft in some way indicated their interest in an SE API standardization effort.
Google's recent handling of U2F is IMO an indirect way of saying "no".  I believe they did the right thing BTW.

Actually the whole idea of innovating and standardizing at the same time is wrong because innovating is a fuzzy process and combining that with another activity which has its own fuzziness is bound to create a lot of friction and delays.
You should only (try to) standardize things that are ready at least on a conceptual stage.  Although WebCrypto doesn't look very similar to DOMCrypt (one of the input documents), the concept survived unaltered.

For the SE API we are not even close regarding the concept.

Regards,
Anders

> 
>> - The payment industry have given up on SE solutions in general due to "unavailability" and Google's launch of HCE.
> Are you speaking here on behalf of the payment industry, or can you point us to evidence to support this statement?
> 
>> - Proprietary TrustZone-based security solutions were showcased everywhere on MobileWorldCongress 2014 including in shipping Samsung devices.
> Can you please point us to the standards supporting these solutions? Are they neutral, interoperable or just proprietary?
> 
>> - Google's U2F and yours truly's SKS/KeyGen2 point in an entirely different SE direction where the web was designed-in from the beginning, using a fixed API as well as building on a security architecture.
> Again, you cannot compare the SE API (basically a transport channel) to a crypto/authentication API. It would be like saying nobody needs TCP since we have twitter. 
> 
> Thanks,
> 
> Erwan
> 
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
> Sent: Thursday, 27 February 2014 17:15
> To: Wonsuk Lee; public-sysapps@w3.org
> Subject: SE API. Re: Draft agenda for upcoming f2f meeting
> 
> On 2014-02-27 13:11, Wonsuk Lee wrote:
>> Hi. All.
>>
>> I made the draft agenda for upcoming f2f meeting as below. Please review this and share your opinions.
> 
> Although I won't be able to attend the F2F I guess I can provide some feedback anyway?
> IMO, the case for the original take on the SE API has been severely weakened due to the following:
> - The security model has been found to be awkward by several reviewers.
> - The payment industry have given up on SE solutions in general due to "unavailability" and Google's launch of HCE.
> - Proprietary TrustZone-based security solutions were showcased everywhere on MobileWorldCongress 2014 including in shipping Samsung devices.
> - Google's U2F and yours truly's SKS/KeyGen2 point in an entirely different SE direction where the web was designed-in from the beginning, using a fixed API as well as building on a security architecture.
> 
> Although you are [all] free to disagree, my experiences with the TrustedComputingGroup as well as the recent introduction of U2F through FIDO Alliance rather than W3C indicate that W3C may indeed standardize some kind of SE API one day but that will be a system that is already recognized as a de-facto standard.
> In addition, 2-3 years of WebCryptoing haven't led to any kind of SE interface proposal in spite of being requested by multiple parties.
> 
> Based on these facts, I think this topic should be dropped from the charter and agenda.
> There may be other venues which are more suited for this work as well.
> 
> Sincerely
> Anders Rundgren
> 
> 
>>
>>  
>>
>> [1] https://www.w3.org/wiki/System_Applications:_4th_F2F_Meeting_Agenda
>>
>>  
>>
>> Kr, Wonsuk.
>>
>> =========================================
>>
>> *이 원 석(Wonsuk, Lee) / *Principal Engineer, Ph.D
>>
>> *SAMSUNG ELECTRONICS Co., LTD. (**三星電子)*
>>
>> Mobile: +82-10-5800-3997
>>
>> E-mail: wonsuk11.lee@samsung.com <mailto:wonsuk11.lee@samsung.com>
>>
>> http://www.wonsuk73.com/, twitter: @wonsuk73
>>
>> -----------------------------------------
>>
>> *Inspire the World, Create the Future !!!*
>>
>> =========================================
>>
>>  
>>
> 
> 

Received on Saturday, 1 March 2014 06:46:58 UTC