- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 15 Oct 2014 06:51:59 +0200
- To: "public-web-security@w3 org" <public-web-security@w3.org>
AFAIK, integration of security hardware in the web can be performed in (at least) three entirely different ways: - ISO-7816/APDU access. This solution applies to existing smart cards. It doesn't have any ties to the WebCrypto API. Gemalto/W3C draft specification: http://opoto.github.io/secure-element - PKCS #11 and "cousins". This solution is primarily about supporting PKI cards like PIV/eID and presumably supporting the WebCrypto API. http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/Using_the_W3C_WebCrypto_API_for_Document_Signing.html It is worth noting that FIDO's U2F cannot be supported by PKCS #11. - FIDO/U2F and forward. New form-factor-independent security hardware designed for the web and presumably supporting the WebCrypto API. IMO, these solutions have little or nothing in common from a standardization and web application developer point of view. They can of course co-exist. It is obvious that the FIDO approach has the current "mind-share": http://fidoalliance.org/membership/members However, it is not equally obvious how the W3C could deal with the enhanced security hardware which (IMO) is required for transforming a diverse set of legacy smart card applications relying on soon-to-be-outlawed "plugins", into first class citizens on the web. The current solution is rather converting these application to run as native applications outside of the browser. Regarding Secure AND Convenient Web-payments ("the killer application"?), there's not an abundance of material out there telling how the FIDO bunch or the APDU connoisseurs envision such except on a very high level ("yes, we can pay"), which clearly is insufficient for deciding which horse you should bet on. Cheers, Anders
Received on Wednesday, 15 October 2014 04:52:33 UTC