Re: Restarting the "Smart Cards for the Web" Discussions from Anders Rundgren on 2015-03-21 (public-web-security@w3.org from March 2015)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 21 Mar 2015 09:12:07 +0100
To: Siva Narendra <siva@tyfone.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <550D27D7.9070803@gmail.com>

On 2015-03-20 17:58, Siva Narendra wrote:
> I think this discussion needs to be led by the browser developers and them come to a
 > conclusion on what they want to do. In my opinion, rest of the community talking about
 > it will continue to be futile.


I believe you are right but that won't happen in W3C but in FIDO Alliance since they
already have a big and apparently very committed community for such matters.

Personally I'm moderately fond of the idea that a single company [in practice] "owns"
a market due to the fact that browsers cannot be updated by third-party vendors like Tyfone.
In fact, this is one (but definitely not the only) reason why I'm advocating an
*entirely different direction* for dealing with smart cards and lots of other things
including web-payment schemes (which also lacks any visible/known browser-vendor buy-in).

Anders

>
> -Siva
>
> /
>
> /--/
> //Siva G. Narendra Ph.D.
> /CEO - //Tyfone, Inc.
> Portland | Bangalore | Taipei/
> www.tyfone.com <http://www.tyfone.com>/
> /Voice: +1.661.412.2233/
> /
> /
>
> On Thu, Mar 19, 2015 at 11:35 PM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     Since these discussions seem to end-up in veritable "flame-wars", without any technical substance whatsoever, I suggest that we try (to the best of our ability...), to take one issue at a time and see where that leads us.  I'm counting on Virginie collecting and monitoring the issues.
>
>     May I start with one issue?
>
>     "Dealing with different security hardware"
>
>     There are many types of Security HW and systems.  Their interfaces are ranging from low-level ISO 7816 APDUs to high-level TEE schemes[1,2] where the input may be a transaction request and the output a transaction response while device I/O is taken over by the TEE.
>
>     Question: How is this variation supposed to be dealt with?
>
>     Cheers,
>     Anders
>
>     1] http://www.globalplatform.org/__specificationsdevice.asp <http://www.globalplatform.org/specificationsdevice.asp>
>     2] http://ipt.intel.com/__Libraries/Documents/__Technology_Overview_-_Intel%__C2%AE_Identity_Protection___Technology_with_PKI.pdf <http://ipt.intel.com/Libraries/Documents/Technology_Overview_-_Intel%C2%AE_Identity_Protection_Technology_with_PKI.pdf>
>
>

Received on Saturday, 21 March 2015 08:13:01 UTC