- From: Ryan Sleevi <sleevi@google.com>
- Date: Sun, 29 Jul 2012 00:59:25 -0700
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Thank you for your feedback, Anders.

I'm not sure I understand how this relates to the work of the Web Cryptography Working Group. As has been mentioned before, smart card provisioning is out of scope for the efforts of this working group. While I realize you and others may have many thoughts to offer on the matter, I think it is important for the continued progress of the working group that we're able to focus our efforts on in-scope work. For general comments about the future of (PKI, certificates, keys, arbitrary crypto schemes), there may be other forums better suited for such thoughts and ruminations.

In addition, speculation about Apple's motives does not seem appropriate, the least of all being that it's not at all an accurate representation. Apple has made it very clear publicly that they're moving away from the CDSA and CSSM framework that underpinned the TokenD effort (as well as underpinning their X.509 and PKI handling), so naturally it means that every TokenD written is incompatible with the new APIs (eg: Security Transforms). This is not at all an issue with "smart cards" vs "non-smart-cards", but instead simply a matter of cryptographic APIs and the need to deprecate the legacy APIs.

While feedback is very much welcome on the ongoing Editor's Drafts, please do try to keep comments in scope, and please keep in mind that there will be problems and use cases that we cannot and will not address within either the FPWD or within the first delivered version of this API.

Regards,
Ryan

On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren <anders.rundgren@telia.com> wrote:
> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms.
>
> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being a piece of cake in mobile devices.
> What do I mean with unsolvable? The ability to enroll credentials in a smart card via a browser. It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS!
>
> How come it is a piece of cake in mobile devices? Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork.
> IMO this is the only way to make smart cards "first class citizens" in consumer computers.
>
> Web Crypto haven't taken a position on these issues in an attempt to keep neutrality. Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience.
>
> http://news.cnet.com/8301-1023_3-57481166-93/oauth-2.0-leader-resigns-says-standard-is-bad
>
> Anders

Received on Sunday, 29 July 2012 07:59:53 UTC