Re: Security standards for Mobile Device vs "PCs"

Thank you for your feedback, Anders.

I'm not sure I understand how this relates to the work of the Web
Cryptography Working Group. As has been mentioned before, smart card
provisioning is out of scope for the efforts of this working group.
While I realize you and others may have many thoughts to offer on the
matter, I think it is important for the continued progress of the
working group that we're able to focus our efforts on in-scope work.
For general comments about the future of (PKI, certificates, keys,
arbitrary crypto schemes), there may be other forums better suited for
such thoughts and ruminations.

In addition, speculation about Apple's motives does not seem
appropriate, the least of all being that it's not at all an accurate
representation. Apple has made it very clearly publicly that they're
moving away from the CDSA and CSSM framework that underpinned the
TokenD effort (as well as underpinning their X.509 and PKI handling),
so naturally it means that every TokenD written is incompatible with
the new APIs (eg: Security Tranforms). This is not at all an issue
with "smart cards" vs "non-smart-cards", but instead simply a matter
of cryptographic APIs and the need to deprecate the legacy APIs.

While feedback is very much welcome on the ongoing Editor's Drafts,
please do try to keep comments in scope, and please keep in mind that
there will be problems and use cases that we cannot and will not
address within the either the FPWD or within the first delivered
version of this API.


On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren
<> wrote:
> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms.
> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being piece of cake in mobile devices.
> What do I mean with unsolvable?  The ability to enroll credentials in smart card via a browser.  It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS!
> How come it is piece of cake in a mobile devices?  Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork.
> IMO this is the only way to make smart cards "first class citizens" in consumer computers.
> Web Crypto haven't taken a position on these issues in an attempt to keep neutrality.   Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience.
> Anders

Received on Sunday, 29 July 2012 07:59:53 UTC