Re: Security standards for Mobile Device vs "PCs"

On 2012-07-29 09:59, Ryan Sleevi wrote:
> Thank you for your feedback, Anders.
> I'm not sure I understand how this relates to the work of the Web
> Cryptography Working Group. As has been mentioned before, smart card
> provisioning is out of scope for the efforts of this working group.
> While I realize you and others may have many thoughts to offer on the
> matter, I think it is important for the continued progress of the
> working group that we're able to focus our efforts on in-scope work.
> For general comments about the future of (PKI, certificates, keys,
> arbitrary crypto schemes), there may be other forums better suited for
> such thoughts and ruminations.

You should look at this as a comment from the outside.

The term "Smart Card" is a misnomer.

*Nobody* is trying to make traditional smart cards usable in PCs.

*Everybody* is working with provisioning of embedded SEs including Google.

That's about it.  It might be a future step for Web Crypto or it might
be something entirely different.


> In addition, speculation about Apple's motives does not seem
> appropriate, the least of all being that it's not at all an accurate
> representation. Apple has made it very clearly publicly that they're
> moving away from the CDSA and CSSM framework that underpinned the
> TokenD effort (as well as underpinning their X.509 and PKI handling),
> so naturally it means that every TokenD written is incompatible with
> the new APIs (eg: Security Transforms). This is not at all an issue
> with "smart cards" vs "non-smart-cards", but instead simply a matter
> of cryptographic APIs and the need to deprecate the legacy APIs.
> While feedback is very much welcome on the ongoing Editor's Drafts,
> please do try to keep comments in scope, and please keep in mind that
> there will be problems and use cases that we cannot and will not
> address within either the FPWD or within the first delivered
> version of this API.
> Regards,
> Ryan
> On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren
> <> wrote:
>> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms.
>> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being a piece of cake in mobile devices.
>> What do I mean with unsolvable?  The ability to enroll credentials in a smart card via a browser.  It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS!
>> How come it is a piece of cake in mobile devices?  Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork.
>> IMO this is the only way to make smart cards "first class citizens" in consumer computers.
>> Web Crypto hasn't taken a position on these issues in an attempt to keep neutrality.   Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience.
>> Anders

Received on Monday, 30 July 2012 06:34:38 UTC