- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Mon, 30 Jul 2012 08:34:10 +0200
- To: Ryan Sleevi <sleevi@google.com>
- CC: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
On 2012-07-29 09:59, Ryan Sleevi wrote: > Thank you for your feedback, Anders. > > I'm not sure I understand how this relates to the work of the Web > Cryptography Working Group. As has been mentioned before, smart card > provisioning is out of scope for the efforts of this working group. > While I realize you and others may have many thoughts to offer on the > matter, I think it is important for the continued progress of the > working group that we're able to focus our efforts on in-scope work. > For general comments about the future of (PKI, certificates, keys, > arbitrary crypto schemes), there may be other forums better suited for > such thoughts and ruminations. Ryan, You should look at this as a comment from the outside. The term "Smart Card" is misnomer. *Nobody* is trying to make traditional smart cards usable in PCs. *Everybody* is working with provisioning of embedded SEs including Google. That's about it. It might be a future step for Web Crypto or it might be something entirely different. br ar > > In addition, speculation about Apple's motives does not seem > appropriate, the least of all being that it's not at all an accurate > representation. Apple has made it very clearly publicly that they're > moving away from the CDSA and CSSM framework that underpinned the > TokenD effort (as well as underpinning their X.509 and PKI handling), > so naturally it means that every TokenD written is incompatible with > the new APIs (eg: Security Tranforms). This is not at all an issue > with "smart cards" vs "non-smart-cards", but instead simply a matter > of cryptographic APIs and the need to deprecate the legacy APIs. > > While feedback is very much welcome on the ongoing Editor's Drafts, > please do try to keep comments in scope, and please keep in mind that > there will be problems and use cases that we cannot and will not > address within the either the FPWD or within the first delivered > version of this API. > > Regards, > Ryan > > On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren > <anders.rundgren@telia.com> wrote: >> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms. >> >> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being piece of cake in mobile devices. >> What do I mean with unsolvable? The ability to enroll credentials in smart card via a browser. It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS! >> >> How come it is piece of cake in a mobile devices? Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork. >> IMO this is the only way to make smart cards "first class citizens" in consumer computers. >> >> Web Crypto haven't taken a position on these issues in an attempt to keep neutrality. Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience. >> >> http://news.cnet.com/8301-1023_3-57481166-93/oauth-2.0-leader-resigns-says-standard-is-bad >> >> Anders >> >> >> >> >> >> > >
Received on Monday, 30 July 2012 06:34:38 UTC