- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Mon, 30 Jul 2012 18:45:50 +0200
- To: David Dahl <ddahl@mozilla.com>
- CC: public-webcrypto-comments@w3.org, Ryan Sleevi <sleevi@google.com>

On 2012-07-30 18:08, David Dahl wrote:
> Anders:
>
> Have you seen the draft charter for the SysApps WG? http://www.w3.org/2012/05/sysapps-wg-charter.html

Thank you David!
I hadn't heard about one. There's too much noise out there :-)

I also took a peek at Gemalto's API write-up. Personally, I don't see that 7816 and APDUs have a mission to carry out on the web. In fact, in my take on this topic there is no (web) API at all!

This will be *very* interesting...

Cheers,
Anders

>
> "Secure Elements API
> An API enabling the discovery, introspection, and interaction with hardware tokens (Secure Elements) that offer secure services such as tamper-proof storage, cryptographic operations, etc. Example: Gemalto Secure Elements."
>
> This looks like it might be a nice complement to the web crypto API
>
> Cheers,
>
> david
>
> ----- Original Message -----
> From: "Anders Rundgren" <anders.rundgren@telia.com>
> To: "Ryan Sleevi" <sleevi@google.com>
> Cc: public-webcrypto-comments@w3.org
> Sent: Monday, July 30, 2012 1:34:10 AM
> Subject: Re: Security standards for Mobile Device vs "PCs"
>
> On 2012-07-29 09:59, Ryan Sleevi wrote:
>> Thank you for your feedback, Anders.
>>
>> I'm not sure I understand how this relates to the work of the Web
>> Cryptography Working Group. As has been mentioned before, smart card
>> provisioning is out of scope for the efforts of this working group.
>> While I realize you and others may have many thoughts to offer on the
>> matter, I think it is important for the continued progress of the
>> working group that we're able to focus our efforts on in-scope work.
>> For general comments about the future of (PKI, certificates, keys,
>> arbitrary crypto schemes), there may be other forums better suited for
>> such thoughts and ruminations.
>
> Ryan,
> You should look at this as a comment from the outside.
>
> The term "Smart Card" is a misnomer.
>
> *Nobody* is trying to make traditional smart cards usable in PCs.
>
> *Everybody* is working with provisioning of embedded SEs including Google.
>
> That's about it. It might be a future step for Web Crypto or it might
> be something entirely different.
>
> br
> ar
>
>>
>> In addition, speculation about Apple's motives does not seem
>> appropriate, the least of all being that it's not at all an accurate
>> representation. Apple has made it very clear publicly that they're
>> moving away from the CDSA and CSSM framework that underpinned the
>> TokenD effort (as well as underpinning their X.509 and PKI handling),
>> so naturally it means that every TokenD written is incompatible with
>> the new APIs (eg: Security Transforms). This is not at all an issue
>> with "smart cards" vs "non-smart-cards", but instead simply a matter
>> of cryptographic APIs and the need to deprecate the legacy APIs.
>>
>> While feedback is very much welcome on the ongoing Editor's Drafts,
>> please do try to keep comments in scope, and please keep in mind that
>> there will be problems and use cases that we cannot and will not
>> address within either the FPWD or within the first delivered
>> version of this API.
>>
>> Regards,
>> Ryan
>>
>> On Sat, Jul 28, 2012 at 10:53 PM, Anders Rundgren
>> <anders.rundgren@telia.com> wrote:
>>> A thing that I feel will affect the outcome of many security standardization initiatives is how they relate to the two major platforms.
>>>
>>> If we for example take the smart card issue, it has proven beyond doubt to be unsolvable in the PC while being a piece of cake in mobile devices.
>>> What do I mean with unsolvable? The ability to enroll credentials in a smart card via a browser. It is actually so difficult just getting a "standard" smart card to work for logging in that Apple removed support for all cards but the US PIV card in their latest MacOS!
>>>
>>> How come it is a piece of cake in mobile devices? Because embedded SEs like the NXP chip powering the Google Wallet eliminate readers, third-party middleware and the mapping guesswork.
>>> IMO this is the only way to make smart cards "first class citizens" in consumer computers.
>>>
>>> Web Crypto hasn't taken a position on these issues in an attempt to keep neutrality. Personally, I'm more interested in the 80% than in supporting a very difficult < 5% audience.
>>>
>>> http://news.cnet.com/8301-1023_3-57481166-93/oauth-2.0-leader-resigns-says-standard-is-bad
>>>
>>> Anders

Received on Monday, 30 July 2012 16:46:20 UTC