Re: W3C takes on Web+SecurityElements from Richard Barnes on 2012-10-08 (public-webcrypto-comments@w3.org from October 2012)

From: Richard Barnes <rbarnes@bbn.com>
Date: Mon, 8 Oct 2012 13:04:55 -0400
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: Ryan Sleevi <sleevi@google.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Message-Id: <2A2C895F-61CA-4ADA-84D4-F7967077FD99@bbn.com>

In particular, this part of the charter seems relevant, given the possibility of the crypto API providing access to "secure elements" [1]:

"
Secure Elements API
An API enabling the discovery, introspection, and interaction with hardware tokens (Secure Elements) that offer secure services such as tamper-proof storage, cryptographic operations, etc. Example: Gemalto Secure Elements.
"

Virginie, could you comment on how this [2] differs from what we're working on here?  Presumably it would be desirable for the "commands" and callbacks used in the Secure Elements "channels" to have some relation to the methods exposed by the WebCrypto API?  Or are they different enough that Secure Element / hardware stuff should be handled through Secure Elements, and WebCrypto can ignore hardware issues?

[1] Note that in this case "element" != "DOM Element".  
[2] <http://lists.w3.org/Archives/Public/public-sysapps/2012Jun/0058.html>

On Oct 6, 2012, at 5:00 AM, Anders Rundgren wrote:

> On 2012-10-06 10:47, Ryan Sleevi wrote:
>> I believe you meant to send this to the SysApps list, which would be a more appropriate place to provide feedback on the SysApps charter.
> 
> SysApps do not have a "-comments" list.
> 
> Anyway, WebCrypto and Security Elements are (hopefully) not completely unrelated.
> 
> Anders
> 
>> 
>> On Oct 6, 2012 1:29 AM, "Anders Rundgren" <anders.rundgren@telia.com <mailto:anders.rundgren@telia.com>> wrote:
>> 
>>    http://www.w3.org/2012/09/sysapps-wg-charter
>> 
>>    I can't on top of my head come up with anything that could possibly be
>>    more difficult uniting vendors around.  If you for example want to
>>    do something with smart cards you typically have to sign an NDA.
>> 
>>    Trying to squeeze in GlobalPlatform, TPMs, PIV, etc. in an API and calling
>>    that a standard will give a completely new meaning to the word standard :-)
>> 
>>    Due to this, I have come to the conclusion that it is faster, better,
>>    and less politically awkward starting in the opposite end:
>> 
>>        Defining a truly "webbish" Security Element.
>> 
>>    Anders
>> 
> 
>

Received on Monday, 8 October 2012 17:05:41 UTC