Re: comments on web crypto API: Lack of smart card support [2/6]

On 2013-05-23 19:08, Ryan Sleevi wrote:

> Please note that this topic has been discussed at great length in this
> WG, including a variety of proposals and issues.

Dear Ryan,

A better description is that the WG have slashed/ignored all proposals
like, for example, Samuel Erdman's excellent idea: Optionally adding
an origin specifier to a pre-provisioned key.  A revamped Key Discovery
draft offering _key_enumeration_ and _key_attribute_retrieval_ could
easily support both Netflix' and the "eID community's" use-cases.

It should of course continue to be an add-on specification so that
Google wouldn't have to implement it :-)

> Our archives are public -
> - and may prove
> instructive for understanding why there are serious security and
> usability issues with what you propose.
> Further, short of a rechartering, I do not think it would be a
> fruitful venue to continue the discussion of smart cards.

It seems that this issue popped up at "home" as well:

Rechartering is not necessary since explicit provisioning of smart cards
would be more complex than the entire Web Crypto specification is to date.

Based on my experience I would even claim that it isn't possible to
standardize smart card provisioning unless you do as I propose (and
Google soon will as well...), which is defining a specific "Web Token".
This will get its own standard some day.


> Cheers

Received on Friday, 24 May 2013 03:26:23 UTC