Re: Proposed API extension for Fido U2F devices

On 02/09/2014 09:11 PM, Siva Narendra wrote:
>
> Hi Juan and everyone.
>
> Smart Card support which is already a hardware standard and it is well 
> known what language it speaks (ISO7816) should be considered as an 
> alternative to new and yet to be common U2F hardware standard.
>
> As you all know smart cards are not only already a standard, they have 
> sold in the billions and cost as little as $0.60.
>
> In addition, public key methods (without using PKI) are already well 
> supported with repurposed smart card security applets such as PKCS #15 
> that can work with existing server infrastructure with very minimal 
> change, to enable e.g. mutually authenticated TLS connection with no 
> need for 3-party PKI. We already have this working in Firefox where 
> the smart card is connected to the device in one of many possible ways.
>
> Not to mention smart card applets are extensible to any future 
> standard such as the yet to be released NIST standards on derived 
> credentials for government use.
>
> In addition smart cards are the only security hardware that have well 
> defined and well followed security certification across multiple 
> industry verticals.
>
> It would be unproductive to consider hardware without smart cards as 
> part of it.
>
> Dear Harry - What is the expected timing of considering hardware 
> extension? We will take ownership in writing an alternative to U2F 
> that is smart card based.
>

For W3C, a draft that gets produced that shows how WebCrypto would work 
with smartcards would be welcome. That can be done at any time. A Google 
Doc is a fine way to begin. Once people have gone a bit further and if 
they are really serious, it can be a W3C Member Submission.

http://www.w3.org/2005/10/Process-20051014/submission

If we are doing the workshop in Sept., then we'd like to get member 
submissions in before the workshop, ideally by July.

  At the same time, the real priority should be getting Web Crypto into 
Last Call ASAP and then dealing with those comments.
Putting the work should around Sept.

    cheers,
         harry

> Best regards,
> Siva
>
> --
> Siva G. Narendra Ph.D.
> CEO - Tyfone, Inc.
> Portland | Bangalore | Taipei
> www.tyfone.com <http://www.tyfone.com>
> Voice: +1.661.412.2233
>
>
> On Sun, Feb 9, 2014 at 2:04 AM, Harry Halpin <hhalpin@w3.org> wrote:
>
>     On 02/04/2014 10:41 PM, Juan Lang wrote:
>>     Hi folks,
>>     I'm aware that hardware-backed keys are out of scope for the
>>     current round of WebCrypto work, so I don't expect this to be
>>     ready for standardization for some time. Nevertheless, I've got a
>>     proposed extension to WebCrypto to support Fido Alliance
>>     (fidoalliance.org <http://fidoalliance.org>) universal second
>>     factor (U2F) devices:
>>     https://docs.google.com/a/chromium.org/document/d/1EEFAMIYNqZ7XHCntghD9meJwKgNOX7ZN-jl5LJQxOVQ/edit#
>>
>>     I apologize that the proposal may lack some context, like, just
>>     what is a U2F device, and what language does it speak? I promise
>>     to update it with pointers to public docs once they are made public.
>>     In the meantime, I'll act as a poor substitute by answering
>>     questions myself, either in the doc or in email.
>>
>>     I'd appreciate any feedback you might have. Thanks very much,
>>     --Juan
>
>     I haven't had to look at this in detail, but upon first look it
>     seems sensible. The general direction is one that the W3C is
>     actively interested in. While this would be outside the current
>     charter, we will re-charter the Working Group once the current
>     version of WebCrypto (at earliest) has exited Last Call and
>     working with FIDO Alliance would likely be mutually beneficial.
>
>         cheers,
>           harry
>
>

Received on Monday, 10 February 2014 18:07:45 UTC