Re: Proposed API extension for Fido U2F devices

On 02/11/2014 04:37 PM, Siva Narendra wrote:
>
> Anders & Co.  SIM cards are not the only secure element solution or 
> form factor. There are microSD, USB, Bluetooth interface form factors 
> that are not locked by carriers and they are device agnostic. In fact 
> some of them can be used across multiple devices. And Smart cards that 
> run Java card OS can be used to load virtually any security applet.
>
> There seems to be some preconceived notions of what smart cards are. I 
> would request all of you to have an open mind based on the fact that 
> smart card silicon is the one of the only, if not the only, globally 
> standard hardware that exists today that is certified by ISO, Global 
> Platform and Common Compliance standards.
>
> Let me reiterate - the proposal is not smart cards instead of other 
> hardware. But rather the proposal is smart card be supported in this 
> community if hardware is in scope.
>
> Irrespective of W3C community support or not smart card interface to 
> Webcrypto API will happen. There is a community of companies that will 
> build it. We already are, based on work that was done with Firefox. It 
> is really up to all of you to decide if W3C will take the dogmatic 
> position of not supporting smart cards, which seems to be the 
> prevailing position.
>

The W3C is of course open to a smartcard interface and is *not* against 
supporting smart cards in future versions or extensions to Web Crypto - 
this work is only out of scope for the current version. We fully expect 
this to be discussed also at the future workshop I mentioned in Sept.

Anders is not an Invited Expert or a member of the Working Group as 
well, so his emails are in not representative of the WG. While he 
sometimes makes contributions over the comment mailing list, he also has 
made incorrect and provocative statements in the past.

The key is to discuss with the Working Groups, other vendors, and help 
build critical mass. Thus, the key point is to build a draft of those 
extensions of the API and convince vendors that this should be 
implemented uniformly.

    cheers,
        harry


> On Feb 11, 2014 7:06 AM, "Anders Rundgren" 
> <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> 
> wrote:
>
>     http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0009.html
>
>     "The U2F use case is one specific use case which is bringing new
>     features to the web crypto API. I do not see why the existence of
>     the U2F would preclude the discussion related to the integration
>     of hardware token (or any secure element) in the web crypto, for
>     which we have imagined to have a workshop this year. Note that It
>     is still on my side to propose a strawman proposal for the workshop"
>
>     Since SIM-cards are locked by operators there's little point with
>     an SE interface to WebCrypto, it will most certainly go the same
>     way the WAP/WSIM interface once did; in the toilet.
>     As Ryan mentioned in
>     http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>     ISO 7816 is probably not the right technical foundation either.
>
>     If the operators (=the actual customers) and Gemalto still believe
>     this is interesting it seems more logical running a combined
>     standardization/open source effort together with them.
>
>     Related:
>     http://letstalkpayments.com/google-says-goodbye-carrier-based-nfc-systems
>
>     Anders
>

Received on Tuesday, 11 February 2014 16:28:21 UTC