W3C home > Mailing lists > Public > public-webcrypto-comments@w3.org > February 2014

Re: Proposed API extension for Fido U2F devices

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 12 Feb 2014 08:27:45 +0100
Message-ID: <52FB2271.9070707@gmail.com>
To: Harry Halpin <hhalpin@w3.org>
CC: public-webcrypto-comments@w3.org, siva@tyfone.com, GALINDO Virginie <Virginie.GALINDO@gemalto.com>
On 2014-02-11 17:28, Harry Halpin wrote:
> On 02/11/2014 04:37 PM, Siva Narendra wrote:
>>
>> Anders & Co.  SIM cards are not the only secure element solution or form factor. There are microSD, USB,  Bluetooth interface form factors that are not locked by carriers and they are device agnostic. In fact some of them can be used across multiple devices. And Smart cards that run Java card OS can be used to load virtually any security applet.
>>
>> There seems to be some preconceived notions of what smart cards are. I would request all of you to have an open mind based on the fact that smart card silicon is the one of the only, if not the only, globally standard hardware that exists today that is certified by ISO, Global Platform and Common Compliance standards.
>>
>> Let me reiterate - the proposal is not smart cards instead of other hardware. But rather the proposal is smart card be supported in this community if hardware is in scope.
>>
>> Irrespective of W3C community support or not smart card interface to Webcrypto API will happen. There is a community of companies that will build it. We already are, based on work that was done with Firefox. It is really up to all of you to decide if W3C will take the dogmatic position of not supporting smart cards, which seems to be the prevailing position. 
>>
>
> The W3C is of course open to a smartcard interface and is *not* against supporting smart cards in future versions or extensions to Web Crypto - this work is only out of scope for the current version. We fully expect this to be discussed also at the future workshop I mentioned in Sept.
>
> Anders is not an Invited Expert or a member of the Working Group as well, so his emails are in not representative of the WG. While he sometimes makes contributions over the comment mailing list, he also has made incorrect and provocative statements in the past.

Sure, Anders is a self-proclaimed expert in this space.  Since he's not employed by a large vendor, he can talk and write about things that none of the big-guy representatives are allowed to do including tiny "flies in the soup" like the fact that SIM-cards are useless for the bulk of the authentication market which in his (occasionally provoking) opinion means that U2F may very well mark the start of the end of the SIM-card itself.

Unless the vendors adapt (in time) to this completely new situation, SIM-cards will most likely follow the downward path Nokia once did.

Regarding the workshop, I must confess that I don't really see the point; wouldn't it be easier just publishing position papers or specifications on the subject?  Google have now presented their take on security hardware.  The U2F specs are BTW really nice reading since they contain considerable amounts of use-case information and rationale that even a layman can understand!

Anders

>
> The key is to discuss with the Working Groups, other vendors, and help build critical mass. Thus, the key point is to build a draft of those extensions of the API and convince vendors that this should be implemented uniformly.
>
>    cheers,
>        harry
>
>
>> On Feb 11, 2014 7:06 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>>
>>     http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0009.html
>>
>>     "The U2F use case is one specific use case which is bringing new features to the web crypto API. I do not see why the existence of the U2F would preclude the discussion related to the integration of hardware token (or any secure element) in the web crypto, for which we have imagined to have a workshop this year. Note that It is still on my side to propose a strawman proposal for the workshop"
>>
>>     Since SIM-cards are locked by operators there's little point with an SE interface to WebCrypto, it will most certainly go the same way the WAP/WSIM interface once did; in the toilet.
>>     As Ryan mentioned in http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html ISO 7816 is probably not the right technical foundation either.
>>
>>     If the operators (=the actual customers) and Gemalto still believe this is interesting it seems more logical running a combined standardization/open source effort together with them.
>>
>>     Related: http://letstalkpayments.com/google-says-goodbye-carrier-based-nfc-systems
>>
>>     Anders
>>
>
Received on Wednesday, 12 February 2014 07:28:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:03:27 UTC