- From: Ryan Sleevi <sleevi@google.com>
- Date: Wed, 12 Feb 2014 00:13:13 -0800
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: Harry Halpin <hhalpin@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, Siva Narendra <siva@tyfone.com>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>
- Message-ID: <CACvaWvamP6xVHUddOVWL+hB4ynQ5oRck01m5JLPGqntcg7zMBA@mail.gmail.com>

On Tue, Feb 11, 2014 at 11:27 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-02-11 17:28, Harry Halpin wrote:
>
> On 02/11/2014 04:37 PM, Siva Narendra wrote:
>
> Anders & Co. SIM cards are not the only secure element solution or form
> factor. There are microSD, USB, Bluetooth interface form factors that are
> not locked by carriers and they are device agnostic. In fact some of them
> can be used across multiple devices. And Smart cards that run Java card OS
> can be used to load virtually any security applet.
>
> There seem to be some preconceived notions of what smart cards are. I
> would request all of you to have an open mind based on the fact that smart
> card silicon is one of the only, if not the only, globally standard
> hardware that exists today that is certified by ISO, Global Platform and
> Common Compliance standards.
>
> Let me reiterate - the proposal is not smart cards instead of other
> hardware. But rather the proposal is smart card be supported in this
> community if hardware is in scope.
>
> Irrespective of W3C community support or not smart card interface to
> Webcrypto API will happen. There is a community of companies that will
> build it. We already are, based on work that was done with Firefox. It is
> really up to all of you to decide if W3C will take the dogmatic position of
> not supporting smart cards, which seems to be the prevailing position.
>
>
> The W3C is of course open to a smartcard interface and is *not* against
> supporting smart cards in future versions or extensions to Web Crypto -
> this work is only out of scope for the current version. We fully expect
> this to be discussed also at the future workshop I mentioned in Sept.
>
> Anders is not an Invited Expert or a member of the Working Group as well,
> so his emails are not representative of the WG. While he sometimes makes
> contributions over the comment mailing list, he also has made incorrect and
> provocative statements in the past.
>
>
> Sure, Anders is a self-proclaimed expert in this space. Since he's not
> employed by a large vendor, he can talk and write about things that none of
> the big-guy representatives are allowed to do including tiny "flies in the
> soup" like the fact that SIM-cards are useless for the bulk of the
> authentication market which in his (occasionally provoking) opinion means
> that U2F may very well mark the start of the end of the SIM-card itself.
>
> Unless the vendors adapt (in time) to this completely new situation,
> SIM-cards will most likely follow the downward path Nokia once did.
>
> Regarding the workshop, I must confess that I don't really see the point;
> wouldn't it be easier just publishing position papers or specifications on
> the subject? Google have now presented their take on security hardware.
> The U2F specs are BTW really nice reading since they contain considerable
> amounts of use-case information and rationale that even a layman can
> understand!
>
> Anders

Just to correct Anders' overly broad/general statement - It's not Google, it is the FIDO Alliance that have now presented their take on security hardware. This is not simply a Google effort, and continually presenting it as so does a great disservice to the many members and may create undue conflict or hostility.

As you can see via http://fidoalliance.org/membership/members , membership is comprised not just of Google, but a variety of others - which, among UA vendors, includes Blackberry and Microsoft, among hardware vendors includes CrucialTec, NXP, Oberthur, RSA, Synaptics, and Yubico, and among finance includes Discover, Mastercard, and PayPal.

> The key is to discuss with the Working Groups, other vendors, and help
> build critical mass. Thus, the key point is to build a draft of those
> extensions of the API and convince vendors that this should be implemented
> uniformly.
>
> cheers,
> harry
>
>
> On Feb 11, 2014 7:06 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
> wrote:
>
>> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0009.html
>>
>> "The U2F use case is one specific use case which is bringing new features
>> to the web crypto API. I do not see why the existence of the U2F would
>> preclude the discussion related to the integration of hardware token (or
>> any secure element) in the web crypto, for which we have imagined to have a
>> workshop this year. Note that it is still on my side to propose a strawman
>> proposal for the workshop"
>>
>> Since SIM-cards are locked by operators there's little point with an SE
>> interface to WebCrypto, it will most certainly go the same way the WAP/WSIM
>> interface once did; in the toilet.
>> As Ryan mentioned in
>> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>> ISO 7816 is probably not the right technical foundation either.
>>
>> If the operators (=the actual customers) and Gemalto still believe this
>> is interesting it seems more logical running a combined
>> standardization/open source effort together with them.
>>
>> Related:
>> http://letstalkpayments.com/google-says-goodbye-carrier-based-nfc-systems
>>
>> Anders

Received on Wednesday, 12 February 2014 08:13:40 UTC