Re: Proposed API extension for Fido U2F devices

> On 2014-02-11 17:28, Harry Halpin wrote:
>> On 02/11/2014 04:37 PM, Siva Narendra wrote:
>>>
>>> Anders & Co.  SIM cards are not the only secure element solution or
>>> form factor. There are microSD, USB, Bluetooth interface form factors
>>> that are not locked by carriers and they are device agnostic. In fact
>>> some of them can be used across multiple devices. And Smart cards that
>>> run Java card OS can be used to load virtually any security applet.
>>>
>>> There seems to be some preconceived notions of what smart cards are. I
>>> would request all of you to have an open mind based on the fact that
>>> smart card silicon is one of the only, if not the only, globally
>>> standard hardware that exists today that is certified by ISO, Global
>>> Platform and Common Compliance standards.
>>>
>>> Let me reiterate - the proposal is not smart cards instead of other
>>> hardware. But rather the proposal is that smart cards be supported in
>>> this community if hardware is in scope.
>>>
>>> Irrespective of W3C community support or not, a smart card interface to
>>> the WebCrypto API will happen. There is a community of companies that will
>>> build it. We already are, based on work that was done with Firefox. It
>>> is really up to all of you to decide if W3C will take the dogmatic
>>> position of not supporting smart cards, which seems to be the
>>> prevailing position.
>>>
>>
>> The W3C is of course open to a smartcard interface and is *not* against
>> supporting smart cards in future versions or extensions to Web Crypto -
>> this work is only out of scope for the current version. We fully expect
>> this to be discussed also at the future workshop I mentioned in Sept.
>>
>> Anders is not an Invited Expert or a member of the Working Group
>> either, so his emails are not representative of the WG. While he
>> sometimes makes contributions over the comment mailing list, he also has
>> made incorrect and provocative statements in the past.
>
> Sure, Anders is a self-proclaimed expert in this space.  Since he's not
> employed by a large vendor, he can talk and write about things that none
> of the big-guy representatives are allowed to do including tiny "flies in
> the soup" like the fact that SIM-cards are useless for the bulk of the
> authentication market which in his (occasionally provoking) opinion means
> that U2F may very well mark the start of the end of the SIM-card itself.
>
> Unless the vendors adapt (in time) to this completely new situation,
> SIM-cards will most likely follow the downward path Nokia once did.
>

Anders,

Like any other member of the public, we are happy for you to comment on
this mailing list. There was simply confusion about whether or not you
were speaking on behalf of the W3C or the Working Group, which you do not.

In particular, we are seeking independent review of the spec and encourage
experts to do so regardless of who they work for, and in particular are
seeking vendor-neutral expertise.

The W3C of course prefers concrete reviews with suggested solutions rather
than prognostications, given that prognostications are often wrong.

   cheers,
     harry
> Regarding the workshop, I must confess that I don't really see the point;
> wouldn't it be easier just publishing position papers or specifications on
> the subject?  Google have now presented their take on security hardware.
> The U2F specs are BTW really nice reading since they contain considerable
> amounts of use-case information and rationale that even a layman can
> understand!
>
> Anders
>
>>
>> The key is to discuss with the Working Groups, other vendors, and help
>> build critical mass. Thus, the key point is to build a draft of those
>> extensions of the API and convince vendors that this should be
>> implemented uniformly.
>>
>>    cheers,
>>        harry
>>
>>
>>> On Feb 11, 2014 7:06 AM, "Anders Rundgren"
>>> <anders.rundgren.net@gmail.com> wrote:
>>>
>>>     http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0009.html
>>>
>>>     "The U2F use case is one specific use case which is bringing new
>>> features to the web crypto API. I do not see why the existence of
>>> the U2F would preclude the discussion related to the integration of
>>> hardware token (or any secure element) in the web crypto, for which
>>> we have imagined to have a workshop this year. Note that it is
>>> still on my side to propose a strawman proposal for the workshop"
>>>
>>>     Since SIM-cards are locked by operators there's little point in
>>> an SE interface to WebCrypto; it will most certainly go the same
>>> way the WAP/WSIM interface once did: in the toilet.
>>>     As Ryan mentioned in
>>> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2014Feb/0008.html
>>> ISO 7816 is probably not the right technical foundation either.
>>>
>>>     If the operators (=the actual customers) and Gemalto still believe
>>> this is interesting, it seems more logical to run a combined
>>> standardization/open source effort together with them.
>>>
>>>     Related:
>>> http://letstalkpayments.com/google-says-goodbye-carrier-based-nfc-systems
>>>
>>>     Anders
>>>
>>
>
>

Received on Wednesday, 12 February 2014 10:46:10 UTC