RE: Paper on Summary of ISO12812 by Alan Thiemann

Hello,

While we definitely support the importance of security hardware for the use of privacy-risky technology, I propose not to explicitly ask for a technology, but rather to talk about its capabilities. For several uses an SE might still be okay, though a TEE might be desirable for the future. In fact, it might take a long time for TEEs to proliferate; until then, we should allow existing solutions to kick in as soon as possible. I'd probably even try to think about how TPM/MTM could be helpful too.

In this case, I'd propose to just refer to a "technology to store and validate fingerprint templates in separate security hardware on the device or physically connected to it".

Cheers,
 Jörg

-----Original Message-----
From: 孙倩(雪迪) [mailto:sunqian.sq@alibaba-inc.com] 
Sent: Monday, 18 May 2015 09:10
To: 'David Ezell'; public-webpayments-ig@w3.org
Cc: 'Alan J. Thiemann'
Subject: RE: Paper on Summary of ISO12812 by Alan Thiemann

Thanks for Alan's summary.

For "Part 2: Security and data protection for mobile financial services", I have some consideration that, in order to protect financial privacy usefully, the mobile device technology should combine Secure Elements (SE) and a Trusted Execution Environment (TEE) to protect payment credentials. This is because the SE only has limited processing and storage capacity, but the TEE can offer safe execution of authorized security software, known as 'trusted applications', which enables it to provide end-to-end security by enforcing protection, confidentiality, integrity and data access rights.

And when we design the payment architecture and use cases, we should also pay attention that some payment applications should be served as a TA (trusted application) running in the TEE for security.

For example, in the use case "6.2.3.1 Non-essential Use Cases - Biometric", we have already emphasized the following:
An individual's privacy should be protected when performing any sort of biometric authentication.
Important data, such as the fingerprint template and private key, and sensitive code should be stored and executed in a Trusted Execution Environment (TEE).

-----Original Message-----
From: David Ezell [mailto:David_E3@VERIFONE.com]
Sent: 18 May 2015 0:56
To: public-webpayments-ig@w3.org
Cc: Alan J. Thiemann (ajthiemann@gmail.com)
Subject: Paper on Summary of ISO12812 by Alan Thiemann

Dear Web Payments group:

My colleague Alan Thiemann[1] has written a summary of ISO 12812[2].  This work is Alan's opinion of the work - not official.  But it is a very good introduction to the work and the expected trajectory at ISO.

I would request that everyone in our group give this paper consideration - it won't take long, and will help inform any needed discussion.

Best regards,
David

[1] Alan is on the Board of Advisors for Conexxus (NACS technology) and does work for NACS.  He serves as chair of the X9 Mirror Group handling ISO 12812 work in the US.
[2] https://lists.w3.org/Archives/Member/w3c-archive/2015May/att-0254/Executive_Summary_of_ISO_12812_05012015.pdf

Received on Monday, 18 May 2015 14:58:29 UTC