A briefing on the W3C SE API

To get some feeling for the difficulties combining traditional smart cards and browsers, you may take a peek at:
http://lists.w3.org/Archives/Public/public-sysapps/2014Apr/0057.html

I feel pity for Mozilla who bought into this API which also suffers from the "minor" snag that SIM-cards cannot be used except through cooperation with operators.
Banks and operators are not the most obvious bedfellows, IMO it is rather the opposite.

Apple, Google and Microsoft have so far not commented on this API which is sort of understandable since they have already invested in embedded security hardware which is much easier to deal with. Of course without any coordination whatsoever.

I.e. this topic is effectively out of scope for true standardization. Microsoft and the US government once had a chance of coming up with a universal solution when the FIPS201/PIV standard was designed. However, the smart card vendors kept the most interesting part for themselves (initialization), which the, mildly put, non-visionary NIST folks didn't realize would make their great standard useless for the private sector like banks, who simply cannot motivate spending $200+ per seat for a "Security Solution". The rest is history, with an endless series of security breaches due to the use of unauthenticated credit-card numbers.

Due to this situation I feel pretty OK continuing with the Firefox WebCrypto extension ( https://bugzilla.mozilla.org/show_bug.cgi?id=978867 ). And if someone finds a better mousetrap? Well, that's life :-)

thanx,
Anders

Received on Saturday, 12 April 2014 05:28:17 UTC