- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 24 Jul 2014 11:19:49 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>, public-webpayments@w3.org

On 2014-07-23 03:54, Manu Sporny wrote:
> On 07/13/2014 12:33 AM, Anders Rundgren wrote:
>> How come the competition didn't buy into the TPM?
>>
>> TPMs are based on a "one-size-fits-all" security API philosophy.
>> Since Intel relies on external vendors supplying TPM-components this
>> (IMHO fairly unwieldy) API must also be standardized which makes the
>> process updating TPMs extremely slow and costly.
>>
>> TEEs OTOH can be fitted at any time with application-specific
>> security APIs which both can be standardized or entirely proprietary.
>> In fact, even third-parties can create new security APIs using
>> GlobalPlatform's TEE!
>
> Hey Anders,
>
> Could you elaborate a bit more on how we could apply this approach to
> the Web Payments initiative? The part that I don't understand is that if
> you allow entirely proprietary APIs into the mix, how do you achieve
> interoperability?

Hi Manu,

Good question! What I meant was that for example payments represent a
specific application which could be supported by a TEE-based scheme.
The TPM-folks are trying to define mobile payment systems on top of
something that was designed by OS-security experts which doesn't work
particularly well.

> Does it not matter at that level?

See below.

>
> To bring this more in line w/ what we're doing. We hope that the payment
> initiation mechanism that we end up standardizing is going to allow
> Visa, Mastercard, PayPal, Bitcoin, Ripple, etc. to all be listed as
> payment options by the merchant and selected freely by the customer
> depending on which payment mechanism they want to use. Is this an
> example of the approach that you're suggesting?

I would use the TEE for keeping keys that could be used for any number
of applications including payments. It will happen but I guess most
people are waiting (as usual I might say...) for Google to tell the
rest of the industry how to do it. Well, Samsung is also involved.

http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937

Anders

>
> -- manu
>

Received on Thursday, 24 July 2014 09:20:27 UTC