
Re: The TPM is dead, long live the TEE!

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 24 Jul 2014 11:19:49 +0200
Message-ID: <53D0CFB5.2070803@gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>, public-webpayments@w3.org
On 2014-07-23 03:54, Manu Sporny wrote:
> On 07/13/2014 12:33 AM, Anders Rundgren wrote:
>> How come the competition didn't buy into the TPM?
>>
>> TPMs are based on a "one-size-fits-all" security API philosophy.
>> Since Intel relies on external vendors supplying TPM components, this
>> (IMHO fairly unwieldy) API must also be standardized, which makes the
>> process of updating TPMs extremely slow and costly.
>>
>> TEEs OTOH can be fitted at any time with application-specific
>> security APIs, which can be either standardized or entirely proprietary.
>> In fact, even third parties can create new security APIs using
>> GlobalPlatform's TEE!
>
> Hey Anders,
>
> Could you elaborate a bit more on how we could apply this approach to
> the Web Payments initiative? The part that I don't understand is that if
> you allow entirely proprietary APIs into the mix, how do you achieve
> interoperability?

Hi Manu,
Good question!  What I meant was that for example payments represent a
specific application which could be supported by a TEE-based scheme.

The TPM folks are trying to define mobile payment systems on top of something
that was designed by OS-security experts, which doesn't work particularly well.

> Does it not matter at that level?

See below.

>
> To bring this more in line w/ what we're doing. We hope that the payment
> initiation mechanism that we end up standardizing is going to allow
> Visa, Mastercard, PayPal, Bitcoin, Ripple, etc. to all be listed as
> payment options by the merchant and selected freely by the customer
> depending on which payment mechanism they want to use. Is this an
> example of the approach that you're suggesting?

I would use the TEE for keeping keys that could be used for any number
of applications including payments.  It will happen but I guess most
people are waiting (as usual I might say...) for Google to tell the
rest of the industry how to do it.  Well, Samsung is also involved.

http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937

Anders

>
> -- manu
>
Received on Thursday, 24 July 2014 09:20:27 UTC
