Re: WebCrypto.Next conference conclusions

On 09/12/2014 11:55 AM, Anders Rundgren wrote:
> The conclusion was to include support for security hardware for more 
> traditional smart card applications that are already widely
> deployed.

Did the FIDO stuff factor into the discussion anywhere?

> My personal belief is that this does not mean retrofitting the web
> for the existing very diverse set of cards out there because this
> would lead to "Driver Hell".  There was also moderate interest in
> supporting smart cards at the APDU-level although that (on paper)
> would give support for every card.
> As a Google representative said: I don't think many web-developers
> would be able to write a login solution based on APDUs.  So right!!!


> So where does that lead us?  IMO, the only workable solution is
> creating a "WebToken" along the lines of FIDO but using a different
> access control/mediation mechanism to get away from the SOP
> constraint which does not match current use of smart cards.

Who is "us"? What would the "WebToken" be used for? What would we use
instead of the same-origin policy? Could you expand on this bit a little
more? I'm not following what you're saying.

> If this actually succeeds it would be no less than a revolution!

Since I don't follow, I don't understand why it would be a revolution.
Specifically what part would be a revolution?

Received on Friday, 19 September 2014 01:46:39 UTC