GlobalPlatform / WebApis-for-SE

Open source Apis to access a Secure Element from a Web application
Apache License 2.0

Authorized web applications are allowed #32

Closed hchavers closed 8 years ago

hchavers commented 8 years ago

Comments from Trusted Computing Group - Item # 13

Section: 6. Access Control

Comment: RE “In order to make sure only authorized web applications are allowed to use the Secure Element, the web application runtime MUST use ...”

Proposed Resolution: Is the intent to EXCLUDE any non-web-app users of the Secure Element or to EXCLUDE use of the Secure Element by unauthorized web applications?

serianox commented 8 years ago

The intent is only to control access from web apps. Non-web apps, e.g. middleware, will still have access to the Secure Element as they used to.

Note that it does not protect against a compromised device that would not properly implement the Access Control Enforcer, which is addressed by the internal protection of the Secure Element itself (using e.g. PIN or secure messaging).

This does not, however, prevent the user device from implementing the same or similar mechanism defined in [GP-AC] to control access to the Secure Element from non-web apps, e.g. [OMAPI] in Android.