GlobalPlatform / WebApis-for-SE

Open source APIs to access a Secure Element from a Web application
Apache License 2.0

Access Control Enforcer #33

Closed hchavers closed 8 years ago

hchavers commented 8 years ago

Comments from Trusted Computing Group - Item # 14

Section: 6.1 Overall Architecture

Comment: Re “An Access Control Enforcer is running on the same device as the off-card application.”

Proposed Resolution: It appears that a compromised Requesting application could compromise the access control enforcer. How would this be implemented? Or is the figure wrong? Is the Access Control Enforcer in the kernel? Shouldn't it be higher privilege than the application?

serianox commented 8 years ago

I don't have access to the [GP-AC] currently, but I assume from the drawing that the Access Control Enforcer is separated from the Requesting Application through process isolation, sandbox or any similar mechanism.

opoto commented 8 years ago

Yes, the Access Control Enforcer is defined in GP-AC. Please refer to this specification for more information about it.