
[closing the gap] security perspectives

From: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
Date: Tue, 28 May 2013 11:26:55 +0200
To: "public-web-security@w3.org" <public-web-security@w3.org>
CC: Dominique Hazael-Massieux <dom@w3.org>
Message-ID: <239D7A53E5B17B4BB20795A7977613A4A868D2079B@CROEXCFWP04.gemalto.com>
Hi all,

There is a security discussion in another mailing list in W3C, named closing the gap (http://lists.w3.org/Archives/Public/public-closingthegap/). The objective of closing the gap is to point out the functional features missing in the web environment that could make the difference compared to the native environment. This headlight is managed by Dom from W3C (CCed).

In order to progress on that one, I have put together my view about security in native apps and identified things missing in the web app ecosystem. Thanks for commenting if you believe there are things missing.

> Life cycle of native apps
- design and usage of security enablers such as management of keys, login/passwords, TLS, certificate management, access to secure storage, access to secure element or TEE, application authentication operation, user identity management...
- loading of the application, including origin and integrity check
- update and versioning management
- blacklisting/revoking application

> security of execution environment 
OS devices can sometimes go for security certification, increasing the robustness of the environment, which browsers today do not do - unless I missed something.

To my knowledge, the SysApp WG and the WebApps WG are managing a lot regarding the packaging/loading/updating/versioning of applications, by creating an appropriate packaging and security model to access specific APIs (including user permission and/or signature management). What is not addressed today are blacklisting/revoking and the availability of security enablers (except management of keys and crypto operation which is managed in the Web Crypto WG I am chairing). 

Do you, security experts, have the same view?
In case you want to join the people trying to think about it in the 'closing the gap' headlight, just let me know. 

Regards,
Virginie Galindo
gemalto
-----Original Message-----
From: Dominique Hazael-Massieux [mailto:dom@w3.org] 
Sent: Friday 3 May 2013 14:55
To: public-closingthegap@w3.org; tobie@w3.org; robin@w3.org; chaals@yandex-team.ru; jonas@sicking.cc; Alex Russell; yehuda.katz@jquery.com; daniel.appelquist@telefonica.com; Anssi.Kostiainen@intel.com; wayne.carr@linux.intel.com
Subject: Volunteers needed to work on action plans

Hi,

During the call on Tuesday, a few people volunteered to take the lead on defining action plans [1] in the upcoming 3 weeks on the following topics:
* Marcos will work on providing an action plan around network optimizations

* Scott will work on an action plan around Web Apps user experiences (and has already started discussions toward that:
http://lists.w3.org/Archives/Public/public-closingthegap/2013May/0003.html )

* Virginie will work on an action plan on security considerations for Web apps

* I will take the lead on an action plan to help drive offline support in Web apps faster; (I would welcome someone else stepping up on that one though — Robin? Tobie?)

I list below the topics that haven't found leaders yet; for each topic, I have put the names of people who I think might have sufficient interest in it to be driving further work, but this should by no means prevent other people from volunteering to lead the topic.

Pragmatically, there is little chance we can get additional W3C resources for a given topic if nobody steps up to describe what the resources should be and what for; so if you feel a topic below is of critical importance, I strongly encourage you to volunteer or find a volunteer.

* Searching Web Apps: Chaals? Jonas? Mounir?
http://lists.w3.org/Archives/Public/public-closingthegap/2013Mar/0063.html


* Functional Web / Web Intents / Web Activities: Robin? Anssi? Mounir?
http://lists.w3.org/Archives/Public/public-closingthegap/2013Mar/0063.html


* in-context discovery: Scott? Myself?
http://lists.w3.org/Archives/Public/public-closingthegap/2013Apr/0015.html


* App-cache post-mortem: Tobie? Myself?
http://lists.w3.org/Archives/Public/public-closingthegap/2013Apr/0021.html


* Consistency and dependency: Tobie? Alex? DKA? Wayne?
http://lists.w3.org/Archives/Public/public-closingthegap/2013Apr/0022.html


* Developer tools: Robin? Alex? Yehuda? Wayne?
http://lists.w3.org/Archives/Public/public-closingthegap/2013Apr/0036.html


I would very much hope to hear back from as many of the task force participants as possible about their interest in leading work in these areas.

Thanks!

Dom

[1] http://lists.w3.org/Archives/Public/public-closingthegap/2013Apr/0041.html
Received on Tuesday, 28 May 2013 09:27:28 UTC