Re: Web Crypto - GlobalPlatform collaboration proposal from Harry Halpin on 2014-10-24 (public-web-security@w3.org from October 2014)

From: Harry Halpin <hhalpin@w3.org>
Date: Fri, 24 Oct 2014 11:22:15 +0200
To: gil.bernabeu@globalplatform.org, public-web-security@w3.org
Message-ID: <544A1A47.5080204@w3.org>
On 10/23/2014 04:57 PM, gil.bernabeu@globalplatform.org wrote:
> 
> Dear all
> 
> Following the W3C WebCrypto.next workshop that showed strong focus and support for accessing HW security tokens, GlobalPlatform believes that there are different use cases that need to be supported for Web applications, and that different solutions should be considered jointly.
> 
> 
> - Accessing to a crypto engine 
> -> W3C Webcrypto.next should allow selecting different crypto environment such as software, Trusted Execution Environment (TEE) based, Secure element(SE) based , ….this will allow a web app to perform the crypto function in a environment compatible with his own risk management if available in the device.
> 
> - Accessing to standardized services (eg FIDO, webpki ...) 
> - > W3C should create an unique API that combined with a specific middleware automatically deployed (eg service or crypto environment specific) will allow a Web App to be as independent as possible from each specific implementation of the service
> 
> - Accessing to secure services that are not standardized (eg most of the SE or TEE services today) 
> As part of the security rules, end 2 end security requirements doesn’t allow the browser to create or modify an encrypted command to access a secure services hosted in a TEE or in SE. The commands to be sent to an application hosted in a TEE or in SE are created in a secure cloud and only needs to be forwarded to the secure component. To support this market requirement, web app needs to have a simple layer to pass command to the secure component. W3C should allow web app to access to similar service as proposed by TEE client API for the TEE or Open Mobile API for the SE presented by Herve during the Workshop.
>  
> - Control of access HW security services – just as there are requirements on control of access to a Secure Application from an OS, for instance permissions based on identification of the client application, a similar solution should be deployed to control access from websites to Secure Applications.
> 
> GlobalPlatform is ready to provides with such web app open source APIs is full collaboration with W3C environment.

Thanks very much for the contribution. Just so folks know, W3C is now in
procesing of setting up an official liasion relationship with
GlobalPlatform.

In terms of all the above good suggestions, we'd like to know more.
In my experience, a W3C Working Group maximizes its chance I think what
would be be great would be if the various solutions in this space are
sketched out in some detail before the Working Group begins.

We also have to work hard to maintain the royalty-free licensing. We
have a process for letting organizations contribute to W3C
standardization processes before the process begins via what is called
Member Submissions if a W3C member (Tyfone for example) is involved.
There is an additional Non-member contribute licensing agreement
involved we can send folks via email.

http://www.w3.org/Submission/

http://www.w3.org/Submission/2014/02/


  cheers,
       harry




> 
>  Best Regards 
> ----------- Gil BERNABEU --------------- 
> GlobalPlatform Technical Director 
> http://www.globalplatform.org 
>
Received on Friday, 24 October 2014 09:22:16 UTC