Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

Ryan, this model... when you say "that can reasonably consider the web
security model," rather than ask "what model?" I would ask: is it one that
you can visualize, and after visualizing it, would you draw or display it
and finally show anyone how to make it work (including someone with no
computer experience)?

When I hear people refer to "web security" I tend to visualize streams of
data (along with everything else) getting pulled into a black hole. But
that's just how I'd visualize it.
On Feb 2, 2015 2:01 PM, "Ryan Sleevi" <sleevi@google.com> wrote:

>
>
> On Mon, Feb 2, 2015 at 1:54 PM, Siva Narendra <siva@tyfone.com> wrote:
>
>> Ryan -- if we are able to collaborate and come up with a web
>> implementation architecture that not only encompasses FIDO, but also
>> equally viable standards such as PIV Derived Credentials [1] and EMV
>> Tokenization [2]....and such standards to come in other industries, will
>> you be supportive of it? Or do you not want to support anything other than
>> FIDO?
>>
>> Same question for Anders and Brad.
>>
>> Best,
>> Siva
>>
>> [1] http://www.nist.gov/manuscript-publication-search.cfm?pub_id=914530
>> [2] http://www.emvco.com/specifications.aspx?id=263
>>
>>
> Siva,
>
> I'll echo what I've said publicly for the last three years:
> - If a proposal is put forward that can reasonably consider the Web
> Security model and fit within the privacy goals, it will be considered.
>
> You've put forward a false dichotomy by suggesting it's "FIDO or legacy".
>
> Without evaluating [1] or [2], if they cannot or do not fit the web
> security model, then unquestionably, I oppose and will continue to oppose
> them. FIDO respects these goals - and was designed with them first and
> foremost in mind - so it absolutely deserves consideration.
>
> There has yet to be a proposal that demonstrates how [1] or [2], or any of
> the other legacy APDU systems, can be done in a way that preserves and
> respects security and privacy at the right layer (the origin). So
> naturally, I see no reason to block FIDO from being exposed, especially
> when three years have passed - in which time FIDO was written, implemented,
> and made mass-market available - while no such earnest efforts appear to
> have happened for legacy.
>

Received on Sunday, 5 April 2015 15:39:07 UTC