W3C home > Mailing lists > Public > public-web-security@w3.org > February 2015

Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 2 Feb 2015 12:58:15 -0800
Message-ID: <CACvaWvZkcDH+UJOu05PWoZKaR6=oN7-qnp_uEWFXbSCuJqrdAQ@mail.gmail.com>
To: Siva Narendra <siva@tyfone.com>
Cc: POTONNIEE Olivier <Olivier.Potonniee@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, Lu HongQian Karen <karen.lu@gemalto.com>, Harry Halpin <hhalpin@w3.org>, "PHoyer@hidglobal.com" <PHoyer@hidglobal.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Brad Hill <hillbrad@fb.com>
On Mon, Feb 2, 2015 at 12:45 PM, Siva Narendra <siva@tyfone.com> wrote:

> Hi Ryan --
>
> Unless I'm mistaken, FIDO leverages such GP secure elements in its devices.
>

May. That's up to device manufacturers.


> This was possible only because several companies already built such
> standards (GP) based secure elements and devices, for use with the web,
> even though web did not standardize its interfacing to such hardware. These
> devices allow any application developer to take advantage of hardware
> security, just like FIDO based application developers can.
>
> What some of us are asking for is to make sure that when web supports
> hardware security, that it be generic to support further innovation and not
> be limited to FIDO.
>
> I assume you do not object to this. Or is your view that all roads shall
> lead only to FIDO?
>
I think no roads lead to GP in its present form, as it's a horribly
antiquated security / privacy model that has no place on the Web.

I think if the roads lead anywhere, it's to a path where security and
privacy are intrinsic in the design. That requires platform manufacturers
making an honest effort to understand, appreciate, and design for a Web
security model, and to put forward proposals that reflect that
understanding. FIDO represents the only effort that has done so, and thus
certainly has the benefit of being the only solution put forward that could
reasonably be brought to the Web.

As expressed previously, we opposed attempting to charter the WebCrypto WG
for such explorations. Leave that for a CG/IG, but it's of no use to
require members to constantly explain the basics of web security, as has
been done every time bringing legacy devices has been put forward. If, as a
result of such discussions - inside or outside of the W3C - results in
something that sensibly addresses the fundamental security model of the
Web, then it's worth considering and discussing. But until then, it does a
disservice to those who have spent considerable time and effort on such
activities to stall on a yet unformulated solution.
Received on Monday, 2 February 2015 20:59:20 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 February 2015 20:59:21 UTC