Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 2 Feb 2015 13:59:07 -0800
Message-ID: <CACvaWvYtVyQTDAAZOE+hHLRKG0NK4zric84LD+B-6PuS=YQyrg@mail.gmail.com>
To: Siva Narendra <siva@tyfone.com>
Cc: Harry Halpin <hhalpin@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Brad Hill <hillbrad@fb.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, Lu HongQian Karen <karen.lu@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, POTONNIEE Olivier <Olivier.Potonniee@gemalto.com>, "PHoyer@hidglobal.com" <PHoyer@hidglobal.com>

On Mon, Feb 2, 2015 at 1:54 PM, Siva Narendra <siva@tyfone.com> wrote:

> Ryan -- if we are able to collaborate and come up with a web
> implementation architecture that not only encompassed FIDO, but also
> equally viable standards such as PIV Derived Credentials [1] and EMV
> Tokenization [2]... and such standards to come in other industries, will
> you be supportive of it? Or, you do not want to support anything other than
> FIDO?
>
> Same question for Anders and Brad.
>
> Best,
> Siva
>
> [1] http://www.nist.gov/manuscript-publication-search.cfm?pub_id=914530
> [2] http://www.emvco.com/specifications.aspx?id=263
>
>
Siva,

I'll echo what I've said publicly for the last three years:
- If a proposal is put forward that can reasonably consider the Web
Security model and fit within the privacy goals, it will be considered.

You've put forward a false dichotomy by suggesting it's "FIDO or legacy".

Without evaluating [1] or [2], if they cannot or do not fit the web
security model, then unquestionably, I oppose and will continue to oppose
them. FIDO respects these goals - and was designed with them first and
foremost in mind - so it absolutely deserves consideration.

There has yet to be a proposal that demonstrates how [1] or [2], or any of
the other legacy APDU systems, can be done in a way that preserves and
respects security and privacy at the right layer (the origin). So
naturally, I see no reason to block FIDO from being exposed, especially
when three years have passed - in which time FIDO was written, implemented,
and made mass-market available - while no such earnest efforts appear to
have happened for legacy.

Received on Monday, 2 February 2015 21:59:56 UTC