Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

From: Siva Narendra <siva@tyfone.com>
Date: Wed, 11 Mar 2015 18:05:55 -0700
Message-ID: <CAJhTYQzHX384DXJ1FAEhyNgqw-6JhRKMSq=Y4Hd8EpKVtSmgbQ@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: Harry Halpin <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>, Charles Engelke <w3c@engelke.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>

Wendy -- thank you for the clarification. Makes sense.

What we were trying to communicate is that -- FIDO is not the same as
secure hardware. FIDO can run on secure hardware.  FIDO is on the same
level as a security applet (speaking smart card language here). There are
other security applets such as PKCS15, EMV-Visa, EMV-Mastercard,
EMV-UnionPay, EMV-Amex, EMV-Discover (etc), CAC/PIV and all the methods
that the Governments from Europe represented at the workshop. We would like
the web community to consider a framework that is generic to support any
past, present, and future security applets. It is possible and it can be
done. E.g. Apple Pay supports 3 different EMV security applets -- one from
Visa, another one from Mastercard and a third from Amex.

So, for the web, we would propose (attached is a starting point) something
that would support everything including FIDO. I and the rest of the smart
card community are not against FIDO; we are in general against the web
supporting only FIDO.

Best regards,
Siva

--
Siva G. Narendra Ph.D.
CEO - Tyfone, Inc.
Portland | Bangalore | Taipei
www.tyfone.com <http://www.tyfone.com>
Voice: +1.661.412.2233

On Wed, Mar 11, 2015 at 2:55 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi Siva and all,
>
> To follow up on Harry's response, we have great interest in doing more
> work on secure authentication building on the WebCrypto API. As its
> Chair has expressed, the WebCrypto WG wants to complete its work with a
> tight focus on the WebCrypto API and related deliverables.
>
> For my part, I look forward to supporting additional groups focused on
> extending WebCrypto's work, whether based in FIDO or secure hardware.
> Any member can propose work, and so long as there is interest and a path
> to getting interoperable implementations, some members'
> non-participation does not act as a veto.
>
> --Wendy
>
> On 03/11/2015 05:32 PM, Siva Narendra wrote:
> > Thank you Harry.
> >
> > -Siva
> >
> >
> >
> > On Wed, Mar 11, 2015 at 2:27 PM, Harry Halpin <hhalpin@w3.org> wrote:
> >
> >>
> >>
> >> On 03/11/2015 09:59 PM, Siva Narendra wrote:
> >>> +adding Pub-Web-Security for continuity from the Workshop
> >>>
> >>> Thank you Harry. Few questions:
> >>>
> >>>    1. Does this mean "FIDO will not be implemented under this WG?"
> >>>    2. Is the statement "All the web browser implementers do not want to
> >>>    support hardware tokens or anything that is outside of cryptography in
> >>>    within the scope of WG?" or "One browser vendor does not want to support
> >>>    anything other than FIDO?"
> >>
> >> I think the answer should be:
> >>
> >> 1) FIDO will not be implemented under the Web Crypto Working Group, but
> >> may be pursued in another WG.
> >>
> >> 2) Hardware token support, both in a manner consistent with a revised
> >> Gemalto proposal that takes on board feedback like respect for
> >> same-origin policy, should be pursued in another Working Group, but not
> >> in the WebCrypto WG.
> >>
> >> Does that help?
> >>
> >> The real question now is what the shape and charter(s) of the new
> >> Working Groups will be, along with associated time-frames.
> >>
> >> There have been formal Member submissions neither from the smartcard
> >> vendors nor FIDO, but lots of informal discussion. However, the workshop
> >> did reach consensus that hardware token support should be part of the
> >> Open Web Platform, and the W3C would like to follow this up with one or
> >> more new Working Groups if the work does not match existing Working Groups.
> >>
> >>
> >> As the discussion in Web Crypto WG shows, it does not match at the time
> >> being as the implementors want to focus on algorithm maintenance and
> >> finishing version 1.0.
> >>
> >> If opinions have drastically changed since the workshop, we would like
> >> to revisit that consensus via a survey of W3C members but we are hoping
> >> there is still consensus and momentum.
> >>
> >>    cheers,
> >>        harry
> >>
> >>
> >>
> >>
> >>>
> >>> This is important for the eco-system to know so we can determine if this
> >>> work should be pursued inside W3C or outside.
> >>>
> >>> Thank you,
> >>> Siva
> >>>
> >>>
> >>> On Wed, Mar 11, 2015 at 11:16 AM, Harry Halpin <hhalpin@w3.org> wrote:
> >>>
> >>>>
> >>>>
> >>>> On 03/11/2015 07:08 PM, Charles Engelke wrote:
> >>>>> I'm new to this WG and W3C in general, so I may be missing points on
> >>>>> how this works. But until today that draft did include adding new use
> >>>>> cases. Today that was revised to say "the Web Crypto WG will not
> >>>>> adress any new use case others then the ones developed with the first
> >>>>> version of the Web Crypto API."
> >>>>>
> >>>>> Did I miss the process that made this change?
> >>>>
> >>>> There were strong objections from members of the Working Group, in
> >>>> particular implementers that are on public record.
> >>>>
> >>>> Thus, while the W3C is still committed to finding an appropriate home
> >>>> for these use-cases and associated standards, it will not be this
> >>>> Working Group.
> >>>>
> >>>> If you have a particular use-case and proposed technical solution that
> >>>> you think would be acceptable to implementers, e-mail the Web Security
> >>>> Interest Group at public-web-security@w3.org.
> >>>>
> >>>>     cheers,
> >>>>        harry
> >>>>
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Charlie
> >>>>>
> >>>>> On Wed, Mar 11, 2015 at 1:13 PM, GALINDO Virginie
> >>>>> <Virginie.Galindo@gemalto.com> wrote:
> >>>>>> Dear all,
> >>>>>>
> >>>>>> You will find here
> >>>>>> https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter the basis of
> >>>>>> the next Web Crypto WG charter.
> >>>>>>
> >>>>>> Based on the feedback on this mailing list, despite the long discussions we
> >>>>>> had related to new features such as crypto service in secure element,
> >>>>>> certificate management, authentication management, this charter only
> >>>>>> addresses the maintenance of the Web Crypto API, and the creation of
> >>>>>> extension for specific algorithms.
> >>>>>>
> >>>>>> What I am expecting from working group participants now is the algorithms
> >>>>>> they would like to see as extension of the Web Crypto API. This will help us
> >>>>>> to get a list of the extension we plan to address in the framework of that
> >>>>>> specific working group.
> >>>>>>
> >>>>>> Please note that there are some discussions in AC forum about restricting
> >>>>>> activities of any WG that does not work under a valid charter. Our charter
> >>>>>> will expire on the 31st of March, as such, we should try to get consensus on
> >>>>>> the new charter as soon as possible (or we will have to ask an extension to
> >>>>>> W3C director).
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Regards,
> >>>>>> Virginie Galindo
> >>>>>> gemalto
> >>>>>> chair of the web crypto WG
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >
>
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>
>


Received on Thursday, 12 March 2015 01:06:43 UTC
