
Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

From: Colin Gallagher <colingallagher.rpcv@gmail.com>
Date: Mon, 16 Mar 2015 23:11:08 -0700
Message-ID: <CABghAMhzOO2vpYygzK7J+_+SUGyFwuDEmPQtAmtpv3n7TvFTOQ@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, Siva Narendra <siva@tyfone.com>, Harry Halpin <hhalpin@w3.org>, public-web-security@w3.org, GALINDO Virginie <virginie.galindo@gemalto.com>, Charles Engelke <w3c@engelke.com>
Except Google Code isn't going to exist anymore, because Google is pulling
it and anyone using it will likely just go to GitHub. Anyway, a focused
list wouldn't hurt for those interested in that topic, imho. My four
satoshis have been given.
On Mar 16, 2015 10:06 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
wrote:

> On 2015-03-17 04:34, Colin Gallagher wrote:
>
>> My impression was Wendy said some members' non-participation with respect
>> to some idea or another doesn't act as a veto so, correct me if I'm wrong,
>> but doesn't that imply that whether Google or someone else does or does not
>> like an idea, then can't it be included anyway? So the group can proceed....
>> not being concerned about vetoes of legacy security hardware, so basically,
>> I think the answer is... yes.
>>
>> Also, why new working group for secure hardware/tokens/FIDO/etc, when it
>> could be a subgroup or interest group within webcrypto, time permitting
>> (charter expiring on march 31, but will it be extended)? So, one could just
>> call this additional group within webcrypto "secure hardware" and give it a
>> list for those interested.  This is just my suggestion.
>>
>> Finally, some of the security issues brought up... no Web Security
>> Principle (maintained), plus, the Same Origin Policy doc is an IETF 2011
>> item itself in need of some review. Some of this stuff cited is extremely
>> dated.
>>
>> I would further suggest pushing this out for further public review, see
>> if you can get some more eyes on the process.
>>
>
> Colin, my claim from November last year is still valid:
>
> https://lists.w3.org/Archives/Public/public-web-security/2014Nov/0032.html
>
> The ultra-simple question put there didn't get an answer since there's
> none to find.
>
> Therefore this activity is concluded and no new "smart-card-for-the-web"
> specifications will be presented, with FIDO alliance as an exception.
>
> Well, indirect paths to similar goals have indeed been proposed but have
> for unclear reasons not been considered or commented on although indirect
> methods (=bypassing the browser) are already a de-facto standard for mobile
> devices.
>
> Indirect methods are currently discussed and dealt with in places like
> this:
> https://code.google.com/p/chromium/issues/detail?id=378566
>
> Regards,
> Anders
>
>
>> On 2015-03-12 15:54, GALINDO Virginie wrote:
>>
>>     [gemalto representative hat on]
>>
>>     gemalto supports to discuss in W3C the usage of the secure services
>>     based on hardware or combination of hardware/software (e.g. secure
>>     element, trusted execution environment).
>>
>>     We suggest to gather the supporting companies and draft a charter
>>     for a Working Group or an Interest Group.
>>     this synchronization can happen in public, preferably on the
>>     public-web-security interest group mailing list
>>     (to avoid overloading the web crypto working group mailing list).
>>
>> We had an F2F, then we had discussions and finally we had the public
>> dismissal
>> by Google of the core idea (=support for legacy security hardware in
>> browsers).
>>
>> That is, this activity is concluded and doesn't benefit from being
>> rehashed
>> unless somebody has a silver bullet to offer.
>>
>> Regards
>> Anders
>>
>>
>>     Regards,
>>     Virginie
>>     gemalto
>>
>>     ________________________________________
>>     From: Wendy Seltzer [wseltzer@w3.org]
>>     Sent: Wednesday 11 March 2015 22:55
>>     To: Siva Narendra; Harry Halpin
>>     Cc: public-web-security@w3.org; public-webcrypto@w3.org; Charles
>>     Engelke; GALINDO Virginie
>>     Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your
>>     review and comments
>>
>>     Hi Siva and all,
>>
>>     To follow up on Harry's response, we have great interest in doing more
>>     work on secure authentication building on the WebCrypto API. As its
>>     Chair has expressed, the WebCrypto WG wants to complete its work with
>>     a tight focus on the WebCrypto API and related deliverables.
>>
>>     For my part, I look forward to supporting additional groups focused on
>>     extending WebCrypto's work, whether based in FIDO or secure hardware.
>>     Any member can propose work, and so long as there is interest and a
>>     path to getting interoperable implementations, some members'
>>     non-participation does not act as a veto.
>>
>>     --Wendy
>>
>>     On 03/11/2015 05:32 PM, Siva Narendra wrote:
>>
>>         Thank you Harry.
>>
>>         -Siva
>>
>>         --
>>         Siva G. Narendra Ph.D., CEO - Tyfone, Inc.
>>         Portland | Bangalore | Taipei
>>         www.tyfone.com
>>         Voice: +1.661.412.2233
>>
>>         On Wed, Mar 11, 2015 at 2:27 PM, Harry Halpin <hhalpin@w3.org> wrote:
>>
>>             On 03/11/2015 09:59 PM, Siva Narendra wrote:
>>
>>                 +adding Pub-Web-Security for continuity from the Workshop
>>
>>                 Thank you Harry. Few questions:
>>
>>                      1. Does this mean "FIDO will not be implemented
>>                      under this WG?"
>>                      2. Is the statement "All the web browser
>>                      implementers do not want to support hardware tokens
>>                      or anything that is outside of cryptography in
>>                      within the scope of WG?" or "One browser vendor
>>                      does not want to support anything other than FIDO?"
>>
>>
>>             I think the answer should be:
>>
>>             1) FIDO will not be implemented under the Web Crypto Working
>> Group, but
>>             may be pursued in another WG.
>>
>>             2) Hardware token support, both in a manner consistent with a
>> revised
>>             Gemalto proposal that takes on board feedback like respect for
>>             same-origin policy, should be pursued in another Working
>> Group, but not
>>             in the WebCrypto WG.
>>
>>             Does that help?
>>
>>             The real question now is what the shape and charter(s) of the
>> new
>>             Working Groups will be, along with associated time-frames.
>>
>>             There have been formal Member submissions neither from the
>>             smartcard vendors nor FIDO, but lots of informal discussion.
>>             However, the workshop did reach consensus that hardware token
>>             support should be part of the Open Web Platform, and the W3C
>>             would like to follow this up with one or more new Working
>>             Groups if the work does not match existing Working Groups.
>>
>>             As the discussion in Web Crypto WG shows, it does not match
>>             at the time being as the implementors want to focus on
>>             algorithm maintenance and finishing version 1.0.
>>
>>             If opinions have drastically changed since the workshop, we
>>             would like to revisit that consensus via a survey of W3C
>>             members but we are hoping there is still consensus and
>>             momentum.
>>
>>                  cheers,
>>                      harry
>>
>>
>>
>>                 This is important for the eco-system to know so we can
>> determine if this
>>                 work should be pursued inside W3C or outside.
>>
>>                 Thank you,
>>                 Siva
>>
>>
>>                 --
>>                 Siva G. Narendra Ph.D., CEO - Tyfone, Inc.
>>                 Portland | Bangalore | Taipei
>>                 www.tyfone.com
>>                 Voice: +1.661.412.2233
>>
>>                 On Wed, Mar 11, 2015 at 11:16 AM, Harry Halpin
>>                 <hhalpin@w3.org> wrote:
>>
>>                     On 03/11/2015 07:08 PM, Charles Engelke wrote:
>>
>>                         I'm new to this WG and W3C in general, so I may
>>                         be missing points on how this works. But until
>>                         today that draft did include adding new use
>>                         cases. Today that was revised to say "the Web
>>                         Crypto WG will not address any new use case other
>>                         than the ones developed with the first version of
>>                         the Web Crypto API."
>>
>>                         Did I miss the process that made this change?
>>
>>
>>                     There were strong objections from members of the
>>                     Working Group, in particular implementers that are on
>>                     public record.
>>
>>                     Thus, while the W3C is still committed to finding an
>>                     appropriate home for these use-cases and associated
>>                     standards, it will not be this Working Group.
>>
>>                     If you have a particular use-case and proposed
>>                     technical solution that you think would be acceptable
>>                     to implementers, e-mail the Web Security Interest
>>                     Group at public-web-security@w3.org.
>>
>>                           cheers,
>>                              harry
>>
>>
>>                         Thanks,
>>
>>                         Charlie
>>
>>                         On Wed, Mar 11, 2015 at 1:13 PM, GALINDO Virginie
>>                         <Virginie.Galindo@gemalto.com> wrote:
>>
>>                             Dear all,
>>
>>                             You will find here
>>                             https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter
>>                             the basis of the next Web Crypto WG charter.
>>
>>                             Based on the feedback on this mailing list,
>>                             despite the long discussions we had related to
>>                             new features such as crypto service in secure
>>                             element, certificate management, authentication
>>                             management, this charter only addresses the
>>                             maintenance of the Web Crypto API, and the
>>                             creation of extension for specific algorithms.
>>
>>                             What I am expecting from working group
>>                             participants now is the algorithms they would
>>                             like to see as extension of the Web Crypto API.
>>                             This will help us to get a list of the
>>                             extension we plan to address in the framework
>>                             of that specific working group.
>>
>>                             Please note that there are some discussions
>>                             in AC forum about restricting activities of
>>                             any WG that does not work under a valid
>>                             charter. Our charter will expire on the 31st
>>                             of March, as such, we should try to get
>>                             consensus on the new charter as soon as
>>                             possible (or we will have to ask an extension
>>                             to W3C director).
>>
>>                             Regards,
>>                             Virginie Galindo
>>                             gemalto
>>                             chair of the web crypto WG
>>
>>                             ________________________________
>>                             This message and any attachments are intended
>>                             solely for the addressees and may contain
>>                             confidential information. Any unauthorized use
>>                             or disclosure, either whole or partial, is
>>                             prohibited.
>>                             E-mails are susceptible to alteration. Our
>>                             company shall not be liable for the message if
>>                             altered, changed or falsified. If you are not
>>                             the intended recipient of this message, please
>>                             delete it and notify the sender.
>>                             Although all reasonable efforts have been made
>>                             to keep this transmission free from viruses,
>>                             the sender will not be liable for damages
>>                             caused by a transmitted virus.
>>
>>
>>
>>
>>
>>     --
>>     Wendy Seltzer -- wseltzer@w3.org  +1.617.715.4883 (office)
>>     Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>>     http://wendy.seltzer.org/  +1.617.863.0613 (mobile)
>>
>
Received on Tuesday, 17 March 2015 06:12:22 UTC