W3C home > Mailing lists > Public > public-web-security@w3.org > March 2015

RE: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

From: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Date: Tue, 17 Mar 2015 09:17:39 +0000
To: Colin Gallagher <colingallagher.rpcv@gmail.com>, Anders Rundgren <anders.rundgren.net@gmail.com>
CC: Wendy Seltzer <wseltzer@w3.org>, Siva Narendra <siva@tyfone.com>, "Harry Halpin" <hhalpin@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, Charles Engelke <w3c@engelke.com>
Message-ID: <540E99C53248CE468F6F7702588ABA2AD275675A@A1GTOEMBXV005.gto.a3c.atos.net>
[chair hat on]
Colin, Anders,

Standard is about process but also about evaluating the chances to get something actually done. Not guessing the future, but at least reading the evidences you have in front of you.

W3C Recommendations can only happen when there are two interoperables implementations. Implementers in this WG are not supporting the integration of secure enablers in that WG. The chances to get something on that specific topic, here, are low. Thus, as chair, I don’t see any value blocking the rechartering of this WG, discussing indefinitely that topic.
Lets be pragmatic, and recharter or extend the Web Crypto on the common consensual basis. I am inviting companies supporting inclusion of secure enablers in the open web platform to create another group. Creating another group means, a chance to 1) give visibility to the work, 2) get on board new people and new W3C members representatives, 3) forces the W3C members to revisit their support or not of specific feature (as per the process, W3C AC representatives need to approve the creation of each new working group).
Those arguments are the ones that lead me and the team to suggest to take the secure enablers topic out of Web Crypto WG.

Regards,
Virginie




From: Colin Gallagher [mailto:colingallagher.rpcv@gmail.com]
Sent: mardi 17 mars 2015 07:11
To: Anders Rundgren
Cc: Wendy Seltzer; Siva Narendra; Harry Halpin; public-web-security@w3.org; GALINDO Virginie; Charles Engelke
Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments


Except google code isn't going to exist anymore, because google is pulling it and anyone using it will likely just go to github. Anyway, a focused list wouldn't hurt for those interested in that topic, imho. My four satoshis have been given.
On Mar 16, 2015 10:06 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com<mailto:anders.rundgren.net@gmail.com>> wrote:
On 2015-03-17 04:34, Colin Gallagher wrote:
My impression was Wendy said some members' non-participation with respect to some idea or another doesn't act as a veto so, correct me if I'm wrong, but doesn't that imply that whether Google or someone else does or does not like an idea, then can't it be included anyway? So the group can proceed... not being concerned about vetoes of legacy security hardware, so basically, I think the answer is... yes.

Also, why new working group for secure hardware/tokens/FIDO/etc, when it could be a subgroup or interest group within webcrypto, time permitting (charter expiring on march 31, but will it be extended)? So, one could just call this additional group within webcrypto "secure hardware" and give it a list for those interested.  This is just my suggestion.

Finally, some of the security issues brought up... no Web Security Principle (maintained), plus, the Same Origin Policy doc is an IETF 2011 item itself in need of some review. Some of this stuff cited is extremely dated.

I would further suggest pushing this out for further public review, see if you can some more eyes on the process.

Colin, my claim from November last year is still valid:

https://lists.w3.org/Archives/Public/public-web-security/2014Nov/0032.html


The ultra-simple question put there didn't got an answer since there's none to find.

Therefore this activity is concluded and no new "smart-card-for-the-web" specifications will be presented, with FIDO alliance as an exception.

Well, indirect paths to similar goals have indeed been proposed but have for unclear reasons not been considered or commented on although indirect methods (=bypassing the browser) are already a de-facto standard for mobile devices.

Indirect methods are currently discussed and dealt with in places like this:
https://code.google.com/p/chromium/issues/detail?id=378566


Regards,
Anders

On 2015-03-12 15:54, GALINDO Virginie wrote:

    [gemalto representative hat on]

    gemalto supports to discuss in W3C the usage of the secure services based on hardware or combination

 > of hardware/software (e.g. secure element, trusted execution environement).

    We suggest to gather the supporting companies and draft a a charter for a Working Group or an Interest Group.
    this synchronization can happen in public, preferably on the public-web-security interest group mailing list

 > (to avoid overloading the web crypto working group mailing list).

We had an F2F, then we had discussions and finally we had the public dismissal
by Google of the core idea (=support for legacy security hardware in browsers).

That is, this activity is concluded and doesn't benefit from being rehashed
unless somebody has a silver bullet to offer.

Regards
Anders


    Regards,
    Virginie
    gemalto

    ________________________________________
    De : Wendy Seltzer [wseltzer@w3.org<mailto:wseltzer@w3.org> <mailto:wseltzer@w3.org<mailto:wseltzer@w3.org>>]
    Envoyé : mercredi 11 mars 2015 22:55
    À : Siva Narendra; Harry Halpin
    Cc :public-web-security@w3.org<mailto:public-web-security@w3.org> <mailto:public-web-security@w3.org<mailto:public-web-security@w3.org>>;public-webcrypto@w3.org<mailto:public-webcrypto@w3.org> <mailto:public-webcrypto@w3.org<mailto:public-webcrypto@w3.org>>; Charles Engelke; GALINDO Virginie
    Objet : Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

    Hi Siva and all,

    To follow up on Harry's response, we have great interest in doing more
    work on secure authentication building on the WebCrypto API. As its
    Chair has expressed, the WebCrypto WG wants to complete its work with a
    tight focus on the WebCrypto API and related deliverables.

    For my part, I look forward to supporting additional groups focused on
    extending WebCrypto's work, whether based in FIDO or secure hardware.
    Any member can propose work, and so long as there is interest and a path
    to getting interoperable implementations, some members'
    non-participation does not act as a veto.

    --Wendy

    On 03/11/2015 05:32 PM, Siva Narendra wrote:

        Thank you Harry.

        -Siva

        *--*

        *Siva G. Narendra Ph.D. CEO - Tyfone, Inc.Portland | Bangalore |
        Taipeiwww.tyfone.com<http://Taipeiwww.tyfone.com> <http://Taipeiwww.tyfone.com><http://www.tyfone.com>*
        *Voice:+1.661.412.2233<tel:%2B1.661.412.2233> <tel:%2B1.661.412.2233>*

        On Wed, Mar 11, 2015 at 2:27 PM, Harry Halpin <hhalpin@w3.org<mailto:hhalpin@w3.org> <mailto:hhalpin@w3.org<mailto:hhalpin@w3.org>>> wrote:

            On 03/11/2015 09:59 PM, Siva Narendra wrote:

                +adding Pub-Web-Security for continuity from the Workshop

                Thank you Harry. Few questions:

                     1. Does this mean "FIDO will not be implemented under this WG?"
                     2. Is the statement "All the web browser implementers do not want to
                     support hardware tokens or anything that is outside of cryptography in
                     within the scope of WG?" or "One browser vendors does not want to

            support

                     anything other than FIDO?"


            I think the answer should be:

            1) FIDO will not be implemented under the Web Crypto Working Group, but
            may be pursued in another WG.

            2) Hardware token support, both in a manner consistent with a revised
            Gemalto proposal that takes on board feedback like respect for
            same-origin policy, should be pursued in another Working Group, but not
            in the WebCrypto WG.

            Does that help?

            The real question now is what the shape and charter(s) of the new
            Working Groups will be, along with associated time-frames.

            There have been formal Member submissions neither from the smartcard
            vendors or FIDO, but lots of informal discussion. However, the workshop
            did reach consensus that hardware token support should be part of the
            Open Web Platform, and the W3C would like to follow this up with one or
            more new Working Groups if the work does not match existing Working Groups.

            As the discussion in Web Crypto WG shows, it does not match at the time
            being as the implementors want to focus on algorithm maintenance and
            finishing version 1.0.

            If opinions have drastically changed since the workshop, we would like
            to revisit that consensus via a survey of W3C members but we are hoping
            there is still consensus and momentum.

                 cheers,
                     harry



                This is important for the eco-system to know so we can determine if this
                work should be pursued inside W3C or outside.

                Thank you,
                Siva


                *--*

                *Siva G. Narendra Ph.D. CEO - Tyfone, Inc.Portland | Bangalore |
                Taipeiwww.tyfone.com<http://Taipeiwww.tyfone.com> <http://Taipeiwww.tyfone.com><http://www.tyfone.com>*
                *Voice:+1.661.412.2233<tel:%2B1.661.412.2233> <tel:%2B1.661.412.2233>*

                On Wed, Mar 11, 2015 at 11:16 AM, Harry Halpin <hhalpin@w3.org<mailto:hhalpin@w3.org> <mailto:hhalpin@w3.org<mailto:hhalpin@w3.org>>> wrote:

                    On 03/11/2015 07:08 PM, Charles Engelke wrote:

                        I'm new to this WG and W3C in general, so I may be missing points on
                        how this works. But until today that draft did include adding new use
                        cases. Today that was revised to say "the Web Crypto WG will not
                        adress any new use case others then the ones developed with the first
                        version of the Web Crypto API."

                        Did I miss the process that made this change?


                    There was strong objections from members of the Working Group, in
                    particular implementers that are on public record.

                    Thus, while the W3C is still committed do finding an appropriate home
                    for these use-cases and associated standards, it will not be this
                    Working Group.

                    If you have a particular use-case and proposed technical solution that
                    you think would be acceptable to implementers, e-mail the Web Security
                    Interest Group atpublic-web-security@w3.org<mailto:atpublic-web-security@w3.org> <mailto:public-web-security@w3.org<mailto:public-web-security@w3.org>>.

                          cheers,
                             harry


                        Thanks,

                        Charlie

                        On Wed, Mar 11, 2015 at 1:13 PM, GALINDO Virginie
                        <Virginie.Galindo@gemalto.com<mailto:Virginie.Galindo@gemalto.com> <mailto:Virginie.Galindo@gemalto.com<mailto:Virginie.Galindo@gemalto.com>>> wrote:

                            Dear all,

                            You will find here
                            https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charterthe


                    basis of

                            the next Web Crypto WG charter.

                            Based on the feedback on this mailing list, despite the long

                    discussions we

                            had related to new features such as crypto service in secure element,
                            certificate management, authentication management, this charter only
                            adresses the maintenance of the Web Crypto API, and the creation of
                            extension for specific algorithms.

                            What I am expecting from working group participants now is the

                    algorithms

                            they would like to see as extension of the Web Crypto API. This will

                    help us

                            to get a list of the extension we plan to adress in the framework of

                    that

                            specific working group.

                            Please note that there are some discussions in AC forum about

                    restricting

                            activities of any WG that does not work under a valid charter. Our

                    charter

                            will expire on the 31st of March, as such, we should try to get

                    consensus on

                            the new charter as soon as possible (or we will have to ask an

                    extension to

                            W3C director).

                            Regards,
                            Virginie Galindo
                            gemalto
                            chair of the web crypto WG

                            ________________________________
                            This message and any attachments are intended solely for the

            addressees

                    and

                            may contain confidential information. Any unauthorized use or

                    disclosure,

                            either whole or partial, is prohibited.
                            E-mails are susceptible to alteration. Our company shall not be liable

                    for

                            the message if altered, changed or falsified. If you are not the

                    intended

                            recipient of this message, please delete it and notify the sender.
                            Although all reasonable efforts have been made to keep this

            transmission

                            free from viruses, the sender will not be liable for damages caused

            by a

                            transmitted virus.





    --
    Wendy Seltzer --wseltzer@w3.org<mailto:wseltzer@w3.org> <mailto:wseltzer@w3.org<mailto:wseltzer@w3.org>>+1.617.715.4883<tel:%2B1.617.715.4883> <tel:%2B1.617.715.4883>(office)
    Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
    http://wendy.seltzer.org/ +1.617.863.0613<tel:%2B1.617.863.0613> <tel:%2B1.617.863.0613>(mobile)

    ________________________________
       This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
    E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
    Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
Received on Tuesday, 17 March 2015 09:18:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 17 March 2015 09:18:12 UTC