Re: Draft security charters for discussion at TPAC

On 10/23/2015 09:28 AM, Melvin Carvalho wrote:
> On 23 October 2015 at 11:05, Wendy Seltzer <wseltzer@w3.org> wrote:
> 
>> Hi Web Security,
>>
>> Last year, we announced work in progress on new security work-areas,
>> then proposed as a re-chartering of the Web Cryptography Working Group.[1]
>>
>> WebCrypto is concluding its work and we have identified two distinct
>> areas of potential new work: Web Authentication and Hardware-Based
>> Security. We propose to discuss draft charters for this work in a
>> plenary day breakout at TPAC (Wednesday).[2]
>>
>> Web Authentication (based on an anticipated submission from FIDO 2):
>>   https://w3c.github.io/websec/web-authentication-charter
> 
> 
> I think the line "Overall goals include obviating the use of shared
> secrets, i.e. passwords, as authentication credentials, facilitating
> multi-factor authentication support as well as hardware-based key storage
> while respecting the Same Origin Policy"
> 
> Should read "Overall goals include obviating the use of shared secrets,
> i.e. passwords, as authentication credentials, facilitating multi-factor
> authentication support as well as hardware-based key storage"
> 
> IMHO the last part doesn't really add anything, and potentially imposes a
> false constraint.  Respecting security best practices for scoping and
> asymmetric keys will ensure that private material is not leaked.  And that
> public material is made available to the correct audience.

The parameters of those interested in developing this work include
explicitly respecting the Same Origin Policy. Since that security
boundary is widely applied across web applications, setting user and
developer expectations, respecting it is essential to the deployment of
new authentication components. While we usually implicitly assume that
new work will respect architectural best practices, it seemed useful to
add the text here to head off these counter-arguments from the start.

> Also:
> 
> Out of Scope
> 
> Out of scope: federated identity, multi-origin credentials, low-level
> access to cryptographic operations or key material.
> 
> The web is predicated on the URI which is a federated identification
> system.  It would be good to understand whether or not there was a
> documented consensus process that came up with this clause.

This line doesn't preclude federated identity work elsewhere, just not
in this chartered group.

Discussions began with FIDO members who are also W3C members; we're now
inviting broader feedback. We assess consensus later, when we bring
charters to the W3C membership (Advisory Committee) for review.

--Wendy

> 
> 
>>
>>
>> Hardware-Based Security:
>>   https://w3c.github.io/websec/hwsec-charter
>>
>> We look forward to discussion at TPAC, here, and via github pull requests.
>>
>> Best,
>> --Wendy
>>
>>
>> [1] https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
>> [2] https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security
>> --
>> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
>> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>>
>>
>>
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Friday, 23 October 2015 14:03:14 UTC