Re: Draft security charters for discussion at TPAC

On 23 October 2015 at 16:02, Wendy Seltzer <wseltzer@w3.org> wrote:

> On 10/23/2015 09:28 AM, Melvin Carvalho wrote:
> > On 23 October 2015 at 11:05, Wendy Seltzer <wseltzer@w3.org> wrote:
> >
> >> Hi Web Security,
> >>
> >> Last year, we announced work in progress on new security work-areas,
> >> then proposed as a re-chartering of the Web Cryptography Working
> Group.[1]
> >>
> >> WebCrypto is concluding its work and we have identified two distinct
> >> areas of potential new work: Web Authentication and Hardware-Based
> >> Security. We propose to discuss draft charters for this work in a
> >> plenary day breakout at TPAC (Wednesday).[2]
> >>
> >> Web Authentication (based on an anticipated submission from FIDO 2):
> >>   https://w3c.github.io/websec/web-authentication-charter
> >
> >
> > I think the line "Overall goals include obviating the use of shared
> > secrets, i.e. passwords, as authentication credentials, facilitating
> > multi-factor authentication support as well as hardware-based key storage
> > while respecting the Same Origin Policy"
> >
> > Should read "Overall goals include obviating the use of shared secrets,
> > i.e. passwords, as authentication credentials, facilitating multi-factor
> > authentication support as well as hardware-based key storage"
> >
> > IMHO the last part doesnt really add anything, and potentially imposes a
> > false constraint.  Respecting security best practices for scoping and
> > asymmetric keys, will ensure that private material is not leaked.  And
> that
> > public material is made available to the correct audience.
>
> The parameters of those interested in developing this work include
> explicitly respecting the Same Origin Policy. Since that security
> boundary is widely applied across web applications, setting user and
> developer expectations, respecting it is essential to the deployment of
> new authentication components. While we usually implicitly assume that
> new work will respect architectural best practices, it seemed useful to
> add the text here to head off these counter-arguments from the start.
>

This is, IMHO, a useful article on the topic:

http://www.w3.org/DesignIssues/Security-Origin.html


>
> > Also:
> >
> > Out of Scope
> >
> > Out of scope: federated identity, multi-origin credentials, low-level
> > access to cryptographic operations or key material.
> > The web is predicated on the URI which is a federated identification
> > system.  It would be good to understand whether or not there was a
> > documented consensus process that came up with this clause.
>
> This line doesn't preclude federated identity work elsewhere, just not
> in this chartered group.
>
> Discussions began with FIDO members who are also W3C members; we're now
> inviting broader feedback. We assess consensus later, when we bring
> charters to the W3C membership (Advisory Committee) for review.
>
> --Wendy
>
> >
> >
> >>
> >>
> >> Hardware-Based Security:
> >>   https://w3c.github.io/websec/hwsec-charter
> >>
> >> We look forward to discussion at TPAC, here, and via github pull
> requests.
> >>
> >> Best,
> >> --Wendy
> >>
> >>
> >> [1]
> >>
> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> >> [2]
> >>
> >>
> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security
> >> --
> >> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> >> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> >> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
> >>
> >>
> >>
> >
>
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>
>