- From: Joe Steele <steele@adobe.com>
- Date: Tue, 27 Oct 2015 00:24:38 +0000
- To: Melvin Carvalho <melvincarvalho@gmail.com>, Wendy Seltzer <wseltzer@w3.org>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <8318EF33-C831-49CD-AC91-31F5CBE25CA6@adobe.com>
Is the discussion at TPAC going to be in a breakout session? If so — is it scheduled yet? I would like to attend.

> On Oct 23, 2015, at 11:12 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>
>
>
> On 23 October 2015 at 16:02, Wendy Seltzer <wseltzer@w3.org> wrote:
> On 10/23/2015 09:28 AM, Melvin Carvalho wrote:
> > On 23 October 2015 at 11:05, Wendy Seltzer <wseltzer@w3.org> wrote:
> >
> >> Hi Web Security,
> >>
> >> Last year, we announced work in progress on new security work-areas,
> >> then proposed as a re-chartering of the Web Cryptography Working Group.[1]
> >>
> >> WebCrypto is concluding its work and we have identified two distinct
> >> areas of potential new work: Web Authentication and Hardware-Based
> >> Security. We propose to discuss draft charters for this work in a
> >> plenary day breakout at TPAC (Wednesday).[2]
> >>
> >> Web Authentication (based on an anticipated submission from FIDO 2):
> >> https://w3c.github.io/websec/web-authentication-charter
> >
> >
> > I think the line "Overall goals include obviating the use of shared
> > secrets, i.e. passwords, as authentication credentials, facilitating
> > multi-factor authentication support as well as hardware-based key storage
> > while respecting the Same Origin Policy"
> >
> > Should read "Overall goals include obviating the use of shared secrets,
> > i.e. passwords, as authentication credentials, facilitating multi-factor
> > authentication support as well as hardware-based key storage"
> >
> > IMHO the last part doesn't really add anything, and potentially imposes a
> > false constraint. Respecting security best practices for scoping and
> > asymmetric keys will ensure that private material is not leaked, and that
> > public material is made available to the correct audience.
>
> The parameters of those interested in developing this work include
> explicitly respecting the Same Origin Policy. Since that security
> boundary is widely applied across web applications, setting user and
> developer expectations, respecting it is essential to the deployment of
> new authentication components. While we usually implicitly assume that
> new work will respect architectural best practices, it seemed useful to
> add the text here to head off these counter-arguments from the start.
>
> Thanks for the explanation and for sharing the draft.
>
> -1 on that line still, I don't think it is needed.
>
> Preempting counter arguments I don't think is a necessary measure.
>
>
> > Also:
> >
> > Out of Scope
> >
> > Out of scope: federated identity, multi-origin credentials, low-level
> > access to cryptographic operations or key material.
> > The web is predicated on the URI which is a federated identification
> > system. It would be good to understand whether or not there was a
> > documented consensus process that came up with this clause.
>
> This line doesn't preclude federated identity work elsewhere, just not
> in this chartered group.
>
> Discussions began with FIDO members who are also W3C members; we're now
> inviting broader feedback. We assess consensus later, when we bring
> charters to the W3C membership (Advisory Committee) for review.
>
> Thanks. Look forward to hearing more.
>
>
> --Wendy
>
>
>
> >>
> >>
> >> Hardware-Based Security:
> >> https://w3c.github.io/websec/hwsec-charter
> >>
> >> We look forward to discussion at TPAC, here, and via github pull requests.
> >>
> >> Best,
> >> --Wendy
> >>
> >>
> >> [1]
> >> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> >> [2]
> >>
> >> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security
> >> --
> >> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> >> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> >> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
> >>
> >>
> >>
> >
> >
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
>
>
Received on Tuesday, 27 October 2015 00:25:14 UTC