W3C home > Mailing lists > Public > public-web-security@w3.org > October 2015

RE: Draft security charters for discussion at TPAC

From: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Date: Tue, 27 Oct 2015 03:29:19 +0000
To: Joe Steele <steele@adobe.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Wendy Seltzer <wseltzer@w3.org>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <540E99C53248CE468F6F7702588ABA2A0130411778@A1GTOEMBXV005.gto.a3c.atos.net>
Joe,
Indeed, look at http://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security

Regards,
Virginie

From: Joe Steele [mailto:steele@adobe.com]
Sent: mardi 27 octobre 2015 01:25
To: Melvin Carvalho; Wendy Seltzer
Cc: public-web-security@w3.org
Subject: Re: Draft security charters for discussion at TPAC

Is the discussion at TPAC going to be in a breakout session? If so — is it scheduled yet?
I would like to attend.

On Oct 23, 2015, at 11:12 PM, Melvin Carvalho <melvincarvalho@gmail.com<mailto:melvincarvalho@gmail.com>> wrote:



On 23 October 2015 at 16:02, Wendy Seltzer <wseltzer@w3.org<mailto:wseltzer@w3.org>> wrote:
On 10/23/2015 09:28 AM, Melvin Carvalho wrote:
> On 23 October 2015 at 11:05, Wendy Seltzer <wseltzer@w3.org<mailto:wseltzer@w3.org>> wrote:
>
>> Hi Web Security,
>>
>> Last year, we announced work in progress on new security work-areas,
>> then proposed as a re-chartering of the Web Cryptography Working Group.[1]
>>
>> WebCrypto is concluding its work and we have identified two distinct
>> areas of potential new work: Web Authentication and Hardware-Based
>> Security. We propose to discuss draft charters for this work in a
>> plenary day breakout at TPAC (Wednesday).[2]
>>
>> Web Authentication (based on an anticipated submission from FIDO 2):
>>   https://w3c.github.io/websec/web-authentication-charter

>
>
> I think the line "Overall goals include obviating the use of shared
> secrets, i.e. passwords, as authentication credentials, facilitating
> multi-factor authentication support as well as hardware-based key storage
> while respecting the Same Origin Policy"
>
> Should read "Overall goals include obviating the use of shared secrets,
> i.e. passwords, as authentication credentials, facilitating multi-factor
> authentication support as well as hardware-based key storage"
>
> IMHO the last part doesnt really add anything, and potentially imposes a
> false constraint.  Respecting security best practices for scoping and
> asymmetric keys, will ensure that private material is not leaked.  And that
> public material is made available to the correct audience.

The parameters of those interested in developing this work include
explicitly respecting the Same Origin Policy. Since that security
boundary is widely applied across web applications, setting user and
developer expectations, respecting it is essential to the deployment of
new authentication components. While we usually implicitly assume that
new work will respect architectural best practices, it seemed useful to
add the text here to head off these counter-arguments from the start.

Thanks for the explanation and for sharing the draft.
-1 on that line still, I dont think it is needed.

Preempting counter arguments I dont think is a necessary measure.


> Also:
>
> Out of Scope
>
> Out of scope: federated identity, multi-origin credentials, low-level
> access to cryptographic operations or key material.
> The web is predicated on the URI which is a federated identification
> system.  It would be good to understand whether or not there was a
> documented consensus process that came up with this clause.

This line doesn't preclude federated identity work elsewhere, just not
in this chartered group.

Discussions began with FIDO members who are also W3C members; we're now
inviting broader feedback. We assess consensus later, when we bring
charters to the W3C membership (Advisory Committee) for review.

Thanks.  Look forward to hearing more.


--Wendy

>
>
>>
>>
>> Hardware-Based Security:
>>   https://w3c.github.io/websec/hwsec-charter

>>
>> We look forward to discussion at TPAC, here, and via github pull requests.
>>
>> Best,
>> --Wendy
>>
>>
>> [1]
>> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html

>> [2]
>>
>> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security

>> --
>> Wendy Seltzer -- wseltzer@w3.org<mailto:wseltzer@w3.org> +1.617.715.4883<tel:%2B1.617.715.4883> (office)
>> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> http://wendy.seltzer.org/        +1.617.863.0613<tel:%2B1.617.863.0613> (mobile)
>>
>>
>>
>


--
Wendy Seltzer -- wseltzer@w3.org<mailto:wseltzer@w3.org> +1.617.715.4883<tel:%2B1.617.715.4883> (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613<tel:%2B1.617.863.0613> (mobile)


________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
Received on Tuesday, 27 October 2015 03:29:51 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 27 October 2015 03:29:52 UTC