Re: Draft security charters for discussion at TPAC

Thanks Virginie.

I don’t see a time/date but I guess I will just wander around.

> On Oct 27, 2015, at 12:29 PM, GALINDO Virginie <Virginie.GALINDO@gemalto.com> wrote:
> 
> Joe,
> Indeed, look at http://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security <http://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security>
> Regards,
> Virginie
> 
> From: Joe Steele [mailto:steele@adobe.com <mailto:steele@adobe.com>]
> Sent: mardi 27 octobre 2015 01:25
> To: Melvin Carvalho; Wendy Seltzer
> Cc: public-web-security@w3.org <mailto:public-web-security@w3.org>
> Subject: Re: Draft security charters for discussion at TPAC
> 
> Is the discussion at TPAC going to be in a breakout session? If so — is it scheduled yet?
> I would like to attend.
> 
> On Oct 23, 2015, at 11:12 PM, Melvin Carvalho <melvincarvalho@gmail.com <mailto:melvincarvalho@gmail.com>> wrote:
> 
> 
> 
> On 23 October 2015 at 16:02, Wendy Seltzer <wseltzer@w3.org <mailto:wseltzer@w3.org>> wrote:
> On 10/23/2015 09:28 AM, Melvin Carvalho wrote:
> > On 23 October 2015 at 11:05, Wendy Seltzer <wseltzer@w3.org <mailto:wseltzer@w3.org>> wrote:
> >
> >> Hi Web Security,
> >>
> >> Last year, we announced work in progress on new security work-areas,
> >> then proposed as a re-chartering of the Web Cryptography Working Group.[1]
> >>
> >> WebCrypto is concluding its work and we have identified two distinct
> >> areas of potential new work: Web Authentication and Hardware-Based
> >> Security. We propose to discuss draft charters for this work in a
> >> plenary day breakout at TPAC (Wednesday).[2]
> >>
> >> Web Authentication (based on an anticipated submission from FIDO 2):
> >>   https://w3c.github.io/websec/web-authentication-charter <https://w3c.github.io/websec/web-authentication-charter>
> >
> >
> > I think the line "Overall goals include obviating the use of shared
> > secrets, i.e. passwords, as authentication credentials, facilitating
> > multi-factor authentication support as well as hardware-based key storage
> > while respecting the Same Origin Policy"
> >
> > Should read "Overall goals include obviating the use of shared secrets,
> > i.e. passwords, as authentication credentials, facilitating multi-factor
> > authentication support as well as hardware-based key storage"
> >
> > IMHO the last part doesnt really add anything, and potentially imposes a
> > false constraint.  Respecting security best practices for scoping and
> > asymmetric keys, will ensure that private material is not leaked.  And that
> > public material is made available to the correct audience.
> 
> The parameters of those interested in developing this work include
> explicitly respecting the Same Origin Policy. Since that security
> boundary is widely applied across web applications, setting user and
> developer expectations, respecting it is essential to the deployment of
> new authentication components. While we usually implicitly assume that
> new work will respect architectural best practices, it seemed useful to
> add the text here to head off these counter-arguments from the start.
> 
> Thanks for the explanation and for sharing the draft.
> 
> -1 on that line still, I dont think it is needed.
> 
> Preempting counter arguments I dont think is a necessary measure.
> 
> 
> > Also:
> >
> > Out of Scope
> >
> > Out of scope: federated identity, multi-origin credentials, low-level
> > access to cryptographic operations or key material.
> > The web is predicated on the URI which is a federated identification
> > system.  It would be good to understand whether or not there was a
> > documented consensus process that came up with this clause.
> 
> This line doesn't preclude federated identity work elsewhere, just not
> in this chartered group.
> 
> Discussions began with FIDO members who are also W3C members; we're now
> inviting broader feedback. We assess consensus later, when we bring
> charters to the W3C membership (Advisory Committee) for review.
> 
> Thanks.  Look forward to hearing more.
> 
> 
> --Wendy
> 
> >
> >
> >>
> >>
> >> Hardware-Based Security:
> >>   https://w3c.github.io/websec/hwsec-charter <https://w3c.github.io/websec/hwsec-charter>
> >>
> >> We look forward to discussion at TPAC, here, and via github pull requests.
> >>
> >> Best,
> >> --Wendy
> >>
> >>
> >> [1]
> >> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html <https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html>
> >> [2]
> >>
> >> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security <https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security>
> >> --
> >> Wendy Seltzer -- wseltzer@w3.org <mailto:wseltzer@w3.org> +1.617.715.4883 <tel:%2B1.617.715.4883> (office)
> >> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> >> http://wendy.seltzer.org/ <http://wendy.seltzer.org/>        +1.617.863.0613 <tel:%2B1.617.863.0613> (mobile)
> >>
> >>
> >>
> >
> 
> 
> --
> Wendy Seltzer -- wseltzer@w3.org <mailto:wseltzer@w3.org> +1.617.715.4883 <tel:%2B1.617.715.4883> (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/ <http://wendy.seltzer.org/>        +1.617.863.0613 <tel:%2B1.617.863.0613> (mobile)
> 
> 
> 
> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.