RE: [Hardware Based Secure Services IG] some topics to discuss

Yes, this is a good point and it definitely has to be addressed.
There is a mechanism in GlobalPlatform for Access Control; this could be a good way to authorize the server part.
On the other hand, smart cards are protected by authentication mechanisms, so the "terminal" side (the server in this case) has to own credentials to do anything on the secure hardware.
One last point: the HW will have to be accessed under user control anyway. At least user consent, in some cases a PIN entry.

Bruno 

-----Original Message-----
From: Wendy Seltzer [mailto:wseltzer@w3.org]
Sent: Thursday, 21 April 2016 15:16
To: JAVARY Bruno; public-hb-secure-services@w3.org
Cc: MOUGIN Nicolas
Subject: Re: [Hardware Based Secure Services IG] some topics to discuss

Thanks Bruno!

A critical question is on your slide 10: how do we communicate between the Web and the Smart Card, without opening a channel that can be abused. Browsers want to be able to act as "user agents," to help users protect their privacy and security, so are wary of plugin-style interfaces. Can we specify further the functions we want to access (which could then be abstracted to be provided by a smartcard or other hardware device)?

Talk with you soon,
--Wendy

On 04/21/2016 03:21 AM, JAVARY Bruno wrote:
> Hello all,
> I am unfortunately unavailable next week but I'll attend the call this afternoon.
> Please find attached a sum-up of our thoughts regarding that topic, I'll comment during the call.
> 
> Best regards,
> 
> Bruno Javary | Oberthur Technologies
> R&D Project manager | Citizen Access & Identity Business Unit
> 420 Rue d'Estienne d'Orves - CS 40008 - 92705 COLOMBES CEDEX | France
> b.javary@oberthur.com | www.oberthur.com
> 
> From: GALINDO Virginie [mailto:Virginie.Galindo@gemalto.com]
> Sent: Wednesday, 20 April 2016 11:52
> To: public-hb-secure-services@w3.org
> Subject: [Hardware Based Secure Services IG] some topics to discuss
> 
> Dear all,
> I put together a list of topics we should discuss in the Community Group.
> This list is based on the different discussions I had in the last two years around the integration of secure services and is available here:
> https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop
> Please do not hesitate to enrich, challenge, improve by commenting on this list.
> Regards,
> Virginie
> 


--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Thursday, 21 April 2016 14:54:18 UTC