Re: Specification status

Hi David et al,

There's a lot to say about this topic; let me take two things that remain hurdles for rebooting this activity:

1. The core technical objection to this work was the anticipated lack of conformance to the "Web Security Model", which in practical terms means that a key intended for authenticating to "taxes.gov" MUST NOT be usable at "health.gov".  The https://www.w3.org/TR/webauthn/ scheme supported by the browser vendors doesn't suffer from this problem.

2. Yours truly early on advocated for a compromise [1] which actually was featured in one of the demos shown at TPAC 2016.  However, this model was never discussed as an option by the HBSS CG.  FWIW, it is nowadays the core of a dedicated Web API for payments: https://www.w3.org/TR/payment-request/ which indeed permits the use of Security Hardware, albeit currently limited to external native "Apps".

thanx,
Anders

[1] The use of external "mediating" applications obviating the need for exposing sensitive low-level cryptographic operations to untrusted Web code: https://cyberphone.github.io/doc/research/permissions.pdf

On 2018-03-09 13:08, David Rogers wrote:
> Hi all,
> 
> I would be very happy to pick this work up again if we have a sufficient number of people to support and contribute - we all know that inevitably this has to be done at some point and I think the right people in those orgs also know. The initial work on this was extremely positive and we had a good amount of academic support and also from people like Tim Berners-Lee and Bruce Schneier.
> 
> Of course there will always be individuals who want to shoot things down. I'd like to take a positive stance and say that if we can present the practical and security case for this work, then we can certainly bring on board the right people from some of those large organisations who may not even know of the existence of this.
> 
> I would be interested in the views of the people on this list about setting up a sit-rep call, and also Wendy who was originally involved from the W3C side but who I believe has moved to a different domain. I believe we still need to sign-off the report on this?
> 
> Thanks,
> 
> David.
> Copper Horse
> 
> 
> -----Original Message-----
> From: Erik Anderson [mailto:eanders@pobox.com]
> Sent: 08 March 2018 19:15
> To: public-hb-secure-services@w3.org
> Subject: Re: Specification status
> 
>> That group is not that active as it could not find a way to start
>> implementation and experimentation, neither endorsement from browser
> 
> Imagine that. Google/Microsoft/etc deadlocking something so critically important.
> 
> Erik Anderson
> Bloomberg
> 
> 
> 

Received on Friday, 9 March 2018 13:30:53 UTC