
Web Crypto - GlobalPlatform collaboration proposal

From: <gil.bernabeu@globalplatform.org>
Date: Wed, 22 Oct 2014 13:01:44 +0000
To: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <B7090DE4BA6E3243BA802057A59EBCD394166356@A1GTOEMBXV001.gto.a3c.atos.net>
Dear all

Following the W3C WebCrypto.next workshop that showed strong focus and support for accessing HW security tokens, GlobalPlatform believes that there are different use cases that need to be supported for Web applications, and that different solutions should be considered jointly.

- Accessing a crypto engine
-> W3C WebCrypto.next should allow selecting different crypto environments such as software, Trusted Execution Environment (TEE) based, Secure Element (SE) based, ... This will allow a web app to perform the crypto function in an environment compatible with its own risk management, if available in the device.

- Accessing standardized services (e.g. FIDO, webpki ...)
-> W3C should create a unique API that, combined with a specific middleware automatically deployed (e.g. service or crypto environment specific), will allow a Web App to be as independent as possible from each specific implementation of the service.

- Accessing secure services that are not standardized (e.g. most of the SE or TEE services today)
As part of the security rules, end-to-end security requirements don't allow the browser to create or modify an encrypted command to access a secure service hosted in a TEE or in an SE. The commands to be sent to an application hosted in a TEE or in an SE are created in a secure cloud and only need to be forwarded to the secure component. To support this market requirement, a web app needs to have a simple layer to pass commands to the secure component. W3C should allow web apps to access a service similar to that proposed by the TEE Client API for the TEE or the Open Mobile API for the SE, presented by Herve during the Workshop.

- Control of access to HW security services - just as there are requirements on control of access to a Secure Application from an OS, for instance permissions based on identification of the client application, a similar solution should be deployed to control access from websites to Secure Applications.

GlobalPlatform is ready to provide such web app open source APIs in full collaboration with the W3C environment.

 Best Regards
-----------  Gil BERNABEU  ---------------
GlobalPlatform Technical Director
Received on Thursday, 23 October 2014 20:50:05 UTC
