Re: Web Crypto - GlobalPlatform collaboration proposal

> Following the W3C WebCrypto.next workshop that showed strong focus and
> support for accessing HW security tokens, GlobalPlatform believes that there
> are different use cases that need to be supported for Web applications, and
> that different solutions should be considered jointly.
+1. Authentication (both client and server) is still a sore spot.

> - Accessing to standardized services (eg FIDO, webpki ...)
> - > W3C should create an unique API that combined with a specific middleware
> automatically deployed (eg service or crypto environment specific) will
> allow a Web App to be as independent as possible from each specific
> implementation of the service
+1. Please don't do Key Transport. Coughing up a secret to any server
that answers is still a bad idea. Please don't back door it with
overrides and then claim they are "user approved".

Jeff

On Thu, Oct 23, 2014 at 10:57 AM,  <gil.bernabeu@globalplatform.org> wrote:
> Dear all
>
> Following the W3C WebCrypto.next workshop that showed strong focus and
> support for accessing HW security tokens, GlobalPlatform believes that there
> are different use cases that need to be supported for Web applications, and
> that different solutions should be considered jointly.
>
>
> - Accessing to a crypto engine
> -> W3C Webcrypto.next should allow selecting different crypto environment
> such as software, Trusted Execution Environment (TEE) based, Secure
> element(SE) based , ….this will allow a web app to perform the crypto
> function in a environment compatible with his own risk management if
> available in the device.
>
> - Accessing to standardized services (eg FIDO, webpki ...)
> - > W3C should create an unique API that combined with a specific middleware
> automatically deployed (eg service or crypto environment specific) will
> allow a Web App to be as independent as possible from each specific
> implementation of the service
>
> - Accessing to secure services that are not standardized (eg most of the SE
> or TEE services today)
> As part of the security rules, end 2 end security requirements doesn’t allow
> the browser to create or modify an encrypted command to access a secure
> services hosted in a TEE or in SE. The commands to be sent to an application
> hosted in a TEE or in SE are created in a secure cloud and only needs to be
> forwarded to the secure component. To support this market requirement, web
> app needs to have a simple layer to pass command to the secure component.
> W3C should allow web app to access to similar service as proposed by TEE
> client API for the TEE or Open Mobile API for the SE presented by Herve
> during the Workshop.
>
> - Control of access HW security services – just as there are requirements on
> control of access to a Secure Application from an OS, for instance
> permissions based on identification of the client application, a similar
> solution should be deployed to control access from websites to Secure
> Applications.
>
> GlobalPlatform is ready to provides with such web app open source APIs is
> full collaboration with W3C environment.
>
> Best Regards
> ----------- Gil BERNABEU ---------------
> GlobalPlatform Technical Director
> http://www.globalplatform.org

Received on Friday, 24 October 2014 13:32:36 UTC