- From: Jeffrey Walton <noloader@gmail.com>
- Date: Fri, 24 Oct 2014 09:32:10 -0400
- To: gil.bernabeu@globalplatform.org
- Cc: public-web-security@w3.org
> Following the W3C WebCrypto.next workshop that showed strong focus and > support for accessing HW security tokens, GlobalPlatform believes that there > are different use cases that need to be supported for Web applications, and > that different solutions should be considered jointly. +1. Authentication (both client and server) is still a sore spot. > - Accessing to standardized services (eg FIDO, webpki ...) > - > W3C should create an unique API that combined with a specific middleware > automatically deployed (eg service or crypto environment specific) will > allow a Web App to be as independent as possible from each specific > implementation of the service +1. Please don't do Key Transport. Coughing up a secret to any server that answers is still a bad idea. Please don't back door it with overrides and then claim they are "user approved". Jeff On Thu, Oct 23, 2014 at 10:57 AM, <gil.bernabeu@globalplatform.org> wrote: > Dear all > > Following the W3C WebCrypto.next workshop that showed strong focus and > support for accessing HW security tokens, GlobalPlatform believes that there > are different use cases that need to be supported for Web applications, and > that different solutions should be considered jointly. > > > - Accessing to a crypto engine > -> W3C Webcrypto.next should allow selecting different crypto environment > such as software, Trusted Execution Environment (TEE) based, Secure > element(SE) based , ….this will allow a web app to perform the crypto > function in a environment compatible with his own risk management if > available in the device. > > - Accessing to standardized services (eg FIDO, webpki ...) > - > W3C should create an unique API that combined with a specific middleware > automatically deployed (eg service or crypto environment specific) will > allow a Web App to be as independent as possible from each specific > implementation of the service > > - Accessing to secure services that are not standardized (eg most of the SE > or TEE services today) > As part of the security rules, end 2 end security requirements doesn’t allow > the browser to create or modify an encrypted command to access a secure > services hosted in a TEE or in SE. The commands to be sent to an application > hosted in a TEE or in SE are created in a secure cloud and only needs to be > forwarded to the secure component. To support this market requirement, web > app needs to have a simple layer to pass command to the secure component. > W3C should allow web app to access to similar service as proposed by TEE > client API for the TEE or Open Mobile API for the SE presented by Herve > during the Workshop. > > - Control of access HW security services – just as there are requirements on > control of access to a Secure Application from an OS, for instance > permissions based on identification of the client application, a similar > solution should be deployed to control access from websites to Secure > Applications. > > GlobalPlatform is ready to provides with such web app open source APIs is > full collaboration with W3C environment. > > Best Regards > ----------- Gil BERNABEU --------------- > GlobalPlatform Technical Director > http://www.globalplatform.org
Received on Friday, 24 October 2014 13:32:36 UTC