- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 18 Feb 2015 15:38:47 +0100
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>
- CC: Castillo Laurent <Laurent.Castillo@gemalto.com>, Lu HongQian Karen <karen.lu@gemalto.com>
On 2015-02-18 13:41, GALINDO Virginie wrote: Hi Virginie, If you pay in a shop using your "Carte Bancaire" you put the card in a terminal provided by a certified vendor of trusted payment terminals, right? That is, the card is never directly exposed to potentially malicious merchant code. Now if you rather go to the Web, you'll find that the entire concept "Trusted Web Code" [1] is missing which makes all efforts merging generic security hardware [2,3] with browsers doomed to fail. Sincerely, Anders Rundgren 1] Trusted UI + Trusted Software 2] GP TEE, SIM, PIV, TPM, etc. 3] FIDO/U2F is special purpose and limited by SOP so it is outside of this discussion. > Dear all, > > (web security chair hat on) > > a lots of interesting and very diverse conversation going on here. I just would like to remind the segmentation of topics and ownership in W3C in ordre to help people to send their use cases, contributions and thoughts to the appropriate location : > > - Web Crypto next charter > The charter will include anything related to cryptographic operation. At the moment, the WG targets the maintenance of the specification to include new algorithms (aka new curve familly). The group is currently discussing the gemalto proposal for certificate management, integrating the usage of hardware token for cryptographic operation, with no consensus on that matter. if you are willing to support one of those topic, please speak on the public-webcrypto mailing list [1]. > > - FIDO Alliance and authentication service > The topic of authentication is currenlty owned and discussed by FIDO Alliance. the level of service expected there is about enrollement and authentication opertaions. That technology is backed by a strong strategy by Microsoft and Google. I suggest we let FIDO Alliance decide when they are ready to input to W3C their contribution in terms which are compliant with W3C IP policy. > > - Web Payment services > That topic is discussed in the Web Payment Interest group, whihc is currently gathering use cases. There are no technical requirements, no technical proposal endorsed in the IG as of today. It may happen that the Web Payment IG ends with that kind of consensual requirements. I can only encourage people interested in payment to join the IG or at least monitor their deliverables [2]. > > - Any service accessing secure element > That topic will not be adressed in the Web Crypto next charter, it has been rejected by main browser makers attending that WG. The way to go on the discussion could be either to create a W3C community group, it is very light and easy to manage and join. But there is another possibility : from what I see, GlobalPlatform is willing to host the discussion in ordre to allow all players to design a flexible technical solution, allowing browser to integrate in a flexible way any services using hardware token. GP will soon open a public working group, with an IP policy compliant with W3C one, to discuss that. > > Again, that mail is not to prevent you to share here your ideas and comments, but gives you guideline to make sure your are heard in the appropriate group(s). > > Regards, > Virginie > chair of the Web Security IG > > > [1] https://lists.w3.org/Archives/Public/public-webcrypto/ > [2] http://www.w3.org/Payments/IG/ > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ > This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus. > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ > This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus
Received on Wednesday, 18 February 2015 14:39:36 UTC