- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 18 Feb 2015 18:19:36 +0100
- To: ANDREAE Philip <P.Andreae@oberthur.com>, "public-web-security@w3.org" <public-web-security@w3.org>
- CC: Castillo Laurent <Laurent.Castillo@gemalto.com>
On 2015-02-18 17:51, ANDREAE Philip wrote: > As a consumer and founder of what became EMV, also an Amex, Europay and Visa Product employee and technology guy. Trust is not an assumption people make when they swipe/tap or insert their card through/into/on a Point of Sale device. Often payment cards are read by terminals that have nothing to do with Payments, for example in the Delta Lounge to allow members in. > > Yes EMVCo type approves terminals. Not for security reasons. It is done to assure global interoperability. By that I mean any EMV Card in an EMV terminal should work or at least be told that payment type not accepted here. > > It is true that in some countries there are different rules. Universally trust should not be an assumption and I would love to be able to tap if possible insert my debit card against/into a Mobile Device, PC or tablet and know that the credentials my Bank enabled can be used as a means of authentication (replacing passwords), and, maybe even identification. Rewriting this is practical terms: In your opinion the "Payment Terminal" may very well be supplied by the MERCHANT as ordinary (=untrusted) web code and that users should be able dealing with questions like "'example.com' wants to access token 'YYZ' in slot #4, please provide a PIN". Note that it is the BROWSER (not the application) that asks this, because it has to do that using the method above. Anders > > Philip Andreae > Tel: +1 (404) 680 9640 > > > -----Original Message----- > From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] > Sent: Wednesday, February 18, 2015 9:39 AM > To: GALINDO Virginie; public-web-security@w3.org > Cc: Castillo Laurent; Lu HongQian Karen > Subject: Re: About Web Crypto WG rechartering, next steps and related topics > > On 2015-02-18 13:41, GALINDO Virginie wrote: > > Hi Virginie, > > If you pay in a shop using your "Carte Bancaire" you put the card in a terminal provided by a certified vendor of trusted payment terminals, right? > > That is, the card is never directly exposed to potentially malicious merchant code. > > Now if you rather go to the Web, you'll find that the entire concept "Trusted Web Code" [1] is missing which makes all efforts merging generic security hardware [2,3] with browsers doomed to fail. > > Sincerely, > Anders Rundgren > > 1] Trusted UI + Trusted Software > 2] GP TEE, SIM, PIV, TPM, etc. > 3] FIDO/U2F is special purpose and limited by SOP so it is outside of this discussion. > > >> Dear all, >> >> (web security chair hat on) >> >> a lots of interesting and very diverse conversation going on here. I just would like to remind the segmentation of topics and ownership in W3C in ordre to help people to send their use cases, contributions and thoughts to the appropriate location : >> >> - Web Crypto next charter >> The charter will include anything related to cryptographic operation. At the moment, the WG targets the maintenance of the specification to include new algorithms (aka new curve familly). The group is currently discussing the gemalto proposal for certificate management, integrating the usage of hardware token for cryptographic operation, with no consensus on that matter. if you are willing to support one of those topic, please speak on the public-webcrypto mailing list [1]. >> >> - FIDO Alliance and authentication service The topic of authentication >> is currenlty owned and discussed by FIDO Alliance. the level of service expected there is about enrollement and authentication opertaions. That technology is backed by a strong strategy by Microsoft and Google. I suggest we let FIDO Alliance decide when they are ready to input to W3C their contribution in terms which are compliant with W3C IP policy. >> >> - Web Payment services >> That topic is discussed in the Web Payment Interest group, whihc is currently gathering use cases. There are no technical requirements, no technical proposal endorsed in the IG as of today. It may happen that the Web Payment IG ends with that kind of consensual requirements. I can only encourage people interested in payment to join the IG or at least monitor their deliverables [2]. >> >> - Any service accessing secure element That topic will not be adressed >> in the Web Crypto next charter, it has been rejected by main browser makers attending that WG. The way to go on the discussion could be either to create a W3C community group, it is very light and easy to manage and join. But there is another possibility : from what I see, GlobalPlatform is willing to host the discussion in ordre to allow all players to design a flexible technical solution, allowing browser to integrate in a flexible way any services using hardware token. GP will soon open a public working group, with an IP policy compliant with W3C one, to discuss that. >> >> Again, that mail is not to prevent you to share here your ideas and comments, but gives you guideline to make sure your are heard in the appropriate group(s). >> >> Regards, >> Virginie >> chair of the Web Security IG >> >> >> [1] https://lists.w3.org/Archives/Public/public-webcrypto/ >> [2] http://www.w3.org/Payments/IG/ >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> -------- > -- >> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. >> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. >> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus. >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> ---------------------------------------------------------------------- >> -------- > -- >> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. >> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. >> Although all reasonable efforts have been made to keep this >> transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus >
Received on Wednesday, 18 February 2015 17:20:25 UTC