Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments

On 03/16/2015 11:11 AM, GALINDO Virginie wrote:
> [gemalto hat on]
> Thank you anders for your very  synthetic analysis.
> That call is exactly what you mean, a call for designing a new solution suitable to browser makers and serving appropriate use cases.

>From W3C's perspective, it seems like the right answer is also to split
up the initiative for a new solution for hardware tokens in the browser
space to be in a new Working Group or Interest Group rather than WebCrypto.

Note that the solution does not need the support from all browser
vendors at its inception, but we do obviously prefer having a solid
technical design with no significant objections before chartering a new
WG. For example, historically the WebCrypto WG came originally out of
Mozilla's DomCrypto plug-in without clear support from either Google or
Microsoft.

   cheers,
     harry

> Virginie
> 
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
> Sent: lundi 16 mars 2015 10:59
> To: GALINDO Virginie; Wendy Seltzer; Siva Narendra; Harry Halpin
> Cc: public-web-security@w3.org; Charles Engelke
> Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments
> 
> On 2015-03-12 15:54, GALINDO Virginie wrote:
>> [gemalto representative hat on]
>>
>> gemalto supports to discuss in W3C the usage of the secure services
>> based on hardware or combination
>  > of hardware/software (e.g. secure element, trusted execution environement).
>> We suggest to gather the supporting companies and draft a a charter for a Working Group or an Interest Group.
>> this synchronization can happen in public, preferably on the
>> public-web-security interest group mailing list
>  > (to avoid overloading the web crypto working group mailing list).
> 
> We had an F2F, then we had discussions and finally we had the public dismissal by Google of the core idea (=support for legacy security hardware in browsers).
> 
> That is, this activity is concluded and doesn't benefit from being rehashed unless somebody has a silver bullet to offer.
> 
> Regards
> Anders
> 
> 
>>
>> Regards,
>> Virginie
>> gemalto
>>
>>
>> ________________________________________
>> De : Wendy Seltzer [wseltzer@w3.org]
>> Envoyé : mercredi 11 mars 2015 22:55
>> À : Siva Narendra; Harry Halpin
>> Cc : public-web-security@w3.org; public-webcrypto@w3.org; Charles
>> Engelke; GALINDO Virginie Objet : Re: [Web Crypto WG] draft Web Crypto
>> WG charter : for your review and comments
>>
>> Hi Siva and all,
>>
>> To follow up on Harry's response, we have great interest in doing more
>> work on secure authentication building on the WebCrypto API. As its
>> Chair has expressed, the WebCrypto WG wants to complete its work with
>> a tight focus on the WebCrypto API and related deliverables.
>>
>> For my part, I look forward to supporting additional groups focused on
>> extending WebCrypto's work, whether based in FIDO or secure hardware.
>> Any member can propose work, and so long as there is interest and a
>> path to getting interoperable implementations, some members'
>> non-participation does not act as a veto.
>>
>> --Wendy
>>
>> On 03/11/2015 05:32 PM, Siva Narendra wrote:
>>> Thank you Harry.
>>>
>>> -Siva
>>>
>>>
>>> *--*
>>>
>>>
>>> *Siva G. Narendra Ph.D. CEO - Tyfone, Inc.Portland | Bangalore |
>>> Taipeiwww.tyfone.com <http://www.tyfone.com>*
>>> *Voice: +1.661.412.2233*
>>>
>>>
>>> On Wed, Mar 11, 2015 at 2:27 PM, Harry Halpin <hhalpin@w3.org> wrote:
>>>
>>>>
>>>>
>>>> On 03/11/2015 09:59 PM, Siva Narendra wrote:
>>>>> +adding Pub-Web-Security for continuity from the Workshop
>>>>>
>>>>> Thank you Harry. Few questions:
>>>>>
>>>>>     1. Does this mean "FIDO will not be implemented under this WG?"
>>>>>     2. Is the statement "All the web browser implementers do not want to
>>>>>     support hardware tokens or anything that is outside of cryptography in
>>>>>     within the scope of WG?" or "One browser vendors does not want
>>>>> to
>>>> support
>>>>>     anything other than FIDO?"
>>>>
>>>> I think the answer should be:
>>>>
>>>> 1) FIDO will not be implemented under the Web Crypto Working Group,
>>>> but may be pursued in another WG.
>>>>
>>>> 2) Hardware token support, both in a manner consistent with a
>>>> revised Gemalto proposal that takes on board feedback like respect
>>>> for same-origin policy, should be pursued in another Working Group,
>>>> but not in the WebCrypto WG.
>>>>
>>>> Does that help?
>>>>
>>>> The real question now is what the shape and charter(s) of the new
>>>> Working Groups will be, along with associated time-frames.
>>>>
>>>> There have been formal Member submissions neither from the smartcard
>>>> vendors or FIDO, but lots of informal discussion. However, the
>>>> workshop did reach consensus that hardware token support should be
>>>> part of the Open Web Platform, and the W3C would like to follow this
>>>> up with one or more new Working Groups if the work does not match existing Working Groups.
>>>>
>>>>
>>>> As the discussion in Web Crypto WG shows, it does not match at the
>>>> time being as the implementors want to focus on algorithm
>>>> maintenance and finishing version 1.0.
>>>>
>>>> If opinions have drastically changed since the workshop, we would
>>>> like to revisit that consensus via a survey of W3C members but we
>>>> are hoping there is still consensus and momentum.
>>>>
>>>>     cheers,
>>>>         harry
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> This is important for the eco-system to know so we can determine if
>>>>> this work should be pursued inside W3C or outside.
>>>>>
>>>>> Thank you,
>>>>> Siva
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *--*
>>>>>
>>>>>
>>>>> *Siva G. Narendra Ph.D. CEO - Tyfone, Inc.Portland | Bangalore |
>>>>> Taipeiwww.tyfone.com <http://www.tyfone.com>*
>>>>> *Voice: +1.661.412.2233*
>>>>>
>>>>>
>>>>> On Wed, Mar 11, 2015 at 11:16 AM, Harry Halpin <hhalpin@w3.org> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 03/11/2015 07:08 PM, Charles Engelke wrote:
>>>>>>> I'm new to this WG and W3C in general, so I may be missing points
>>>>>>> on how this works. But until today that draft did include adding
>>>>>>> new use cases. Today that was revised to say "the Web Crypto WG
>>>>>>> will not adress any new use case others then the ones developed
>>>>>>> with the first version of the Web Crypto API."
>>>>>>>
>>>>>>> Did I miss the process that made this change?
>>>>>>
>>>>>> There was strong objections from members of the Working Group, in
>>>>>> particular implementers that are on public record.
>>>>>>
>>>>>> Thus, while the W3C is still committed do finding an appropriate
>>>>>> home for these use-cases and associated standards, it will not be
>>>>>> this Working Group.
>>>>>>
>>>>>> If you have a particular use-case and proposed technical solution
>>>>>> that you think would be acceptable to implementers, e-mail the Web
>>>>>> Security Interest Group at public-web-security@w3.org.
>>>>>>
>>>>>>      cheers,
>>>>>>         harry
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Charlie
>>>>>>>
>>>>>>> On Wed, Mar 11, 2015 at 1:13 PM, GALINDO Virginie
>>>>>>> <Virginie.Galindo@gemalto.com> wrote:
>>>>>>>> Dear all,
>>>>>>>>
>>>>>>>> You will find here
>>>>>>>> https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter
>>>>>>>> the
>>>>>> basis of
>>>>>>>> the next Web Crypto WG charter.
>>>>>>>>
>>>>>>>> Based on the feedback on this mailing list, despite the long
>>>>>> discussions we
>>>>>>>> had related to new features such as crypto service in secure
>>>>>>>> element, certificate management, authentication management, this
>>>>>>>> charter only adresses the maintenance of the Web Crypto API, and
>>>>>>>> the creation of extension for specific algorithms.
>>>>>>>>
>>>>>>>> What I am expecting from working group participants now is the
>>>>>> algorithms
>>>>>>>> they would like to see as extension of the Web Crypto API. This
>>>>>>>> will
>>>>>> help us
>>>>>>>> to get a list of the extension we plan to adress in the
>>>>>>>> framework of
>>>>>> that
>>>>>>>> specific working group.
>>>>>>>>
>>>>>>>> Please note that there are some discussions in AC forum about
>>>>>> restricting
>>>>>>>> activities of any WG that does not work under a valid charter.
>>>>>>>> Our
>>>>>> charter
>>>>>>>> will expire on the 31st of March, as such, we should try to get
>>>>>> consensus on
>>>>>>>> the new charter as soon as possible (or we will have to ask an
>>>>>> extension to
>>>>>>>> W3C director).
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Virginie Galindo
>>>>>>>> gemalto
>>>>>>>> chair of the web crypto WG
>>>>>>>>
>>>>>>>>
>>>>>>>> ________________________________ This message and any
>>>>>>>> attachments are intended solely for the
>>>> addressees
>>>>>> and
>>>>>>>> may contain confidential information. Any unauthorized use or
>>>>>> disclosure,
>>>>>>>> either whole or partial, is prohibited.
>>>>>>>> E-mails are susceptible to alteration. Our company shall not be
>>>>>>>> liable
>>>>>> for
>>>>>>>> the message if altered, changed or falsified. If you are not the
>>>>>> intended
>>>>>>>> recipient of this message, please delete it and notify the sender.
>>>>>>>> Although all reasonable efforts have been made to keep this
>>>> transmission
>>>>>>>> free from viruses, the sender will not be liable for damages
>>>>>>>> caused
>>>> by a
>>>>>>>> transmitted virus.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy
>> Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>>
>> ________________________________
>>   This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
>> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
>> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
>>
> 
> ________________________________
>  This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
>

Received on Monday, 16 March 2015 16:25:31 UTC