- From: Colin Gallagher <colingallagher.rpcv@gmail.com>
- Date: Mon, 16 Mar 2015 23:11:08 -0700
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, Siva Narendra <siva@tyfone.com>, Harry Halpin <hhalpin@w3.org>, public-web-security@w3.org, GALINDO Virginie <virginie.galindo@gemalto.com>, Charles Engelke <w3c@engelke.com>
- Message-ID: <CABghAMhzOO2vpYygzK7J+_+SUGyFwuDEmPQtAmtpv3n7TvFTOQ@mail.gmail.com>
Except Google Code isn't going to exist anymore, because Google is pulling it and anyone using it will likely just go to GitHub. Anyway, a focused list wouldn't hurt for those interested in that topic, imho. My four satoshis have been given.

On Mar 16, 2015 10:06 PM, "Anders Rundgren" <anders.rundgren.net@gmail.com> wrote:

> On 2015-03-17 04:34, Colin Gallagher wrote:
>
>> My impression was Wendy said some members' non-participation with respect
>> to some idea or another doesn't act as a veto so, correct me if I'm wrong,
>> but doesn't that imply that whether Google or someone else does or does not
>> like an idea, then can't it be included anyway? So the group can proceed....
>> not being concerned about vetoes of legacy security hardware, so basically,
>> I think the answer is... yes.
>>
>> Also, why new working group for secure hardware/tokens/FIDO/etc, when it
>> could be a subgroup or interest group within webcrypto, time permitting
>> (charter expiring on March 31, but will it be extended)? So, one could just
>> call this additional group within webcrypto "secure hardware" and give it a
>> list for those interested. This is just my suggestion.
>>
>> Finally, some of the security issues brought up... no Web Security
>> Principle (maintained), plus, the Same Origin Policy doc is an IETF 2011
>> item itself in need of some review. Some of this stuff cited is extremely
>> dated.
>>
>> I would further suggest pushing this out for further public review, see
>> if you can get some more eyes on the process.
>>
>
> Colin, my claim from November last year is still valid:
>
> https://lists.w3.org/Archives/Public/public-web-security/2014Nov/0032.html
>
> The ultra-simple question put there didn't get an answer since there's
> none to find.
>
> Therefore this activity is concluded and no new "smart-card-for-the-web"
> specifications will be presented, with FIDO alliance as an exception.
>
> Well, indirect paths to similar goals have indeed been proposed but have
> for unclear reasons not been considered or commented on although indirect
> methods (=bypassing the browser) are already a de-facto standard for mobile
> devices.
>
> Indirect methods are currently discussed and dealt with in places like
> this:
> https://code.google.com/p/chromium/issues/detail?id=378566
>
> Regards,
> Anders
>
>
>> On 2015-03-12 15:54, GALINDO Virginie wrote:
>>
>> [gemalto representative hat on]
>>
>> gemalto supports to discuss in W3C the usage of the secure services
>> based on hardware or combination
>>
>> > of hardware/software (e.g. secure element, trusted execution
>> environment).
>>
>> We suggest to gather the supporting companies and draft a charter
>> for a Working Group or an Interest Group.
>> this synchronization can happen in public, preferably on the
>> public-web-security interest group mailing list
>>
>> > (to avoid overloading the web crypto working group mailing list).
>>
>> We had an F2F, then we had discussions and finally we had the public
>> dismissal by Google of the core idea (=support for legacy security
>> hardware in browsers).
>>
>> That is, this activity is concluded and doesn't benefit from being
>> rehashed unless somebody has a silver bullet to offer.
>>
>> Regards
>> Anders
>>
>>
>> Regards,
>> Virginie
>> gemalto
>>
>> ________________________________________
>> From: Wendy Seltzer [wseltzer@w3.org]
>> Sent: Wednesday, 11 March 2015 22:55
>> To: Siva Narendra; Harry Halpin
>> Cc: public-web-security@w3.org; public-webcrypto@w3.org; Charles
>> Engelke; GALINDO Virginie
>> Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your
>> review and comments
>>
>> Hi Siva and all,
>>
>> To follow up on Harry's response, we have great interest in doing more
>> work on secure authentication building on the WebCrypto API. As its
>> Chair has expressed, the WebCrypto WG wants to complete its work with a
>> tight focus on the WebCrypto API and related deliverables.
>>
>> For my part, I look forward to supporting additional groups focused on
>> extending WebCrypto's work, whether based in FIDO or secure hardware.
>> Any member can propose work, and so long as there is interest and a path
>> to getting interoperable implementations, some members'
>> non-participation does not act as a veto.
>>
>> --Wendy
>>
>> On 03/11/2015 05:32 PM, Siva Narendra wrote:
>>
>> Thank you Harry.
>>
>> -Siva
>>
>> --
>>
>> Siva G. Narendra Ph.D. CEO - Tyfone, Inc.
>> Portland | Bangalore | Taipei
>> www.tyfone.com
>> Voice: +1.661.412.2233
>>
>> On Wed, Mar 11, 2015 at 2:27 PM, Harry Halpin <hhalpin@w3.org> wrote:
>>
>> On 03/11/2015 09:59 PM, Siva Narendra wrote:
>>
>> +adding Pub-Web-Security for continuity from the Workshop
>>
>> Thank you Harry. Few questions:
>>
>> 1. Does this mean "FIDO will not be implemented under this WG?"
>> 2. Is the statement "All the web browser implementers do not want to
>> support hardware tokens or anything that is outside of cryptography in
>> within the scope of WG?" or "One browser vendor does not want to support
>> anything other than FIDO?"
>>
>>
>> I think the answer should be:
>>
>> 1) FIDO will not be implemented under the Web Crypto Working Group, but
>> may be pursued in another WG.
>>
>> 2) Hardware token support, both in a manner consistent with a revised
>> Gemalto proposal that takes on board feedback like respect for
>> same-origin policy, should be pursued in another Working Group, but not
>> in the WebCrypto WG.
>>
>> Does that help?
>>
>> The real question now is what the shape and charter(s) of the new
>> Working Groups will be, along with associated time-frames.
>>
>> There have been formal Member submissions neither from the smartcard
>> vendors nor FIDO, but lots of informal discussion. However, the workshop
>> did reach consensus that hardware token support should be part of the
>> Open Web Platform, and the W3C would like to follow this up with one or
>> more new Working Groups if the work does not match existing Working
>> Groups.
>>
>> As the discussion in Web Crypto WG shows, it does not match at the time
>> being as the implementors want to focus on algorithm maintenance and
>> finishing version 1.0.
>>
>> If opinions have drastically changed since the workshop, we would like
>> to revisit that consensus via a survey of W3C members but we are hoping
>> there is still consensus and momentum.
>>
>> cheers,
>> harry
>>
>>
>>
>> This is important for the eco-system to know so we can determine if this
>> work should be pursued inside W3C or outside.
>>
>> Thank you,
>> Siva
>>
>>
>> --
>>
>> Siva G. Narendra Ph.D. CEO - Tyfone, Inc.
>> Portland | Bangalore | Taipei
>> www.tyfone.com
>> Voice: +1.661.412.2233
>>
>> On Wed, Mar 11, 2015 at 11:16 AM, Harry Halpin <hhalpin@w3.org> wrote:
>>
>> On 03/11/2015 07:08 PM, Charles Engelke wrote:
>>
>> I'm new to this WG and W3C in general, so I may be missing points on
>> how this works. But until today that draft did include adding new use
>> cases. Today that was revised to say "the Web Crypto WG will not
>> address any new use case other than the ones developed with the first
>> version of the Web Crypto API."
>>
>> Did I miss the process that made this change?
>>
>>
>> There were strong objections from members of the Working Group, in
>> particular implementers that are on public record.
>>
>> Thus, while the W3C is still committed to finding an appropriate home
>> for these use-cases and associated standards, it will not be this
>> Working Group.
>>
>> If you have a particular use-case and proposed technical solution that
>> you think would be acceptable to implementers, e-mail the Web Security
>> Interest Group at public-web-security@w3.org.
>>
>> cheers,
>> harry
>>
>>
>> Thanks,
>>
>> Charlie
>>
>> On Wed, Mar 11, 2015 at 1:13 PM, GALINDO Virginie
>> <Virginie.Galindo@gemalto.com> wrote:
>>
>> Dear all,
>>
>> You will find here
>> https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter
>> the basis of the next Web Crypto WG charter.
>>
>> Based on the feedback on this mailing list, despite the long
>> discussions we had related to new features such as crypto service in
>> secure element, certificate management, authentication management,
>> this charter only addresses the maintenance of the Web Crypto API, and
>> the creation of extension for specific algorithms.
>>
>> What I am expecting from working group participants now is the
>> algorithms they would like to see as extension of the Web Crypto API.
>> This will help us to get a list of the extension we plan to address in
>> the framework of that specific working group.
>>
>> Please note that there are some discussions in AC forum about
>> restricting activities of any WG that does not work under a valid
>> charter. Our charter will expire on the 31st of March, as such, we
>> should try to get consensus on the new charter as soon as possible (or
>> we will have to ask an extension to W3C director).
>>
>> Regards,
>> Virginie Galindo
>> gemalto
>> chair of the web crypto WG
>>
>> ________________________________
>> This message and any attachments are intended solely for the
>> addressees and may contain confidential information. Any unauthorized
>> use or disclosure, either whole or partial, is prohibited.
>> E-mails are susceptible to alteration. Our company shall not be liable
>> for the message if altered, changed or falsified. If you are not the
>> intended recipient of this message, please delete it and notify the
>> sender.
>> Although all reasonable efforts have been made to keep this
>> transmission free from viruses, the sender will not be liable for
>> damages caused by a transmitted virus.
>>
>>
>>
>>
>>
>> --
>> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
>> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
>>
>
Received on Tuesday, 17 March 2015 06:12:22 UTC