- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 23 Oct 2015 15:28:58 +0200
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CAKaEYhLUBOdZZ3SoZSxL1MFxgvU3vXZQjGbvd-bG9vDD7mLC6Q@mail.gmail.com>
On 23 October 2015 at 11:05, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi Web Security,
>
> Last year, we announced work in progress on new security work-areas,
> then proposed as a re-chartering of the Web Cryptography Working Group.[1]
>
> WebCrypto is concluding its work and we have identified two distinct
> areas of potential new work: Web Authentication and Hardware-Based
> Security. We propose to discuss draft charters for this work in a
> plenary day breakout at TPAC (Wednesday).[2]
>
> Web Authentication (based on an anticipated submission from FIDO 2):
> https://w3c.github.io/websec/web-authentication-charter

I think the line

"Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage while respecting the Same Origin Policy"

should read

"Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage"

IMHO the last part doesn't really add anything, and potentially imposes a false constraint. Respecting security best practices for scoping and asymmetric keys will ensure that private material is not leaked, and that public material is made available to the correct audience.

Also:

Out of Scope

Out of scope: federated identity, multi-origin credentials, low-level access to cryptographic operations or key material.

The web is predicated on the URI, which is a federated identification system. It would be good to understand whether or not there was a documented consensus process that came up with this clause.

> Hardware-Based Security:
> https://w3c.github.io/websec/hwsec-charter
>
> We look forward to discussion at TPAC, here, and via github pull requests.
>
> Best,
> --Wendy
>
> [1] https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> [2] https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Friday, 23 October 2015 13:29:33 UTC