- From: Ryan Sleevi <sleevi@google.com>
- Date: Tue, 13 Nov 2012 09:59:10 -0800
- To: Chris Lilley <chris@w3.org>
- Cc: public-webcrypto-comments@w3.org
Thanks for forwarding this on.

My individual feeling is that this work is not (yet) something for the Web Crypto WG to work on. It represents a specific API, much like Kerberos or smart cards, that, while valuable, brings with it a host of security and usability considerations.

Minimally, the reliance on TLS keying material export / channel IDs suggests a dissonance in the web model, due to the multi-resource nature of script execution. That is, because a user agent may negotiate multiple TLS sessions simultaneously, this results in arbitrary session identifiers and security parameters for the (multiple) TLS sessions used to collectively instantiate the script execution environment. As a result, it is difficult-to-impossible to practically assure that there is consistent keying material being exported from the correct channel, and that future requests will be associated with the same channel from which keying material was exported. This is fundamentally the same concern on why WebID is impractical and unimplementable.

I think it's reasonable to consider this for possible future work, as a signal of interest in the use cases, but I'm not sure much of this API overlaps with what is currently roadmapped - for better or worse.

On Tue, Nov 13, 2012 at 4:51 AM, Chris Lilley <chris@w3.org> wrote:
> This is a forwarded message
> From: 3GPPLiaison statements <3GPPLiaison@etsi.org>
> To: "'w3c-html-cg@w3.org'" <w3c-html-cg@w3.org>
> Date: Monday, November 12, 2012, 1:34:12 PM
> Subject: [Moderator Action] 3GPP liaison statement to W3C
>
> ===8<==============Original message text===============
>
> Dear W3C,
>
> Please find attached a liaison statement from 3GPP SA WG3 to W3C - Web Crypto Working group.
>
> BR
>
> --susanna
>
> -------------------------------------------------------------
> Susanna Kooistra, ETSI MCC
> 3GPP Liaison
> E-mail: 3GPPLiaison@etsi.org
> Phone: +33 (0)4 92 94 49 35
>
> 3GPP TSG-SA WG3 (Security) Meeting #69 S3-121203
>
> Edinburgh, Scotland, 5. - 9. November 2012
>
> Title: Integration of Web GBA with Crypto API
>
> Release: Rel-12
>
> Work Item: SEC12
>
> Source: 3GPP SA3
>
> To: W3C - Web Crypto Working Group
>
> Cc: SA
>
> Contact Persons:
>
> Names: Silke Holtmanns, Mireille Pauliac
>
> E-mail Address: Silke dot Holtmanns at Nokia dot com
>
> Mireille dot Pauliac at Gemalto dot com
>
> Attachments: S3-121202
>
> ===8<===========End of original message text===========
>
> --
> Chris Lilley Technical Director, Interaction Domain
> W3C Graphics Activity Lead, Fonts Activity Lead
> Co-Chair, W3C Hypertext CG
> Member, CSS, WebFonts, SVG Working Groups

Received on Tuesday, 13 November 2012 17:59:51 UTC