Re: Fwd: Draft security charters for discussion at TPAC from Erik Anderson on 2015-10-23 (public-webpayments-ig@w3.org from October 2015)

From: Erik Anderson <eanders@pobox.com>
Date: Fri, 23 Oct 2015 15:13:52 -0400
To: Web Payments IG <public-webpayments-ig@w3.org>
Message-ID: <8ab4d5fecacafa991a5d0846d1b56aa5@pobox.com>

Thanks Wendy. I have been anxiously awaiting these. I will review on the 
plane to TPAC.

One thing jumps out at me in the web-authentication-charter

> Out of scope: federated identity, multi-origin credentials, low-level 
> access to cryptographic operations or key material.

Financial Services uses PKCS#11 and rotatable/changeable key material in 
their mobile applications so they can instantly rotate any key 
generation inputs in event of a suspected compromise. They also use this 
to combine key material and random material into custom SSL tunnels so 
they dont have ti rely 100% on the trust of the random number generator.

As written the spec doesnt meet many of the bank security team's ever 
increasing RISK requirements. In financial services
RISK > R&D

Anything that has the potential, perceived or real, to increase the an 
institutional exposure/risk gets veto'ed.

Erik Anderson
Bloomberg

On 2015-10-23 12:36, Wendy Seltzer wrote:
> Hi Web Payments IG,
> 
> In advance of my visit to the IG Monday at TPAC, here are links to the
> draft security charters we'll be discussing. I look forward to your
> input and participation in the Wednesday breakout as well.
> 
> Best,
> --Wendy
> 
> -------- Forwarded Message --------
> Subject: Draft security charters for discussion at TPAC
> To: public-web-security@w3.org <public-web-security@w3.org>
> 
> Hi Web Security,
> 
> Last year, we announced work in progress on new security work-areas,
> then proposed as a re-chartering of the Web Cryptography Working 
> Group.[1]
> 
> WebCrypto is concluding its work and we have identified two distinct
> areas of potential new work: Web Authentication and Hardware-Based
> Security. We propose to discuss draft charters for this work in a
> plenary day breakout at TPAC (Wednesday).[2]
> 
> Web Authentication (based on an anticipated submission from FIDO 2):
>   https://w3c.github.io/websec/web-authentication-charter
> 
> Hardware-Based Security:
>   https://w3c.github.io/websec/hwsec-charter
> 
> We look forward to discussion at TPAC, here, and via github pull 
> requests.
> 
> Best,
> --Wendy
> 
> 
> [1] 
> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> [2]
> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security

Received on Friday, 23 October 2015 19:17:50 UTC