W3C home > Mailing lists > Public > public-webpayments-ig@w3.org > October 2015

Re: Fwd: Draft security charters for discussion at TPAC

From: Erik Anderson <eanders@pobox.com>
Date: Fri, 23 Oct 2015 15:13:52 -0400
To: Web Payments IG <public-webpayments-ig@w3.org>
Message-ID: <8ab4d5fecacafa991a5d0846d1b56aa5@pobox.com>
Thanks Wendy. I have been anxiously awaiting these. I will review on the 
plane to TPAC.

One thing jumps out at me in the web-authentication-charter

> Out of scope: federated identity, multi-origin credentials, low-level 
> access to cryptographic operations or key material.

Financial Services uses PKCS#11 and rotatable/changeable key material in 
their mobile applications so they can instantly rotate any key 
generation inputs in event of a suspected compromise. They also use this 
to combine key material and random material into custom SSL tunnels so 
they dont have ti rely 100% on the trust of the random number generator.

As written the spec doesnt meet many of the bank security team's ever 
increasing RISK requirements. In financial services

Anything that has the potential, perceived or real, to increase the an 
institutional exposure/risk gets veto'ed.

Erik Anderson

On 2015-10-23 12:36, Wendy Seltzer wrote:
> Hi Web Payments IG,
> In advance of my visit to the IG Monday at TPAC, here are links to the
> draft security charters we'll be discussing. I look forward to your
> input and participation in the Wednesday breakout as well.
> Best,
> --Wendy
> -------- Forwarded Message --------
> Subject: Draft security charters for discussion at TPAC
> To: public-web-security@w3.org <public-web-security@w3.org>
> Hi Web Security,
> Last year, we announced work in progress on new security work-areas,
> then proposed as a re-chartering of the Web Cryptography Working 
> Group.[1]
> WebCrypto is concluding its work and we have identified two distinct
> areas of potential new work: Web Authentication and Hardware-Based
> Security. We propose to discuss draft charters for this work in a
> plenary day breakout at TPAC (Wednesday).[2]
> Web Authentication (based on an anticipated submission from FIDO 2):
>   https://w3c.github.io/websec/web-authentication-charter
> Hardware-Based Security:
>   https://w3c.github.io/websec/hwsec-charter
> We look forward to discussion at TPAC, here, and via github pull 
> requests.
> Best,
> --Wendy
> [1] 
> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> [2]
> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security
Received on Friday, 23 October 2015 19:17:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:08:46 UTC