- From: Erik Anderson <eanders@pobox.com>
- Date: Fri, 23 Oct 2015 15:13:52 -0400
- To: Web Payments IG <public-webpayments-ig@w3.org>

Thanks Wendy. I have been anxiously awaiting these. I will review on the plane to TPAC.

One thing jumps out at me in the web-authentication-charter

> Out of scope: federated identity, multi-origin credentials, low-level
> access to cryptographic operations or key material.

Financial Services uses PKCS#11 and rotatable/changeable key material in their mobile applications so they can instantly rotate any key generation inputs in the event of a suspected compromise. They also use this to combine key material and random material into custom SSL tunnels so they don't have to rely 100% on the trust of the random number generator.

As written the spec doesn't meet many of the bank security team's ever increasing RISK requirements.

In financial services RISK > R&D

Anything that has the potential, perceived or real, to increase an institutional exposure/risk gets vetoed.

Erik Anderson
Bloomberg

On 2015-10-23 12:36, Wendy Seltzer wrote:
> Hi Web Payments IG,
>
> In advance of my visit to the IG Monday at TPAC, here are links to the
> draft security charters we'll be discussing. I look forward to your
> input and participation in the Wednesday breakout as well.
>
> Best,
> --Wendy
>
> -------- Forwarded Message --------
> Subject: Draft security charters for discussion at TPAC
> To: public-web-security@w3.org <public-web-security@w3.org>
>
> Hi Web Security,
>
> Last year, we announced work in progress on new security work-areas,
> then proposed as a re-chartering of the Web Cryptography Working
> Group.[1]
>
> WebCrypto is concluding its work and we have identified two distinct
> areas of potential new work: Web Authentication and Hardware-Based
> Security. We propose to discuss draft charters for this work in a
> plenary day breakout at TPAC (Wednesday).[2]
>
> Web Authentication (based on an anticipated submission from FIDO 2):
> https://w3c.github.io/websec/web-authentication-charter
>
> Hardware-Based Security:
> https://w3c.github.io/websec/hwsec-charter
>
> We look forward to discussion at TPAC, here, and via github pull
> requests.
>
> Best,
> --Wendy
>
>
> [1]
> https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> [2]
> https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security

Received on Friday, 23 October 2015 19:17:50 UTC