
Re: Draft security charters for discussion at TPAC

From: Arie Y LEVY COHEN <arielevycohen@gmail.com>
Date: Fri, 23 Oct 2015 16:27:37 -0400
Cc: Web Payments IG <public-webpayments-ig@w3.org>
Message-Id: <2FDECBCB-72AF-4112-A989-347D3A6F0C83@gmail.com>
To: Erik Anderson <eanders@pobox.com>

Heritage & Legacy Advisory | Multi-Generational Wealth Preservation
P: 917.692.6999

> On Oct 23, 2015, at 3:13 PM, Erik Anderson <eanders@pobox.com> wrote:
> Thanks Wendy. I have been anxiously awaiting these. I will review on the plane to TPAC.
> One thing jumps out at me in the web-authentication-charter
>> Out of scope: federated identity, multi-origin credentials, low-level access to cryptographic operations or key material.
> Financial Services uses PKCS#11 and rotatable/changeable key material in their mobile applications so they can instantly rotate any key generation inputs in the event of a suspected compromise. They also use this to combine key material and random material into custom SSL tunnels so they don't have to rely 100% on the trust of the random number generator.
> As written the spec doesn't meet many of the bank security team's ever increasing RISK requirements. In financial services
> RISK > R&D
> Anything that has the potential, perceived or real, to increase an institutional exposure/risk gets vetoed.
> Erik Anderson
> Bloomberg
>> On 2015-10-23 12:36, Wendy Seltzer wrote:
>> Hi Web Payments IG,
>> In advance of my visit to the IG Monday at TPAC, here are links to the
>> draft security charters we'll be discussing. I look forward to your
>> input and participation in the Wednesday breakout as well.
>> Best,
>> --Wendy
>> -------- Forwarded Message --------
>> Subject: Draft security charters for discussion at TPAC
>> To: public-web-security@w3.org <public-web-security@w3.org>
>> Hi Web Security,
>> Last year, we announced work in progress on new security work-areas,
>> then proposed as a re-chartering of the Web Cryptography Working Group.[1]
>> WebCrypto is concluding its work and we have identified two distinct
>> areas of potential new work: Web Authentication and Hardware-Based
>> Security. We propose to discuss draft charters for this work in a
>> plenary day breakout at TPAC (Wednesday).[2]
>> Web Authentication (based on an anticipated submission from FIDO 2):
>>  https://w3c.github.io/websec/web-authentication-charter
>> Hardware-Based Security:
>>  https://w3c.github.io/websec/hwsec-charter
>> We look forward to discussion at TPAC, here, and via github pull requests.
>> Best,
>> --Wendy
>> [1] https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
>> [2] https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security

Received on Friday, 23 October 2015 20:28:08 UTC
