On Mar 16, 2015 10:06 PM, "Anders Rundgren" <anders.rundgren....@gmail.com> wrote:
On 2015-03-17 04:34, Colin Gallagher wrote:
My impression was Wendy said some members' non-participation with
respect to some idea or another doesn't act as a veto so, correct me if I'm
wrong, but doesn't that imply that whether Google or someone else does or does
not like an idea, then can't it be included anyway? So the group can proceed...
not being concerned about vetoes of legacy security hardware, so basically, I
think the answer is... yes.
Also, why new working group for secure hardware/tokens/FIDO/etc, when it could be
a subgroup or interest group within webcrypto, time permitting (charter expiring on march
31, but will it be extended)? So, one could just call this additional group within
webcrypto "secure hardware" and give it a list for those interested. This is
just my suggestion.
Finally, some of the security issues brought up... no Web Security
Principle (maintained), plus, the Same Origin Policy doc is an IETF 2011 item
itself in need of some review. Some of this stuff cited is extremely dated.
I would further suggest pushing this out for further public review, see
if you can get some more eyes on the process.
Colin, my claim from November last year is still valid:
https://lists.w3.org/Archives/Public/public-web-security/2014Nov/0032.html
The ultra-simple question put there didn't get an answer since there's none
to find.
Therefore this activity is concluded and no new "smart-card-for-the-web"
specifications will be presented, with FIDO alliance as an exception.
Well, indirect paths to similar goals have indeed been proposed but have
for unclear reasons not been considered or commented on although indirect
methods (=bypassing the browser) are already a de-facto standard for mobile
devices.
Indirect methods are currently discussed and dealt with in places like this:
https://code.google.com/p/chromium/issues/detail?id=378566
Regards,
Anders
On 2015-03-12 15:54, GALINDO Virginie wrote:
[gemalto representative hat on]
gemalto supports discussing in W3C the usage of the secure services based on
hardware or combination of hardware/software (e.g. secure element, trusted
execution environment).
We suggest to gather the supporting companies and draft a charter for a
Working Group or an Interest Group.
This synchronization can happen in public, preferably on the
public-web-security interest group mailing list (to avoid overloading the
web crypto working group mailing list).
We had an F2F, then we had discussions and finally we had the public dismissal
by Google of the core idea (=support for legacy security hardware in browsers).
That is, this activity is concluded and doesn't benefit from being rehashed
unless somebody has a silver bullet to offer.
Regards
Anders
Regards,
Virginie
gemalto
__________________________________________
From: Wendy Seltzer [wselt...@w3.org]
Sent: Wednesday, 11 March 2015 22:55
To: Siva Narendra; Harry Halpin
Cc: public-web-security@w3.org; public-webcrypto@w3.org; Charles Engelke; GALINDO Virginie
Subject: Re: [Web Crypto WG] draft Web Crypto WG charter : for your review and comments
Hi Siva and all,
To follow up on Harry's response, we have great interest in doing more
work on secure authentication building on the WebCrypto API. As its
Chair has expressed, the WebCrypto WG wants to complete its work with a
tight focus on the WebCrypto API and related deliverables.
For my part, I look forward to supporting additional groups focused on
extending WebCrypto's work, whether based in FIDO or secure hardware.
Any member can propose work, and so long as there is interest and a path
to getting interoperable implementations, some members'
non-participation does not act as a veto.
--Wendy
On 03/11/2015 05:32 PM, Siva Narendra wrote:
Thank you Harry.
-Siva
--
Siva G. Narendra Ph.D.
CEO - Tyfone, Inc.
Portland | Bangalore | Taipei
www.tyfone.com
Voice: +1.661.412.2233
On Wed, Mar 11, 2015 at 2:27 PM, Harry Halpin <hhal...@w3.org> wrote:
On 03/11/2015 09:59 PM, Siva Narendra wrote:
+adding Pub-Web-Security for continuity from the Workshop
Thank you Harry. Few questions:
1. Does this mean "FIDO will not be implemented under this WG?"
2. Is the statement "All the web browser implementers do not want to
support hardware tokens or anything that is outside of cryptography in
within the scope of WG?" or "One browser vendors does not want to support
anything other than FIDO?"
I think the answer should be:
1) FIDO will not be implemented under the Web Crypto Working Group, but
may be pursued in another WG.
2) Hardware token support, both in a manner consistent with a revised
Gemalto proposal that takes on board feedback like respect for
same-origin policy, should be pursued in another Working Group, but not
in the WebCrypto WG.
Does that help?
The real question now is what the shape and charter(s) of the new
Working Groups will be, along with associated time-frames.
There have been formal Member submissions neither from the smartcard
vendors or FIDO, but lots of informal discussion. However, the workshop
did reach consensus that hardware token support should be part of the
Open Web Platform, and the W3C would like to follow this up with one or
more new Working Groups if the work does not match existing Working Groups.
As the discussion in Web Crypto WG shows, it does not match at the time
being as the implementors want to focus on algorithm maintenance and
finishing version 1.0.
If opinions have drastically changed since the workshop, we would like
to revisit that consensus via a survey of W3C members but we are hoping
there is still consensus and momentum.
cheers,
harry
This is important for the eco-system to know so we can
determine if this
work should be pursued inside W3C or outside.
Thank you,
Siva
On Wed, Mar 11, 2015 at 11:16 AM, Harry Halpin <hhal...@w3.org> wrote:
On 03/11/2015 07:08 PM, Charles Engelke wrote:
I'm new to this WG and W3C in general, so I may be missing points on
how this works. But until today that draft did include adding new use
cases. Today that was revised to say "the Web Crypto WG will not
adress any new use case others then the ones developed with the first
version of the Web Crypto API."
Did I miss the process that made this change?
There were strong objections from members of the Working Group, in
particular implementers that are on public record.
Thus, while the W3C is still committed to finding an appropriate home
for these use-cases and associated standards, it will not be this
Working Group.
If you have a particular use-case and proposed technical solution that
you think would be acceptable to implementers, e-mail the Web Security
Interest Group at public-web-security@w3.org.
cheers,
harry
Thanks,
Charlie
On Wed, Mar 11, 2015 at 1:13 PM, GALINDO Virginie <virginie.gali...@gemalto.com> wrote:
Dear all,
You will find here
https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter
the basis of the next Web Crypto WG charter.
Based on the feedback on this mailing list, despite the long discussions we
had related to new features such as crypto service in secure element,
certificate management, authentication management, this charter only
addresses the maintenance of the Web Crypto API, and the creation of
extension for specific algorithms.
What I am expecting from working group participants now is the algorithms
they would like to see as extension of the Web Crypto API. This will help us
to get a list of the extension we plan to address in the framework of that
specific working group.
Please note that there are some discussions in AC forum about restricting
activities of any WG that does not work under a valid charter. Our charter
will expire on the 31st of March, as such, we should try to get consensus on
the new charter as soon as possible (or we will have to ask an extension to
W3C director).
Regards,
Virginie Galindo
gemalto
chair of the web crypto WG
__________________________________
This message and any attachments are intended solely for the addressees and
may contain confidential information. Any unauthorized use or disclosure,
either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for
the message if altered, changed or falsified. If you are not the intended
recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission
free from viruses, the sender will not be liable for damages caused by a
transmitted virus.
--
Wendy Seltzer -- wselt...@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)