Is the discussion at TPAC going to be in a breakout session? If so — is it scheduled yet? I would like to attend.
> On Oct 23, 2015, at 11:12 PM, Melvin Carvalho <melvincarva...@gmail.com> wrote:
>
> On 23 October 2015 at 16:02, Wendy Seltzer <wselt...@w3.org> wrote:
>
> > On 10/23/2015 09:28 AM, Melvin Carvalho wrote:
> >
> > > On 23 October 2015 at 11:05, Wendy Seltzer <wselt...@w3.org> wrote:
> > >
> > > > Hi Web Security,
> > > >
> > > > Last year, we announced work in progress on new security work-areas, then proposed as a re-chartering of the Web Cryptography Working Group.[1]
> > > >
> > > > WebCrypto is concluding its work and we have identified two distinct areas of potential new work: Web Authentication and Hardware-Based Security. We propose to discuss draft charters for this work in a plenary day breakout at TPAC (Wednesday).[2]
> > > >
> > > > Web Authentication (based on an anticipated submission from FIDO 2):
> > > > https://w3c.github.io/websec/web-authentication-charter
> > >
> > > I think the line "Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage while respecting the Same Origin Policy"
> > >
> > > Should read "Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage"
> > >
> > > IMHO the last part doesn't really add anything, and potentially imposes a false constraint. Respecting security best practices for scoping and asymmetric keys will ensure that private material is not leaked, and that public material is made available to the correct audience.
> >
> > The parameters of those interested in developing this work include explicitly respecting the Same Origin Policy. Since that security boundary is widely applied across web applications, setting user and developer expectations, respecting it is essential to the deployment of new authentication components. While we usually implicitly assume that new work will respect architectural best practices, it seemed useful to add the text here to head off these counter-arguments from the start.
>
> Thanks for the explanation and for sharing the draft.
>
> -1 on that line still, I don't think it is needed.
>
> Preempting counter arguments I don't think is a necessary measure.
>
> > > Also:
> > >
> > > Out of Scope
> > >
> > > Out of scope: federated identity, multi-origin credentials, low-level access to cryptographic operations or key material.
> > >
> > > The web is predicated on the URI which is a federated identification system. It would be good to understand whether or not there was a documented consensus process that came up with this clause.
> >
> > This line doesn't preclude federated identity work elsewhere, just not in this chartered group.
> >
> > Discussions began with FIDO members who are also W3C members; we're now inviting broader feedback. We assess consensus later, when we bring charters to the W3C membership (Advisory Committee) for review.
>
> Thanks. Look forward to hearing more.
>
> > --Wendy
> >
> > > > Hardware-Based Security:
> > > > https://w3c.github.io/websec/hwsec-charter
> > > >
> > > > We look forward to discussion at TPAC, here, and via github pull requests.
> > > >
> > > > Best,
> > > > --Wendy
> > > >
> > > > [1] https://lists.w3.org/Archives/Member/w3c-ac-members/2014JulSep/0049.html
> > > > [2] https://www.w3.org/wiki/TPAC/2015/SessionIdeas#Web_Authentication_and_Security
> > > > --
> > > > Wendy Seltzer -- wselt...@w3.org +1.617.715.4883 (office)
> > > > Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> > > > http://wendy.seltzer.org/
> > > > +1.617.863.0613 (mobile)