08:56:22 RRSAgent has joined #hb-secure-services 08:56:22 logging to http://www.w3.org/2016/04/26-hb-secure-services-irc 08:56:25 Zakim has joined #hb-secure-services 08:56:35 Meeting: Hardware-Based Secure Services CG 09:05:04 screen has joined #hb-secure-services 09:08:00 acouvert has joined #hb-secure-services 09:08:39 wseltzer has changed the topic to: Hardware-Based Secure Services 09:08:56 mkuhn has joined #hb-secure-services 09:10:06 lescarr has joined #hb-secure-services 09:10:45 chackett has joined #hb-secure-services 09:11:25 Hello everybody, Conor Hackett from Worldpay here. 09:11:32 Welcome! 09:11:52 Wendy Seltzer from W3C 09:12:28 Hello, Aurelien Couvert from Gemalto 09:12:30 PhilHoyer has joined #hb-secure-services 09:13:09 drogersuk has joined #hb-secure-services 09:13:22 brian has joined #hb-secure-services 09:13:46 virginie has joined #hb-secure-services 09:13:54 schuki has joined #hb-secure-services 09:14:48 Arnold has joined #hb-secure-services 09:14:48 Introduction from Susan McLean of MoFo 09:14:58 Sue: MoFo, supporting the workshop 09:15:38 Adrian has joined #hb-secure-services 09:15:40 Sue: MoFo is happy to provide legal support to tech companies 09:15:46 arnold has joined #hb-secure-services 09:15:52 ... data privacy and security practice 09:16:19 ... Welcome! 09:16:33 Markus Kuhn, University of Cambridge, here, hi everone! 09:16:49 Sebastien has joined #hb-secure-services 09:17:03 ... Women in Wireless, UK tech organization 09:17:20 Susan McLean talking about Women in Wireless 09:18:48 Agenda is here : https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda 09:18:53 Wendy Seltzer introduces the two days 09:18:56 We will need to review it 09:19:08 Dont forget to list topics you want to address 09:19:10 ...developing a really solid plan of how we bring hardware security to the web 09:19:20 caribou has joined #hb-secure-services 09:19:28 ..user expectations and the ecosystem 09:19:36 ..this is IRC! 09:20:00 ..we use IRC in W3C fer recording minutes and text in realtime 09:20:13 ...we produce the minutes as we're meeting 09:20:19 ..[like this] 09:20:36 https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda 09:20:54 klas has joined #hb-secure-services 09:20:57 ...now introductions 09:21:21 ...Wendy: I am part of the W3C team. This is a community group - to get early ideas for standardisation 09:21:46 ...we often incubate ideas through workshops which can reach standardisation through our recommendations 09:22:02 ...my role as W3C team is to help you to do that. 09:22:15 Virginie Galindo: I am co-chairing this CG 09:22:39 ..I have an interest in this work from my company perspective, Gemalto 09:23:00 drogersuk: David Rogers, Copper Horse 09:23:20 ... W3C; chair GSMA device security 09:23:40 ...proposals here need to be attractive enough for browser vendors 09:23:49 Conor_Hackett: WorldPay 09:24:17 Aurelien_Couvert: Gemalto; previously worked with web secure element API 09:24:34 Brian_Sullivan: VISA Europe. Payments security 09:24:54 Arnold: Samsung, crypto and security 09:25:08 Colin_Whorlow: CESG 09:25:24 Paul: CESG, TCG, GlobalPlatform, FIDO 09:25:36 Sebastian: Morpho, identity and secure services 09:25:46 @@: Samsung, browser and security 09:26:05 Natasha: GSMA, mobile operators 09:26:17 hvirji has joined #hb-secure-services 09:26:20 Michelle: NokNok Labs, one of the founders of FIDO Alliance 09:26:28 s/Sebastian/Sebastien/ 09:26:46 Les: Southampton Web Sciences Insitute 09:26:59 Susan: Univ. Southampton 09:27:04 @@: Yubico 09:27:13 Markus_Kuhn: Univ of Cambridge 09:27:21 Robert_Lee: Royal Holloway smartcard center 09:27:40 Joerg_Heuer: DT Labs. ID management, secure element, sim card 09:28:01 Peter: DT, security consultant on HW sec 09:28:16 Philip_Hoyer: HD Global 09:28:26 Adrian_Castilio: HID Global hw credentials 09:28:31 s/HD/HID/ 09:29:43 Wendy introduces the W3C objectives, 400 members worldwide 09:29:52 ...consensus to produce recommendations for the web 09:30:04 ...e.g. html, css, web crypto api 09:30:23 ......things that help web services interoperate 09:30:45 ...no power to compel - help people to recognise the value of the work we're creating 09:30:54 ...so that it is adopted in browsers 09:31:06 ...we can take advantage of hardware capabilities for the web 09:31:20 ...for example - authorisation, key storage, processing - better 09:31:46 ...we can do it on the web platform if we convince the participants that these are services that we need and implementable, sensible and at the right level of abstraction. 09:32:08 ...over the next two days, the goal is to see how specific we can get about early prototype services for the web 09:32:21 ...what does the web need and what can we get out of those APIs 09:32:32 ...let's try and whiteboard how we get there 09:32:53 ..the recommendations go out for votes among the membership. 09:33:26 ...We got responses on this particular charter, but we got some pushback in terms of it being too broad. We also got substantial support for the work. 09:33:51 ...So let's take a step back and look at the charter again so that it meets all the necessary needs. 09:34:39 ...We have a Royalty Free patent policy which has been very successful 09:35:01 ..the scope is therefore extremely important in working group charters. 09:35:38 ...We also have other groups in W3C that are looking at things like web authentication - this is a layer above where we are looking at. 09:36:04 ...We also have the web crypto API which is nearly finished, at Candidate Recommendation status 09:36:15 ...how can we support that functionality with hardware? 09:36:51 ...We also have a web payments working group, chartered to look at bringing payments to the web. They are not doing security in that group 09:37:05 ...we could also be looking to support security for the web payments work. 09:39:34 colin has joined #hb-secure-services 09:39:46 drogersuk has joined #hb-secure-services 09:39:51 chackett has joined #hb-secure-services 09:40:02 jheuer has joined #hb-secure-services 09:40:26 Michelle_Salway has joined #hb-secure-services 09:41:04 Michael: G&D, on the phone line 09:41:25 Philip: What has changed from a few years ago 09:41:31 s/ago/ago?/ 09:41:47 Adrian has joined #hb-secure-services 09:42:08 ... more devices incorporate NFC; technologies of hw sec have decreased in price 09:42:16 Rob has joined #hb-secure-services 09:42:18 ... tech trends that would lead to solution 09:42:38 phofmanntsy has joined #hb-secure-services 09:43:06 -> https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/ 2014 workshop 09:43:23 virginie: Secure services, not specific implementation 09:43:26 q? 09:44:01 q+ 09:44:51 The charter which was sent for review to W3C members is : https://w3c.github.io/websec/hasec-charter 09:45:31 Wendy: we have seen feedback that incubation of this work is necessary and members don't want to see R&D without feedback from implementation and use 09:45:41 ..one of the ways is to start to draft 09:45:46 ..not just use cases and need 09:45:53 ...what does this look like in practice? 09:46:23 ...what is the shape of the API? How does this protect privacy against linkage across websites? What are the security, accessibility and internationalisation considerations? 09:46:59 ...some use cases discussed already 09:47:09 The list of item to discuss is here : https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop 09:47:17 ...citizen identity and services seems to be an important point in Europe 09:47:48 Frank-Michael__G_D_ has joined #hb-secure-services 09:48:07 q? 09:48:14 ack jh 09:48:36 jheuer: implementability and economic sustainability are key 09:48:48 Joerg Heuer: maybe not specific implementation but implementability important 09:49:31 ...use of hardware is a reality for almost everyone across the world 09:49:37 ...just look at the Oyster card in Lonodn 09:52:19 virginie: Reviewing agenda 09:52:30 Agenda: https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda 09:52:37 rrsagent, make logs public 09:52:41 rrsagent, draft minutes 09:52:41 I have made the request to generate http://www.w3.org/2016/04/26-hb-secure-services-minutes.html wseltzer 09:52:52 q? 09:54:17 5 presentations from different companies coming up this morning, @drogersuk will chair 09:55:04 This is where we want to re things : https://v.etherpad.org/p/Hardware_Security 09:57:52 Paul: Paul Waller, CESG 09:57:52 Paul Waller presenting from CESG 09:58:12 Paul is Technical Director in CESG for platform security 09:58:21 ...getting security right in govenrment platform and systems 09:58:42 ..improving government services, improving usability without compromising security 09:59:07 ...if it isn't viable it isn't going to work 09:59:37 ...when we talk about authnetication and managing crypto on the web, we really do need hardware for that 09:59:49 ...software based crypto etc. exposes more people to attack 09:59:56 ...as we see increased usage 10:00:10 ...reducing reliance on passwords 10:00:41 ...We help risk management - government as an enterprise for small, medium and large gov departments 10:01:07 ..usually on corporately managed laptops, increasingly more other types of devices. 10:01:21 ...The other thing is government services online (same as businesses) 10:01:24 FM has joined #hb-secure-services 10:01:29 ...we don't want a bucket load of passwords 10:01:36 ...we want it to be seamless and by default 10:01:42 ...easy to use the most secure option 10:02:09 ....I have been a contributor to a lot of standards - TCG, Global Platform and more recently in FIDO Alliance 10:02:29 ...for users - very difficult to explain what that is they just need to know it is ok 10:02:44 ...can I offer a better service if that is authenticated more strongly? 10:02:57 ...what does that mean? how do I tell? how can I get more confidence? 10:03:04 q? 10:04:17 ...would love to see a solution to user interface security and user perceptions and display of information 10:04:36 ...is it beyond the scope? 10:05:42 donfel01 has joined #hb-secure-services 10:05:46 ...I would like to have some confidence that I can send something to a device that I don't trust 10:07:20 FMK has joined #hb-secure-services 10:08:08 ... think we need to break this down into chunks we can deliver 10:08:40 ...if I was a bank, how can different hardware work with other banks / consumers / tell the difference is going to be key 10:09:31 ...I think the work of this group is to make the business case for it and understand how to plug all the bits together 10:09:39 q? 10:10:04 drogersuk: eIDAS? 10:10:49 ...there are also other schemes - eVerify 10:10:55 ...this stuff is coming 10:11:11 ...it just is going to be less cumbersome than what we're already doing 10:11:17 ...a bit clunky at the moment 10:14:17 drogersuk: We should both be capturing long-term objectives and immediate priorities 10:15:08 Adrian has joined #hb-secure-services 10:15:13 Arnold: thoughts about citizen services? single-identity per citizen, or federated? 10:15:33 Paul: Govt' program, Verify, use IDPs from industry, federate across govt services 10:15:44 ... don't believe goal is single ID per citizen 10:15:49 ... for privacy reasons 10:16:42 service program mentionned by Paul : https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify 10:16:53 Markus: hw sec is difficult to deploy, because you need to get the hardwarwe out 10:17:19 ... differentiate between security services done at W3C, then talk about implementation in hardware 10:17:31 ... start with software, then improve by hardware 10:18:08 ... Should we talk about HTTP, HTML security services? 10:18:09 q+ 10:18:29 Paul: Lots of the hardware is there. TPMs, TEEs, keystore 10:18:36 ... there's not yet mass adoption 10:19:03 ... attestation can help to provide a step-up in security 10:19:33 q? 10:19:41 ack wsel 10:21:47 wseltzer: e.g. needs of WebCrypto users for secure keystorage 10:21:59 q+ 10:22:04 Markus: idp services are currently server-side 10:23:10 q? 10:24:21 Sebastien: using browser as IDP, means that key is identity; you might also have different credentials 10:24:48 drogersuk: don't break the web. Also think about what happens wehn one of these services is not present. Graceful degradation 10:25:41 ..anti-patterns need to be captured 10:25:42 ack Seb 10:25:59 Phillip Hoyer from HID Global presenting now 10:27:24 [materila to be sent by Philip Hoyer] 10:27:43 s/materila/material 10:27:57 mkuhn has joined #hb-secure-services 10:28:51 etherpad, https://v.etherpad.org/p/Hardware_Security 10:29:10 rigo has joined #hb-secure-services 10:34:07 q? 10:34:08 q? 10:34:49 jheuer: important that user can choose *as whom* they are recognized 10:34:56 ... pseudonymity of the web 10:35:07 ... as a driver of user confidence 10:35:54 Philip: binding to the device is common 10:36:13 q+ 10:36:26 q? 10:37:33 q? 10:37:36 q- 10:38:03 wseltzer: accommodate a range of user preferences for privacy 10:40:37 chackett has joined #hb-secure-services 10:43:03 [Aurélien to send the material] 10:45:18 q? 10:45:52 Aurélien : the web security model and the SE based security model must be gapped 10:46:20 ... on the web side, the user chooses permission 10:46:26 ungapped? 10:46:40 ... the web uses the SOP 10:47:24 ... there is the marge use of authentication by third party (OAuth like) 10:47:51 ... on the smart card habits, there is pin management, or credential management in security domains in the card 10:48:32 ... on the mobile area, there is a technology known as access ocntrol enforcer : a list in the secure element checks a mob app can access the service 10:49:01 .... the solution should be public APIs to allow web app to access services in TEE or SE 10:49:24 the key point will be the access control, making sure only authorized entity can use the service 10:49:39 ... the question is : how do we build the access control ? 10:49:55 ... we have a lot of things, we need to pick some parts and build on that 10:50:17 ... or we can think at web services, based on REST services, relying on authent mecanisms 10:50:43 .... we can rely on other techno like priviliedged context and all security tools designed by the W3C 10:51:08 ... this is entry point to technical discussions 10:51:25 Rob has joined #hb-secure-services 10:51:35 ... how to add new authorized services into this solution (once we have an access control) 10:51:39 q? 10:52:51 q+ 10:53:02 phill : do we have an history of the workshop, we tried to adress everything, and did not succeed. We should revisit all the security tools and see if it is relevant for our use cases 10:53:30 phil : what does happen if there is no access control ? 10:53:54 phofmanntsy has joined #hb-secure-services 10:54:24 Aurélien : we need to have an intermediate step between web app accessing the APDU stack, like web app accessing a specific service 10:55:08 Phil : we discussed about priviledged application in FFOS 10:55:11 phil: privileged javascript? 10:55:31 David Rogers : FFOS is only maintained 10:55:56 Aurélien : we implemented a U2F FIDO service 10:56:00 drogersuk: top-up of transportation cards example? 10:57:14 Phil : it seems there is a common set of interest in different marlets ? 10:57:42 s/marlets/markets 10:57:54 q? 10:57:55 boxes could be categorized by use cases and then done in liaisons 10:58:02 Phil : is there any official liaison ? 10:58:11 Brian : there is no, but it could be 10:58:22 Brian : it would make sense 10:58:31 -> no, there is no liaison done at the moment, internally, could liaise with payment 10:58:44 Wendy : a common sense in W3C is to reuse what other industry develop 10:58:54 ... we used to ping EMVCO for the payment aspects 10:59:19 Paul : This slide #18 is an interesting slide to let the browser know the different technos 10:59:40 Paul ; we need to define what is the blue box content 10:59:59 (note that blue box label are payment/relaod/signature/authent) 11:00:01 chackett has joined #hb-secure-services 11:00:26 wendy : Same origin - the web sec is working well enough, while being challenged 11:00:30 drogersuk: web crypto group had a discussion on high level vs low level apis 11:00:52 ... SOP is a good basis today to bring security to web application 11:01:14 ... what we've got make a reasonnable job against threat 11:01:27 .... we have to work with it, until someone redesign a better approach 11:01:54 ... thinking about addional concept like trusted javascript could be a good direction 11:02:09 ... keeping in minf that SOP is the framework we have 11:02:16 s/minf/mind 11:02:48 David : we should think about policies, other maybe... 11:03:23 Joerg : on hardware security, we talk about SOP. It is with different ways, different browsers. 11:03:43 ... we need to understand how to use the service from different browsers and sessions 11:03:52 jheuer: another real-world fact is multiple browsers and devices 11:04:22 https://v.etherpad.org/p/Hardware_Security 11:04:44 David : we should also have a look at the work that all the people are doing to avoid the SOP 11:04:55 phofmanntsy has joined #hb-secure-services 11:04:58 David : we have time for one more presentation 11:05:14 Joerg and Peter will present use cases 11:05:53 JH: communication path that are guaranteed by hardware (bluetooth) 11:05:58 joerg : two qualities we are using in our use case (1) communications paths available garanteed such as BLE/NFC (2) secure element is secured for execuiton and storage 11:06:07 drogersuk has joined #hb-secure-services 11:06:12 ... other story is where keys are stored etc 11:06:37 joerg : we prototyped digital wallet to allow user to keep everything they need (ticket, key, access control ...) and reuse in any browser 11:07:07 ... can keep state outside the browser, but have to communicate through the browser 11:07:24 .... presents T-Systems 11:08:03 ... want to have a ticket to Vienna, they will give you a bar code or a QR code. There is nothing to replace that, very unsecure. 11:08:43 ... have already integrated lots of keys and access tokens across and have even an interface 11:08:58 ... virtual car key in the user's wallet 11:10:54 ... ticketing is special case, very limited. Public transport organisations in Germany, came together from private side, have contracts since 100 years, can't change that. Need to securely process in the world. Smartcards work, now have done QR codes as SM did not work. 11:11:24 q+ on the business model and deloyment fragmentation for transportation or automotive 11:11:57 ... payment also an issue. Hope for Mastercard or Visa to allow us secure online payment. But there are procedural issues. But instead of having "card not present" we could have nice hardware support 11:12:07 q- 11:12:13 q? 11:12:29 q+ 11:12:59 virginie: take care about implementability. Payment and transportation are different. Payment is with a wallet. Allows a browser to interface with wallet 11:13:13 ... helpful to disfragment the market 11:13:50 ... how to make sure that the 10000k different transportation schemes get some interoperability for the browsers? 11:13:52 virginie asks, how do we make a single, productive interface 11:14:43 jheuer: we need to enable ecosystems; meet industry needs, then see where there's common demand for interfaces 11:15:01 JH: we need to allow proprietary extensions, so that they can interface to the web. We need to talk to those makers of key schemes. They will adopt FIDO because that's the scheme that will always work. 11:15:02 ... start from the verticals 11:15:07 q+ 11:15:13 ack vir 11:15:13 virginie, you wanted to comment on the business model and deloyment fragmentation for transportation or automotive 11:15:55 ack dr 11:15:55 ... but if we don't approach the verticals, they will perhaps go that route. Or have some big internet corps being THE ticket provider for the internet world 11:16:04 Sebastien has joined #hb-secure-services 11:16:37 drogersuk: please beware of card clash... too many cards in one wallet. Challenge for the user. Not having to make a choice. 11:17:05 ... given the prob space here, if choice, what would be the single quick deliverable you would work on 11:17:31 phofmanntsy: couponing and loyalty, for online purchases 11:17:39 Peter: payments and loyality, with secure elements, services applets to make that accessible for online payments 11:18:17 q- 11:18:18 ... authentication, hb-based authentication, keys, one time passwords etc 11:18:41 q+ 11:18:42 .... car keys, ticketing, many different solutions out there. No ticketing on the Web 11:19:24 .... digital commerce cases are low hanging fruit here. 11:19:54 Peter: as long as there is discussion about using native apps, we will have that challenge 11:20:11 q- later 11:20:12 q- 11:20:16 ... standardised scheme could have value for smaller layers 11:21:01 ... big hole in standardisation, ?? 11:21:55 ... gap to native is access to secure element. FirefoxOS had it and was best way to work with cloud etc... 11:22:39 ... have access over multiple platforms and using several different underlying elements 11:23:11 virginie: technical aspect, can you share the implementation architecture? 11:23:18 Peter: can do, 11:23:24 q? 11:23:41 JH: unfortunately did not know that demo slot was still available 11:24:11 virginie: what is common to all the use cases so we can attack it. 11:25:41 == Sebastian presenting == 11:27:06 EID use cases and e-citizenship (shows map) 11:27:08 ...eID use cases in e-citizenship 11:27:50 Sebastien: Motivation to create eID schemes: includes public safety 11:28:11 ... strong authentication, digital services, prevent identity theft. 11:28:24 ... But we have no access to secure element in browser. 11:29:28 ... define and recognize level of assurance. Difference between FIDO and secure element. FIDO is binding to a specific service provider, secure element is not 11:30:06 ... X.509 ID & secure element. Could provide ID & security level. 11:30:53 ... in a secure element, there is always some identity in the secure element that currently is still usable universally 11:31:33 ... most banks and governments agree on secure element as it ties to a key or identity. 11:32:00 ... there is nothing providing consent, so need that and FIDO will not provide it 11:32:38 .... Smartcards and authentication are same level as OTP via mobile phone 11:32:48 ... can be faked quite easily 11:33:18 ... EMV CAP already known attacks, so have to do better 11:34:17 ... ehealth, Servida avoided to put common criteria into regulation because there was no way to connect smartcards through the browser 11:35:11 ... not willing to deploy FIDO at this time, they need to manage user experience. User has same key for different providers. Very difficult to understand for users 11:35:47 .... at broader level only 3 tools? Native apps. PKCS#11, TLS for authentication. 11:36:17 ... Signing hash is not an option, user should sign document 11:37:26 ... for browser makers GSAPI is a nightmare as they will not see what is going through 11:38:12 .... remote middleware that relies on PCSC, but doesn't work on mobile, NP-API is a dead end 11:38:31 .... API as proposed could make sense for Browsers 11:39:32 virginie: in global platform, there is API on web access. Aureilien had mentioned it. This API is now public. 11:40:32 ...virginie discussing the history of APDU access 11:40:51 ... gemalto vision: OMAPI -> APIU-level. Gemalto has promoted APU to W3C, but was rejected. Web Devs don't speak APU 11:41:14 ...group in GlobalPlatform called webAPI - the web version of the OMAPI API is now up and running 11:41:17 q+ 11:41:32 ...this would still be at a lower layer 11:41:44 ...we don't now see W3C at this layer - they are higher up 11:41:54 ... created WebAPI - is like OMAPI for the Web. Is directly implementable now. But not where W3C is. W3C is higher. Lower level is open source browsers accepting contributions 11:42:04 ...the question is how are we going to create the access to a Trusted Execution Environment 11:42:19 ... is TEE and secure element industry should push that. C 11:42:44 Question: is there a liaison between W3C and GP? 11:42:58 Answer: yes there is. Gil Bernabeau is the contact at GP 11:43:00 .... there is a liaison with Global platform. Gilles Bernabeu is the liaison person 11:43:55 Sebastien: FIDO is good because end user can accept or reject. How can we manage other use cases based on that. 11:44:01 the Web API allowing to access to Secure Elelement is under public review here : http://globalplatform.github.io/WebApis-for-SE/doc/. 11:44:20 Your review would be appreciated 11:44:31 q? 11:45:17 paul: transaction confirmation is useful. But there you also need trusted output and trusted input 11:45:48 Sebastien: definitely has to be related to the end user, show document. 11:46:14 PhilHoyer: also from service provider side view, liability 11:47:01 Sebastien: manage lifecycle of FIDO, link to the token. Can be quite easy. But for them it is very difficult to prove that you signed a document 11:47:34 ... common criteria needs WhatYouSeeIsWhatYouSign 11:47:47 RRSAgent: please draft minutes 11:47:47 I have made the request to generate http://www.w3.org/2016/04/26-hb-secure-services-minutes.html rigo 12:00:49 donfel01 has joined #hb-secure-services 12:15:01 klas has joined #hb-secure-services 12:26:39 rigo has joined #hb-secure-services 12:27:49 [resuming from lunch] 12:29:22 phofmanntsy has joined #hb-secure-services 12:29:51 s/@@: Samsung/Habib Virji: Samsung/ 12:30:10 s/@@: Yubico/Klas Lindfors: Yubico/ 12:31:07 Topic: Use cases and demos 12:31:22 Adrian: remote card diagnostics 12:31:30 Aurelien: FIDO U2F 12:31:40 colin has joined #hb-secure-services 12:32:01 virginie: Sharing of common experience from use cases and implementations 12:33:08 Rob has joined #hb-secure-services 12:34:45 wseltzer: Please join the CG: https://www.w3.org/community/hb-secure-services/ 12:34:56 -> https://www.w3.org/community/hb-secure-services/ Hardware Based Secure Services CG 12:36:48 -> https://v.etherpad.org/p/Hardware_Security Etherpad 12:42:24 LJWatson has joined #hb-secure-services 12:42:53 Hello. It seems that those of us dialled in can hear the room, but that you can't hear us. 12:43:50 Dinner location (90% sure): Bleeding Heart Tavern: http://bleedingheart.co.uk/ 12:44:15 Ok. No problem. 12:44:50 I can also hear you but you do not seem to be able to hear me. 12:46:59 scribe: colin 12:47:07 scribenick: colin 12:48:13 Phone bridge lost? 12:49:12 adrian something to provide bridge. for certain browsers. 12:49:47 not only implementation available. 12:49:59 describing cardid/webcard 12:50:52 cannot anticipate all possible protocols 12:52:13 ... idea is for remote diagnostics for cards. 12:53:13 ... cardID provides mechanism to access data in smart cards from your browser. 12:53:27 apologies from scribe. forgot the dots! 12:53:32 hvirji has joined #hb-secure-services 12:54:26 [Adrian demonstrates plugin.cardid.org] 12:54:39 [plugin exchanges APDUs] 12:55:29 adrian multi-application. 12:56:01 ...if no key then cant access 12:56:14 s/adrian multi/adrian: multi/ 12:56:16 ...no concept of privacy protection in card 12:57:07 ... something i just implemented. mapping of use 12:57:52 adrian: this map shows that people are willing to install plugins from random people to run APDUs on their cards! 12:58:06 ... many people 12:58:25 ... just start with something. better than nothing. 12:59:14 ...encouraging to see other initiatives. bridges between webpage and card 12:59:42 ... feel free to visit page. i will provide the link to irc. 12:59:46 q? 12:59:52 ack drogersuk 13:00:30 virginie idea is to enumerate apps in the token and provide secure channel. is that right? 13:00:48 ... so you need keys. 13:01:04 adrian service is useful for card issuer. 13:03:05 virginie thank you Adrian. try to get Leonie Watson audio. success! 13:03:27 leonie sorry cant be there in person. talk about accessibility and security 13:03:50 s/leonie/leonie: / 13:03:57 ...describe couple of situations where they work or dont work together 13:04:31 Adrian has joined #hb-secure-services 13:04:34 ... biometrics wont work f you dont have a retina. also not everyone has fingerprints 13:05:02 Sample plugin code is at https://github.com/cardid/WebCard 13:07:46 [LJWatson describes a challenging experience using NFC payment in the London Tube] 13:08:14 LJWatson: Trust, confidence in the system matter; accessibility matters in security 13:08:45 rob has joined #hb-secure-services 13:09:11 See the conversation about the ARIA role 'password' https://lists.w3.org/Archives/Public/public-web-security/2016Apr/0025.html 13:12:17 colin has joined #hb-secure-services 13:13:21 joerg question. would it be helpful to have tool that allows general communication with devices 13:13:44 ... we are talking about secure communication. 13:14:16 leonie cant hear question 13:16:31 LJWatson: It is helpful to have a device acting as the user's agent, as interface to other devices and systems 13:17:19 Sebastien has joined #hb-secure-services 13:17:35 colin_ has joined #hb-secure-services 13:18:08 virginie: next up in descriptions from implementers, Sebastien 13:19:10 Sebastien: proof of concept implementation 13:19:19 ... browser extension with json array 13:19:52 ... key management 13:19:57 [on-screen diagram] 13:20:28 ... trusted UI 13:20:48 ... service: confirming a transaction with an existing certificate 13:21:53 ... operates in different modes, with different hardware capabilities 13:22:22 virginie: what's in the browser? 13:22:28 Sebastien: just a simple extension with new API 13:22:38 ... browser receives the signed data 13:23:04 ... js:trust.confirm({"op":"the operation to confirm"}} 13:23:27 Paul: how do you explain to the user to difffeerentiate trusted display? 13:23:41 Sebastien: nothing at this point. 13:24:15 ... up to the service provider to determine what they need, based on attestation 13:24:28 ... SE, SE+TEE, TEE, or nothing 13:24:49 ... SE is a FIDO authenticator, has attestation 13:24:54 q? 13:25:29 ... extension + native plugin 13:26:22 jheuer: API looks the same even if some elements aren't present? 13:26:24 Sebastien: Yes 13:26:30 jheuer; I think that's important 13:26:49 ... up to the service provider to see attributes, decide whether to provide servies 13:27:38 Sebastien: passive authentication, active 13:28:42 LJWatson has left #hb-secure-services 13:29:42 virginie: who qualifies the level of secure services? browser, app developer/service provider, certifier? 13:31:34 virginie: next up, FIDO technologies 13:31:38 rigo has joined #hb-secure-services 13:31:58 ... Web Authentication WG launched earlier this year, now building FIDO 2.0 tech into browsers 13:32:18 ... let's see what worked well for them 13:32:33 Aurelien: overview of our architectures 13:32:54 ... use U2F FIDO to authenticate to Google services 13:33:15 ... U2F applet in SE 13:34:13 ... we used websocket channel to communicate between browser and websocket server on android 13:34:21 ... to access SE API 13:35:20 websocket server maps everything to smartcard I/O 13:35:53 no access control so far 13:37:21 PhilHoyer: How do you bind the device? 13:37:34 olivier: we bind to the user 13:38:39 ...listening on a specific port on localhost 13:38:56 s/olivier/aurélien 13:39:15 Adrian: does websocket approach work, or better in browser? 13:39:43 Aurélien, not for all use cases. for authentication you need to be in the browser 13:40:50 .... can access web socket server from outside the browser. We can rely on global platform ACL 13:41:29 ??: no concept limiting the number of authentication requests 13:42:11 Aurélien: yes, no limit. If FIDO, you expect USB token. Waits for that event. You have to mimic that 13:42:20 ... then listening to the event 13:42:22 s/??/Arnold/ 13:44:35 Arnold: many attacks based on repeated requests, e.g. to authenticate, so it's useful to rate-limit 13:45:14 Topic: Technical Requirements 13:45:37 virginie: 2 tasks 1/ Specific services that are in the browser (generic framework to host secure services) 13:46:43 ...2/ small groups discussing user consent and security working on integration and that interface can be plugged on lower level 13:47:19 arnold has joined #hb-secure-services 13:48:09 wseltzer: where does the momentum come from? We need a solid specification that is implementable and testable 13:48:38 ... small groups or more conversational? 13:48:59 Adrian: start with the requirements 13:51:09 rigo: a key requirement from the browsers, no unscoped bearer tokens 13:51:29 ... how do we translate things usable by secure elements, TEEs, to the Web 13:51:37 .... how do we pass messages in the API? 13:51:54 ... if they're unscoped, no browser wants to operate with them 13:52:12 Adrian: Google chrome lets you use USB 13:52:24 Markus: but you don't get full USB access 13:54:06 ... re open-scoped bearer tokens 13:54:17 ... smartcards make assumptions about how they will be used, in what context 13:54:35 ... if we open an API for any app to talk to any smartcard, you're mixing assumptions 13:54:41 ... you'll get catastrophe 13:54:59 ... you can design a new smartcard standard, with a new end-to-end authN protocol on top 13:55:22 ... if that's the only protocol you're allowd to pass to the smartcard 13:55:32 ... then it's only the new smartcards designed safely 13:55:47 screen has joined #hb-secure-services 13:55:49 q+ sebastien, peter, phil 13:55:51 ack Sebastien 13:56:12 Sebastien: you're talking about creating new standards, not talking to existing deployeed cards 13:56:17 Markus: yes 13:56:31 ... it's dangerous to open interfaces to legacy cards 13:56:37 q+ virginie 13:56:39 ack peter 13:56:51 MK: having web talking to EMV smart cards is extremely dangerous 13:57:16 Markus: end-to-end auth to the HSM 13:57:28 Peter: GP secure channel protocols are end-to-end 13:57:32 ... it is not selecting a channel, it is talking through to the other end on the server 13:58:13 Markus: browser must be able to talk only to interfaces designed for it 13:58:18 q+ 13:58:40 ack phil 13:58:43 ... lots of security problems come from combining systems 13:58:45 q+ rigo 13:58:50 q+ Sebastien 13:58:52 q- later 13:59:12 phil: end to end, global platform applet on the security itself. New EMV 13:59:25 MK: still tokenization 13:59:34 Phil: verious ways to do 14:00:13 MK: tokenized protocols (EMV) on top of that you create a nounce that is unique. Still don't have consent, the assurance, etc 14:00:30 ack virginie 14:01:03 virginie: end-to-end solution is secure. There is no value for browser makers to let such a channel happen. Content protection model perhaps 14:01:04 virginie: speaking as Gemalto, an end-to-end solution could be secure; I don't see support from browsers 14:02:14 rigo: don't let perfect be enemy of very good 14:02:48 ... proportionality between security and utility 14:04:20 Markus: the smartcard can talk to the browser a protocol that describes its context 14:05:00 ... wrapped in non-backwards-compatible protocol, so the browser speaks only to hardware designed for it 14:05:10 MK: make sure that the smartcard knows from which context it is contacted, know everything the browser knows. Only talk to new protocols 14:05:25 Klas: some of this sounds like FIDO U2F with origin-bound keys 14:06:08 rigo: Smartcard has a possession element, legally important at least in Europe 14:06:55 Adrian: hard to motivate, since there are no smartcards with that new protocol 14:07:05 Adrian: no smartcard with only new protocol 14:07:24 ... how can we allow people to use documents they already have 14:08:09 Rigo : eIDAS is coming and we may need a new protocol 14:08:14 (rigo, please correct) 14:08:35 wendy : where do we position between the chicken and the egg to have momentum 14:08:45 eIDAS has drawn up a full set of protocols within 2 years. So having a new protocol isn't that impossible 14:09:35 Wendy : how do me choose between supporting legacy smart card and this idea of new smart cards designed for the web 14:10:23 JH: most smartcards are on the same basis. How they do things is very different. If we have only one standard, it may have a bug and fail 14:10:24 Joerg : We need to offer something which is attractive, secured, deployed in a standardized way 14:11:55 Joerg : we need to balance the risk by user consent, authentication features, and provisding a flexible and adaptative solution 14:12:33 markus : dont believe smart card has a bright future, and the underlying problem is no user interface, user need to trust the user interface 14:13:11 MK: underlying prob with smart cards is that they have no UI. At the end I have all my trust in the UI device. Some of the devices rival smartcards security 14:13:41 markus : the secure enclave is a way to bring a new security technology, that is integrated, and starting to provide similar services as smart card 14:13:43 q+ 14:13:47 ... smartphone will be comparable to what smartcards can do. 14:13:50 ack rig 14:13:59 q= 14:14:27 queue= 14:14:33 markus : what are the technical merits of smartphones that can be leveraged by the browser 14:14:43 q? 14:14:48 markus : this is the challenge W3C is facing 14:15:28 MK: question for W3C: what an App can do what the Web can't do. App has access to OS, has appstore, keychain facilities, pin retry counters etc 14:15:29 markus : exemple : secure storage, sandbxing, key storage, key chain facilities, linked to biometry, pin retry counters 14:16:48 virginie: different type of security. trusted execution env. What can the browser leverage the next generation of secure technos 14:17:14 ... what is already in the native space, secure element etc, how to make that available to the Web 14:18:06 adrian : developers need to be responsable for what they are using, you already have native services that are well described with their security merits 14:18:18 Adrian: real competition is native app, agree (enumerates). Devs need to know what they are doing. 14:18:43 adrian : assuming that web dev knows how to take care of the security aspects 14:19:53 rigo : the smart card debated is not the right debate, a smartphone is a smart card, and the possession is the key point that makes the difference 14:20:22 rigo : we need to drive to the secure element some contextual infrmation, so that they can operate, we may design a new smart card for that 14:20:33 rigo : what we want is an interoperability layer 14:21:31 markus : we need to have more information being passed to the user, to get more context (recipient, purpose, amount of transaction, ...) 14:22:16 rigo : you can use the XHTML to do that, you can still have the browser but you will be back to the paper stage, to check everything 14:22:52 markus : we may gave an indicator that the web page was constructed by the browser 14:23:11 phofmanntsy: important native apps and web compete: Why are native apps are winning? They have access to OS and TEE and stuff 14:23:40 peter : all the ressources of the platform used by native applications are not made available to the browser (TEE, ...) 14:23:47 ... browser may invoke native app in payments e.g. but can't really respond itself 14:24:03 peter : this is a good saling point to brwser to compete with native apps 14:24:34 wseltzer: great marketing and technical pitch combine. Web lacks capabilities that people need. Can we bring them to the Web? 14:24:59 ... on trusted UI Web App Sec is considering some visibility response 14:25:24 ... request visibility API .. 14:25:37 MK: typography is a tricky field 14:25:58 wseltzer: was someone shown hte ad, a payment symbol etc... 14:26:47 MK: if smartcard acts like a web server and has a very simple template 14:27:47 virginie: 5 years ago java card 3 framework. Had no attraction .... 14:28:22 virginie : and the industry designed the famous smart card web server in OMA standardization body 14:28:27 JH: can we be better in the browser than in OS? Can check integrity 14:29:00 s/wseltzer: was/wseltzer: see WebAppSec RequestVisibility() API. e.g., was 14:29:01 ... problem occurs once you use special capabilities like UI 14:30:13 ... can switch off the virtual card in isolated env. As soon as procedural information, we are stuck 14:30:30 MK: browser is at merci of OS, mobile OS are different 14:31:25 .... browser does not communicate its OS it is not verified. 14:31:27 q? 14:33:02 q+ 14:34:51 RW: perhaps leverage the lesser functionality of the Web. 14:35:08 MK: privacy preserving attestion 14:35:16 wseltzer: will see more of that 14:36:27 ... perhaps let pass a certain amount of attestions if in need of authenticated communications 14:36:40 RRSAgent, please draft minutes 14:36:40 I have made the request to generate http://www.w3.org/2016/04/26-hb-secure-services-minutes.html rigo 15:03:14 q- 15:11:48 rigo has joined #hb-secure-services 15:13:25 wendy : we have a bunch of use case that may be attractive 15:13:50 .... * secure credential storage, keychains, and protections * attestation * trusted UI * biometry * a strong application security management (access control, digital signature, permissions, ...) 15:14:35 ... is that helpful listing ? is there any other capabilities w ebelieve are critical to native app, to be made available to the web apps ? 15:14:59 PhilH : in the workshop 2 years ago, we see the device communicating with proximity protocols 15:15:13 philP : that was raisong the question of the discovery 15:16:24 s/raisong/raising 15:16:53 philH : it means that there is a notion of human reminding what device was used 15:17:25 philH : this is a package discovery 15:18:08 Arnold Yau : (from samsung) there is the notion of veting/curation of the apps 15:18:39 wendy : a doable forst stpe would be to think of the minimum viable product we could construct ? 15:18:55 s/forst stpe/first step 15:19:22 wendy : we may work on it and make sure we work on security, pricavy and accessibility constraints 15:20:06 markus : web browser to have a decent key exchange protocol to remove passwords 15:20:36 s/web browser/I regret web browser to try 15:20:53 MK: look into protocols like JAKE, patents have expired 15:21:16 markus : there might have ways to include that, but it can may come with some sceurity challenges 15:21:27 s/sceurity /security 15:21:46 wendy : some of those discussions are happening in IETF, for adressing the HTTP layers 15:22:13 markus : this is weird as passwords are in the domain of W3C 15:24:35 q? 15:27:00 MK: all OS have keychains, browser could provide interface. But probably needs POSIX spec for keychains 15:32:05 => Virginie filtering actual suggestions on the chart 15:34:04 PhilH: continuous authentication support, risk assessment feedback mechanism 15:36:27 rigo: which information can be transported from web-hardware and hardware-web 15:38:25 a useful document would be to have a list point-by-point of the information that can be carried from the hardware layer in a given use case and what information (e.g. browsing context) should be transported to the smart card layer 15:41:10 I would vote for secure credential storage and attestation. 15:42:33 note : the use cases wiki will have ot be updated 15:42:46 s/ot/to 15:44:52 I lost the phone connection. Is the bridge still active? 15:46:56 transcation confirmation: Online benefit distribution with the Web 15:47:39 what you see what I want to confirm 15:52:48 Nice music, but will the phone bridge be re-activated? 15:52:50 => discussion about attestations 15:54:01 wseltzer: at some point a browser mediated web payment, someone will ask how do we make sure the user had the opportunity to chose the right transaction 15:59:03 rigo: we don't need to repeat the failed digital signature work, that failed because it had no middle ground 16:11:50 RRSAgent, please draft minutes 16:11:50 I have made the request to generate http://www.w3.org/2016/04/26-hb-secure-services-minutes.html rigo 16:20:52 Virginie: we'll work from use cases tomorrow, look at architecture, privacy, security, accessibility requirements 16:21:26 Virginie: I think you're free now 16:21:29 [applause] 16:21:33 RRSAgent, please draft minutes 16:21:33 I have made the request to generate http://www.w3.org/2016/04/26-hb-secure-services-minutes.html rigo 16:21:44 [adjourned; resume at 9local tomorrow] 17:33:21 Zakim has left #hb-secure-services