Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

Brad,
one point that I made at the workshop is that currently centrally issued
eIDs are being used on the web and with web applications.

So it is not that we are talking about introducing something new that
breaks privacy or security; we are already in a world where this happens.

The people in W3C and in the W3 are uniquely positioned as willing experts
in the field to find a solution that is

a) homogenous in the approach and does not mean inexperienced web
developers have to wrestle with Java / ActiveX plugins potentially putting
other web apps accessed by the same browser at risk due to security lapses
in the plugins
b) can actually improve the situation and potentially find a way to
increase privacy and security of the existing solution especially as we
have mindshare of the browser development community

I completely share your view that we need to tackle this issue but is a WG
not exactly the right place to do this?

Philip




From: Brad Hill <hillbrad@fb.com>
To: Lu HongQian Karen <karen.lu@gemalto.com>, GALINDO Virginie
            <Virginie.Galindo@gemalto.com>, "public-webcrypto@w3.org"
            <public-webcrypto@w3.org>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>,
            Wendy Seltzer <wseltzer@w3.org>, Harry Halpin <hhalpin@w3.org>
Date: 29/01/2015 22:52
Subject: Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto
            contribution



I would like to see details of how this kind of API would or could interact
with the Same-Origin model of web security, specifically:

   1. Privacy and tracking.  How does the presence of specific crypto
      elements and discoverable keys which are not Origin-scoped not create
      privacy violations?
   2. Origin security.  How are risks around identification of or
      impersonation of the server-side of a transaction, and potential
      abuse of a globally-scoped key mitigated by this kind of API design?

Without a clear discussion of how this API fits into the existing Web
security and threat model, I think it is inappropriate to proceed.  We
can't just throw away the fundamental security model that billions of users
and deployed applications depend on, and I see no evidence (at least in
these few slides) that such issues have been considered by this proposal.

Brad Hill

From: Lu HongQian Karen <karen.lu@gemalto.com>
Date: Wednesday, January 28, 2015 at 10:01 AM
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>,
"public-webcrypto@w3.org" <public-webcrypto@w3.org>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, Wendy
Seltzer <wseltzer@w3.org>, Harry Halpin <hhalpin@w3.org>
Subject: RE: [W3C Web Crypto WG] Rechartering discussion - Gemalto
contribution
Resent-From: <public-web-security@w3.org>
Resent-Date: Wednesday, January 28, 2015 at 10:04 AM

      Please review Gemalto’s contribution. We welcome your comments.

      Regards,
      Karen

      From: GALINDO Virginie [mailto:Virginie.Galindo@gemalto.com]
      Sent: Wednesday, January 07, 2015 3:48 AM
      To: public-webcrypto@w3.org
      Cc: public-web-security@w3.org; Wendy Seltzer; Harry Halpin
      Subject: [W3C Web Crypto WG] Rechartering discussion

      Dear all,

      Web Crypto WG charter [1] will end by the end of March. We need to
      prepare the next charter of Web Crypto.

      As a reminder, the conversation has started on this page :
      https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter

      Feel free to add your ideas and suggestions on the wiki and/or expose
      your opinion and question on the public-webcrypto@w3.org or
      public-webcrypto-comment@w3.org (for non W3C Web Crypto WG members).

      Regards,
      Virginie

      [1] http://www.w3.org/2011/11/webcryptography-charter.html



      This message and any attachments are intended solely for the
      addressees and may contain confidential information. Any unauthorized
      use or disclosure, either whole or partial, is prohibited.
      E-mails are susceptible to alteration. Our company shall not be
      liable for the message if altered, changed or falsified. If you are
      not the intended recipient of this message, please delete it and
      notify the sender.
      Although all reasonable efforts have been made to keep this
      transmission free from viruses, the sender will not be liable for
      damages caused by a transmitted virus.




------------------------------------------------------------
HID Global GmbH
registered office: 65396 Walluf, Germany
municipal court: Wiesbaden, Germany
commercial register number: HRB 20928
Management board: Denis Hebert, Juergen Schnoebel, Marc Bielmann


Received on Monday, 2 February 2015 15:30:04 UTC