13:18:59 RRSAgent has joined #hb-secure-services
13:18:59 logging to http://www.w3.org/2016/04/21-hb-secure-services-irc
13:19:10 rrsagent, please set logs member
13:19:33 present+ wseltzer, rigo, Bruno, Virginie
13:20:05 Agenda: https://lists.w3.org/Archives/Public/public-hb-secure-services/2016Apr/0005.html
13:21:10 Chair: Virginie
13:21:27 brunoj has joined #hb-secure-services
13:21:33 hi
13:22:16 hi brunoj
13:24:34 agenda+ present the community group objective
13:24:41 agenda+ list the topics we believe we should discuss during the workshop
13:24:48 agenda+ create common understanding of milestones for our deliverables
13:24:57 agenda+ discuss whatever topic you want, related to hardware based secure services
13:25:02 Zakim has joined #hb-secure-services
13:25:12 https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda
13:25:33 present+ sebastian
13:25:50 SebastienBahloul has joined #hb-secure-services
13:25:53 agenda+ CG objective
13:25:53 agenda ?
13:26:00 agenda+ topics for workshop discussion
13:26:03 agenda+ milestones
13:26:05 agenda+ AOB
13:26:17 present+ SebastienBahloul
13:26:28 present- sebastian
13:26:43 agenda?
13:27:24 q+
13:30:05 q-
13:31:11 wseltzer: CG is an opportunity to incubate work, to bring drafts and get into more detail of what the web needs to interface with secure services in hardware
13:31:36 brunoj: important to provide use cases; compare to what is done locally
13:31:45 ... provide security to a wider range of web users
13:31:55 zakim, take up agendum 1
13:31:55 agendum 1. "CG objective" taken up [from wseltzer]
13:32:24 virginie: CG uses public mailing list: public-hb-secure-services@w3.org
13:32:29 https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop
13:32:36 ... wiki ^
13:33:05 ... that's an outline, please add
13:34:00 ... technical detail of how services are made available to the browser
13:34:37 ... technical challenges, e.g. same origin policy
13:34:43 https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop#4-technical-challenges
13:35:28 ... security and privacy considerations
13:36:14 ... this is a preview list: ready for modification
13:36:27 present+ Mark
13:37:43 marko has joined #hb-secure-services
13:38:22 https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop#4-technical-challenges
13:38:38 agenda?
13:41:19 scribe: rigo
13:41:24 scribenick: rigo
13:43:17 virginie: how to proceed from here: Issues under Github or should we discuss with Security IG
13:43:28 wseltzer: should use the wiki
13:43:44 ... on github
13:44:03 RRSAgent, please draft minutes
13:44:03 I have made the request to generate http://www.w3.org/2016/04/21-hb-secure-services-minutes.html rigo
13:44:30 wseltzer: this is a CG, is under the CG CLA, not under WG process
13:44:49 it is possible to edit and to create wiki pages
13:45:46 CLA https://www.w3.org/community/about/agreements/cla/
13:46:39 Presentation by brunoj : https://lists.w3.org/Archives/Public/public-hb-secure-services/2016Apr/att-0009/Hardware_Based_Secure_Services_Community_Group-OT_Position_Paper_def.pdf
13:50:24 Ws has joined #hb-secure-services
13:51:06 Rrsagent, pointer?
13:51:06 See http://www.w3.org/2016/04/21-hb-secure-services-irc#T13-51-06
13:51:33 bruno: Use case - cannot sign or decrypt online documents in a web browser. User has to download, sign, upload the document - inconvenient for the user.
13:53:05 q?
13:54:19 q+
13:55:24 Use case - webmail signing with hardware
13:56:23 q-
13:59:39 brunoj: need to prove that it is possible. Shared at workshop our aims with many participants
14:00:14 ... central to provide embedded security
14:00:27 ... related to identities (gov, corp)
14:01:33 ... want to use CG as a vehicle to push those solutions. First target is to say that those features are legitimate, then prove that it works
14:02:00 ... maybe refine the strategy from the 2014 workshop is to avoid objection and go on
14:02:16 ... this is what we have in mind
14:02:24 q+
14:02:36 q+
14:02:43 marko: to what extent does that overlap with FIDO or payment
14:02:53 brunoj: authentication is topic in itself
14:03:16 ... can be one use case (payment) but not the only one. FIDO is a bit aside
14:03:54 wseltzer: FIDO is one specific model of authentication, has a separation between authentication and ID management
14:04:22 note : web authentication activity can be followed under https://github.com/w3c/webauthn
14:04:39 ... payments is specifying payment API, but assume that security for that comes from elsewhere
14:04:54 with their main deliverable being https://w3c.github.io/webauthn/
14:05:19 s/authentication and ID management/web API and communications with the authenticator/
14:05:40 SebastienBahloul: if we know the reason why the former initiatives have failed before
14:05:40 q+
14:06:24 ... secure key, secure UI? Or is it only industry failed to demonstrate that next generation middleware can not be done?
14:06:32 ... so this is not new
14:06:45 ... or communication issue?
14:07:41 q+
14:07:46 ack SebastienBahloul
14:08:17 virginie: APDU to WebApp was the wrong level to propose
14:08:20 virginie: Gemalto joined W3C and we discovered the web world and took time to understand the platform. We have been promoting level of service to the OWP. Signing it and sending it to secure web app,
14:08:52 ... now there is the trusted secure element that forced us to go one level of abstraction upwards
14:08:59 ... we needed to propose service functions, at the right level of abstraction for TEE, secure element
14:09:20 ack virginie
14:09:27 ... now we have the right level of proposals, use cases, including citizenID and ??
14:09:49 ... seems that citizenID has no market, browsers don't see value proposition
14:10:15 Virginie: Gemalto had in mind to standardise APDU sent to secure element - took a year to realise that this was not the right strategy.
14:10:25 ... eIDAS is not something that is touching the browser makers
14:12:11 wseltzer: expand on that: as we heard at the workshop a couple of years ago. Browsers see themselves as user agent, same origin, isolation, isolation per origin. They look at smartcard based solutions and see privacy issues, not wanting to make statements to the users about security, antecedent from open extensions and APIs
14:12:32 ... want a more focused functionality that is in line with browser's security model of the web
14:13:07 ... thinking about security, is it with the browser we are interacting or natively with applications, could use a different model for the latter
14:13:53 ... interoperability across devices will need to use the browser. So most straightforward way is to accommodate this model and cater to the same origin model
14:15:09 ... identity poses challenge there, as the whole govID idea is that it is cross origin. That kind of detail would help us to make a good case
14:15:34 q?
14:15:41 ack wse
14:17:01 agenda?
14:17:52 brunoj: regarding the relation to FIDO. FIDO audience is larger. In terms of access focus on corporate
14:17:52 FIDO audience is larger than secure services in hardware. Not really the same.
14:18:07 q+
14:18:19 brunoj: corporate identity
14:18:33 ... different levels of confidence, as well
14:19:04 virginie: my understanding is that corporate ID management is not excluded in FIDO
14:19:25 ... corporate ID has no standards
14:20:26 virginie: FIDO is trying to do standards for corporate ID, so should not address that use case
14:20:57 brunoj: relation to the WGs. want to be clear what is in our scope and what is not. There is a topic on target audience, especially having access to secure element
14:21:58 zakim, take up agendum 2
14:21:58 agendum 2. "topics for workshop discussion" taken up [from wseltzer]
14:22:02 virginie: use cases: citizen, payment, transportation, credential management
14:22:39 ... and what is a secure service. what is the difference to a normal service? different levels? are secure services standard?
14:22:50 ... CG should describe the different use cases
14:23:09 SebastienBahloul: ehealth is also on target?
14:23:14 q?
14:24:42 rigo: FIDO has authentication of devices but not people. eHealth has both. Do we do corporate ID? For ATM card, need knowledge and possession, that's the difference.
14:25:22 Model of knowledge and possession cannot be reproduced in middleware; why eIDAS doesn't work on the web
14:25:24 rigo: get to knowledge+possession on the web, without middleware
14:26:59 rigo: Can't just do bearer tokens.
14:27:29 Virginie: how to translate to technical requirements?
14:27:51 API has to cater to a certain scheme to be useful.
14:28:49 virginie: what do you mean by "scheme"? For me it is protocols and things that are already defined in standard services
14:29:42 SebastienBahloul: if you're relying on existing standards you can't provide what it needs to satisfy hardware industry and browser
14:30:14 virginie: Use cases of secure services that can fit into the Open Web Platform
14:30:24 ... if eIDAS can never fit the OWP, let's not start there
14:31:41 rigo: we can serve the key functions, even if it's not eIDAS as currently described
14:32:05 eIDAS based on possession and knowledge. Have to start with terminology, a lot of the terminology is not understandable
14:32:05 q+
14:32:07 ack rigo
14:32:22 virginie: this is really the task of developing our use cases
14:32:39 ack wse
14:32:54 q+
14:33:39 wseltzer: identity and citizen services are things that keep coming up that people want the web to make better. If we can find components that help this to happen while respecting privacy, then we have made a big contribution
14:33:44 wendy: if we can identify critical components technology is ready to provide to web, we will have made a big contribution. Like having the use case, getting to core elements of what to provide to do that.
14:33:57 ... what are the core elements we need and which already exist
14:34:08 q-
14:34:09 q?
14:34:57 q+ virginie, wseltzer
14:35:01 ack brunoj
14:35:08 brunoj: agree with the challenge, I think we have to keep citizenID. It is so specific, not only focus on this topic. There are already deployed solutions (names examples)
14:35:12 ack virginie
14:35:20 belgium eid
14:35:22 ack brunoj
14:35:28 q?
14:35:29 PIV
14:35:31 belgium eid
14:35:54 Nordic countries, PKI card
14:37:16 Nordic PKI card can hardly be connected to the web. PKI card works in a sandbox, web in another sandbox, no connection between them, that's a problem.
14:37:50 brunoj: there are solutions, need to test and look at feasibility
14:38:34 wseltzer: Examples currently deployed show demand; problems trying to solve; common elements that appear in multiple places - likely to be key features we should try to accommodate
14:38:40 wseltzer: the more we bring them together, the better. We have demand, proposed solutions, now have to see where there are commonalities.
14:38:43 q+
14:38:54 Q?
14:38:59 ... if we can do them better on the web, we have done a good contribution
14:39:03 ack wse
14:39:08 ack SebastienBahloul
14:39:23 wseltzer: let's gather examples. They show 1. demand, 2. common problems, and 3. common solutions
14:39:30 for the scribe : SIA organisation
14:39:47 SebastienBahloul: can take some examples from SIA and look at their solutions for secure identity
14:40:39 virginie: have to have abstraction layer in our discussions. we don't have to enter into implementation details.
14:40:44 virginie: we need an abstraction layer, not only secure element, but also TEE etc. Lesson from past 3 years discussion
14:41:00 RRSAgent, please draft minutes
14:41:00 I have made the request to generate http://www.w3.org/2016/04/21-hb-secure-services-minutes.html rigo
14:42:05 virginie: each of us should take the action to document one use case.
14:42:22 Virginie: suggests each participant documents one of the use cases. Provides references, help to figure out exactly what is in each use case.
14:42:27 ... something to help figure out what the use case is. Preference on use case?
14:42:28 q+
14:42:39 brunoj: citizenID
14:43:23 ack brunoj
14:43:48 brunoj: webcrypto would provide a wider range of services and has to be implemented by service providers
14:44:01 virginie: need good contribution on one use case
14:44:45 SebastienBahloul: working on same area as brunoj, but could provide some insight on payment.
14:45:04 virginie: will ask contributors from ?? to work on payments
14:45:05 Sebastien: comfortable with identity, but may be able to work on payment. Virginie: please work with Bruno on identity
14:45:16 q+
14:45:20 ... will work on web crypto
14:45:27 ack wseltzer
14:45:50 wseltzer: identity is a rich use case. Several people bringing examples could be helpful
14:46:05 ... many possible use cases, but should focus on a few now.
14:46:31 I concur with Wendy: better to focus on a few use cases, will get more traction that way.
14:46:39 ... will get us the big picture on who is interested, what are obstacles, what is demand, what is commitment ...
14:46:45 ... will help us when going WG
14:47:04 ... whether it can be generalized
14:47:19 ... starting with a few concrete uses will be most productive
14:47:55 virginie: not standardising, but gathering convincing information for the browsers. agree with Wendy.
14:48:06 virginie: we are preparation work, not standardising a concrete full solution
14:48:45 topic: Workshop
14:48:55 Workshop: happening on Tuesday Wednesday 26-27 April.
14:49:02 https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda
14:49:57 Would like really open discussion; questions not resolved put back as open questions and move on.
14:50:15 20-30 people expected. From web industry.
14:50:17 RRSAgent, please draft minutes
14:50:17 I have made the request to generate http://www.w3.org/2016/04/21-hb-secure-services-minutes.html rigo
14:50:42 From CESG, from vendors.
14:52:11 Topic: Workmode of CG
14:52:28 virginie: we'll see after the workshop how we operate in the CG, such as bi-weekly calls
14:52:34 ... we'll de-brief after the workshop
14:52:40 AOB? No.
14:53:07 great to hear from you all, thanks!
14:53:25 RRSAgent, please draft minutes
14:53:25 I have made the request to generate http://www.w3.org/2016/04/21-hb-secure-services-minutes.html rigo
14:54:29 thanks rigo !
14:54:34 RRSAgent, set log public
14:54:39 RRSAgent, please draft minutes
14:54:39 I have made the request to generate http://www.w3.org/2016/04/21-hb-secure-services-minutes.html rigo
14:54:50 and thanks marko, next time we will rotate the scribing !
14:59:05 rigo, it seems that there are some missing pieces in the minutes
14:59:38 rigo, it seems that I am the stupid person who forgot to reload the minutes
14:59:44 rigo, all is perfect :)
15:05:14 RRSAgent, bye
15:05:14 I see no action items