See also: IRC log
<brunoj> hi
<wseltzer> hi brunoj
https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda
<wseltzer> wseltzer: CG is an opportunity to incubate work, to bring drafts and get into more detail of what the web needs to interface with secure services in hardware
<wseltzer> brunoj: important to provide use cases; compare to what is done locally
<wseltzer> ... provide security to a wider range of web users
<wseltzer> virginie: CG uses public mailing list: public-hb-secure-services@w3.org
<virginie> https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop
<wseltzer> ... wiki ^
<wseltzer> ... that's an outline, please add
<wseltzer> ... technical detail of how services are made available to the browser
<wseltzer> ... technical challenges, e.g. same origin policy
<wseltzer> ... security and privacy considerations
<wseltzer> ... this is a preview list: ready for modification
<scribe> scribe: rigo
<scribe> scribenick: rigo
virginie: how to proceed from here: Issues under Github or should we discuss with Security IG
wseltzer: should use the wiki
... on github
... this is a CG, is under the CG CLA, not under WG process
<brunoj> it is possible to edit and to create wiki pages
CLA https://www.w3.org/community/about/agreements/cla/
Presentation by brunoj : https://lists.w3.org/Archives/Public/public-hb-secure-services/2016Apr/att-0009/Hardware_Based_Secure_Services_Community_Group-OT_Position_Paper_def.pdf
<marko> bruno: Use case - cannot sign or decrypt online documents in a web browser. User has to download, sign, upload the document - inconvenient for the user.
<marko> Use case - webmail signing with hardware
brunoj: need to prove that it is possible. Shared at workshop our aims with many participants
... central to provide embedded security
... related to identities (gov, corp)
... want to use CG as a vehicle to push those solutions. First target is to say that those features are legitimate, then prove that it works
... maybe refine the strategy from the 2014 workshop is to avoid objection and go on
... this is what we have in mind
marko: to what extent does that overlap with FIDO or payment
brunoj: authentication is topic in itself
... can be one use case (payment) but not the only one. FIDO is a bit aside
wseltzer: FIDO is one specific model of authentication, has a separation between web API and communications with the authenticator
<virginie> note : web authentication activity can be followed under https://github.com/w3c/webauthn
wseltzer: payments is specifying payment API, but assume that security for that comes from elsewhere
<virginie> with their main deliverable being https://w3c.github.io/webauthn/
SebastienBahloul: if we know the reason why the former initiatives have failed before
... secure key, secure UI? Or is it only industry failed to demonstrate that next generation middleware can not be done?
... so this is not new
... or communication issue?
<wseltzer> virginie: APDU to WebApp was the wrong level to propose
virginie: Gemalto joined W3C and we discovered the web world and took time to understand the platform. We have been promoting level of service to the OWP. Signing it and send it to secure web app,
... now there is the trusted secure element that forced us to go one level of abstraction upwards
<wseltzer> ... we needed to propose service functions, at the right level of abstraction for TEE, secure element
virginie: now we have the right level of proposals, use cases, including citizenID and ??
... seems that citizenID has no market, browsers don't see value proposition
<marko> Virginie: Gemalto had in mind to standardise APDU sent to secure element - took a year to realise that this was not the right strategy.
virginie: eIDAS is not something that is touching the browser makers
wseltzer: expand on that: as we heard at the workshop couple of years ago. Browsers see themselves as user agent, same origin, isolation, isolation per origin. They look at smartcard based solutions and see privacy issues, not wanting to make statements to the users about security, antecedent from open extensions and APIs
... want a more focused functionality that is in line with browser's security model of the web
... thinking about security, is it with the browser we are interacting or natively with applications, could use a different model for the latter
... interoperability across devices will need to use the browser. So most straightforward way is to accommodate this model and cater to the same origin model
... identity poses challenge there, as the whole govID idea is that it is cross origin. That kind of detail would help us to make a good case
brunoj: regarding the relation to FIDO. FIDO audience is larger. In terms of access focus on corporate
<marko> FIDO audience is larger than secure services in hardware. Not really the same.
<wseltzer> brunoj: corporate identity
<wseltzer> ... different levels of confidence, as well
virginie: my understanding is that corporate ID management is not excluded in FIDO
... corporate ID has no standards
<marko> virginie: FIDO is trying to do standards for corporate ID, so should not address that use case
brunoj: relation to the WGs. want to be clear what is in our scope and what is not. There is a topic on target audience, especially having access to secure element
virginie: use cases: citizen, payment, transportation, credential management
... and what is a secure service. what is the difference to a normal service? different levels? are secure services standard?
... CG should describe the different use cases
SebastienBahloul: ehealth is also on target?
<marko> rigo: FIDO has authentication of devices but not people. eHealth has both. Do we do corporate ID? For ATM card, need knowledge and possession, that's the difference.
<marko> Model of knowledge and possession cannot be reproduced in middleware; why eIdas doesn't work on the web
<wseltzer> rigo: get to knowledge+possession on the web, without middleware
<marko> rigo: Can't just do bearer tokens.
<marko> Virginie: how to translate to technical requirements?
<marko> API has to cater to a certain scheme to be useful.
virginie: what do you mean by "scheme"? For me it is a protocols and things that are already defined in standard services
SebastienBahloul: if you're relying on existing standards you can't provide what it needs to satisfy hardware industry and browser
<wseltzer> virginie: Use cases of secure services that can fit into the Open Web Platform
<wseltzer> ... if eIDAS can never fit the OWP, let's not start there
<wseltzer> rigo: we can serve the key functions, even if it's not eIDAS as currently described
<marko> eIDAS based on possession and knowledge. Have to start with terminology, a lot of the terminology is not understandable
virginie: this is really the task of developing our use cases
wseltzer: identity and citizen services are things that keep coming up that people want the web to make better. If we can find components that help this to happen while respecting privacy, then we made a big contribution
<marko> wendy: if we can identify critical components technology is ready to provide to web, we will have made a big contribution. Like having the use case, getting to core elements of what to provide to do that.
wseltzer: what are the core elements we need and which already exist
brunoj: agree with the challenge, I think we have to keep citizenID. It is so specific, not only focus on this topic. There are already deployed solutions (names examples)
<brunoj> belgium eid
<wseltzer> PIV
belgium eid
<wseltzer> Nordic countries, PKI card
<marko> Nordic PKI card hardly be connected to the web. PKI card works in a sandbox, web in another sandbox, no connection between them, that's a problem.
brunoj: there are solutions, need to test and look at feasibility
<marko> wseltzer: Example currently deployed show demand; problems trying to solve; common elements that appear in multiple places - likely to be key features we should try to accommodate
wseltzer: the more we bring them together, the better. We have demand, proposed solutions, now have to see where there are commonalities.
... if we can do them better on the web, we have done a good contribution
<wseltzer> wseltzer: let's gather examples. They show 1. demand, 2. common problems, and 3. common solutions
<virginie> for the scribe : SIA organisation
SebastienBahloul: can take some examples from SIA and look at their solutions for secure identity
<marko> virginie: have to have abstraction layer in our discussions. we don't have to enter into implementation details.
virginie: we need an abstraction layer, not only secure element, but also TEE etc.. Lesson from past 3 years discussion
... each of us should take the action to document one use case.
<marko> Virginie: suggests each participant documents one of the use cases. Provides references, help to figure out exactly what is in each use case.
virginie: something to help figure out what the use case is. Preference on use case?
brunoj: citizenID
... webcrypto would provide a wider range of services and has to be implemented by service providers
virginie: need good contribution on one use case
SebastienBahloul: working on same area as brunoj, but could provide some insight on payment.
virginie: will ask contributors from ?? to work on payments
<marko> Sebastien: comfortable with identity, but may be able to work on payment. Virginie: please work with Bruno on identity
virginie: will work on web crypto
wseltzer: identity is a rich use case. Several people bringing examples could be helpful
... many possible use cases, but should focus on a few now.
<marko> I concur with Wendy: better to focus on a few use cases, will get more traction that way.
wseltzer: will get us the big pictures on who is interested, what are obstacles what is demand, what is commitment ...
... will help us when going WG
... whether it can be generalized
... starting with a few concrete uses will be most productive
<marko> virginie: not standardising, but gathering convincing information for the browsers. agree with Wendy.
virginie: we are preparation work, not standardising a concrete full solution
<marko> Workshop: happening on Tuesday Wednesday 26-27 April.
<wseltzer> https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda
<marko> Would like really open discussion; questions not resolved put back as open questions and move on.
<marko> 20-30 people expected. From web industry.
<marko> From CESG, from vendors.
<wseltzer> virginie: we'll see after the workshop how we operate in the CG, such as bi-weekly calls
<wseltzer> ... we'll de-brief after the workshop
<marko> AOB? No.
<wseltzer> great to hear from you all, thanks!
<virginie> thanks rigo !