hb-secure-services call
21 Apr 2016


See also: IRC log


Bruno Javary, Sebastien Bahloul, Virginie Galindo, Wendy Seltzer, Mark Orzechowski
Virginie Galindo
Rigo, Wendy, Mark


<brunoj> hi

<wseltzer> hi brunoj


<wseltzer> wseltzer: CG is an opportunity to incubate work, to bring drafts and get into more detail of what the web needs to interface with secure services in hardware

<wseltzer> brunoj: important to provide use cases; compare to what is done locally

<wseltzer> ... provide security to a wider range of web users

CG objective

<wseltzer> virginie: CG uses public mailing list: public-hb-secure-services@w3.org

<virginie> https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop

<wseltzer> ... wiki ^

<wseltzer> ... that's an outline, please add

<wseltzer> ... technical detail of how services are made available to the browser

<wseltzer> ... technical challenges, e.g. same origin policy

<wseltzer> https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop#4-technical-challenges

<wseltzer> ... security and privacy considerations

<wseltzer> ... this is a preview list: ready for modification

<virginie> https://github.com/w3c/websec/wiki/hardware-based-secure-services-:-topics-for-the-workshop#4-technical-challenges

<scribe> scribe: rigo

<scribe> scribenick: rigo

virginie: how to proceed from here: Issues under Github or should we discuss with Security IG

wseltzer: should use the wiki
... on github
... this is a CG, is under the CG CLA, not under WG process

<brunoj> it is possible to edit and to create wiki pages

CLA https://www.w3.org/community/about/agreements/cla/

Presentation by brunoj : https://lists.w3.org/Archives/Public/public-hb-secure-services/2016Apr/att-0009/Hardware_Based_Secure_Services_Community_Group-OT_Position_Paper_def.pdf

<marko> bruno: Use case - cannot sign or decrypt online documents in a web browser. User has to download, sign, upload the document - inconvenient for the user.

<marko> Use case - webmail signing with hardware

brunoj: need to prove that it is possible. Shared at workshop our aims with many participants
... central to provide embedded security
... related to identities (gov, corp)
... want to use CG as a vehicule to push those solution. First target is to say that those features are legitimate, then prove that it works
... maybe refine the strategy from the 2014 workshop is to avoid objection and go on
... this is what we have in mind

marko: to what extend does that overlap with FIDO or payment

brunoj: authentication is topic in itself
... can be one use case (payment) but not the only one. FIDO is a bit aside

wseltzer: FIDO is one specific model of authentication, has a separation between web API and communications with the authenticator

<virginie> note : web authentication activity can be followed under https://github.com/w3c/webauthn

wseltzer: payments is specififying payment API, but assume that security for that comes from elsewhere

<virginie> with their main deliverable being https://w3c.github.io/webauthn/

SebastienBahloul: if we know the reason why the former initiatives have failed before
... secure key, secure UI? Or is it only industry failed to demonstrate that next generation middleware can not be done?
... so this is not new
... or communication issue?

<wseltzer> virginie: APDU to WebApp was the wrong level to propose

virginie: Gemalto joined W3C and we discovered the web world and took time to understand the platform. We have been promoting level of service to the OWP. Signing it and send it to secure web app,
... now there is the trusted secure element that forced us to go one level of abstraction upwards

<wseltzer> ... we needed to propose service functions, at the right level of abstraction for TEE, secure element

virginie: now we have the right level of proposals, use cases, inlcuding citizenID and ??
... seems that citizenID has no market, browsers don't see value proposition

<marko> Virginie: Gemalto had in mind to standardise APDU sent to secure element - took a year to realise that this was not the right strategy.

virginie: eIDAS is not something that is touching the browser makers

wseltzer: expand on that: as we heard at the workshop couple of years ago. Browser see themselves as user agent, same origin, isolation, isolation per origin. They look at smartcard based solutions and see privacy issues, not wanting to make statements to the users about security, antecedent from open extensions and APIs
... want a more focused functionality that is in line with browser's security model of the web
... thinking about security, is it with the browser we are interacting or natively with applications, could use a different model for the latter
... interoperability across devices will need to use the browser. So most straightforward way is to accommodate this model and cater to the samei origin model
... identity poses challenge there, as the whole govID idea is that it is cross origin. That kind of detail would help us to make a good case

brunoj: regarding the relation to FIDO. FIDO audience is larger. In terms of access focus on corporate

<marko> FIDO audience is larger than secure services in hardware. Not really the same.

<wseltzer> brunoj: corporate identity

<wseltzer> ... different levels of confidence, as well

virginie: my understanding is that coporate ID management is not excluded in FIDO
... corporate ID has no standards

<marko> virgine: FIDO is trying to do standards for corporate ID, so should not address that use case

brunoj: relation to the WGs. want to be clear what is in our scope and what is not. There is a topic on target audience, especially having access to secure element

topics for workshop discussion

virginie: use cases: citizen, payment, transportation, credential management
... and what is a secure service. what is the difference to a normal service? different levels? are secure services standard?
... CG shoudl describe teh different use cases

SebastienBahloul: ehealth is also on target?

<marko> rigo: FIDO has authentication of devices but not people. eHealth has both. Do we do corporate ID? For ATM card, need knowledge and possession, that's the difference.

<marko> Model of knowledge and possession cannot be reproduced in middleware; why eIdas doesn't work on the web

<wseltzer> rigo: get to knowledge+possession on the web, without middleware

<marko> rigo: Can't just do bearer tokens.

<marko> Virginie: how to translate to technical requirements?

<marko> API has to cater to a certain scheme to be useful.

virginie: what do you mean by "scheme"? For me it is a protocols and things that are already defined in standard services

SebastienBahloul: if you're relying on existing standards you can't provide what it needs to satisfy hardware industry and browser

<wseltzer> virginie: Use cases of secure services that can fit into the Open Web Platform

<wseltzer> ... if eIDAS can never fit the OWP, let's not start there

<wseltzer> rigo: we can serve the key functions, even if it's not eIDAS as currently described

<marko> eIDAS based on possession and knowledge. Have to start with terminology, a lot of the terminology is not understandable

virginie: this is really the task of developing our use cases

wseltzer: identity and citizen services are things that keep to come up that people want the web to make better. If we can find components that help this to happen while respecting privacy, than we made a big contributions

<marko> wendy: if we can identify critical components technology is ready to provide to web, we will have made a big contribution. Like having the use case, getting to core elements of what to provide to do that.

wseltzer: what are the core elements we need and which already exist already

brunoj: agree with the challenge, I think we have to keep citizenID. It is so specific, not only focus on this topic. There are already deployed solutions (names expamples)

<brunoj> begium eid

<wseltzer> PIV

belgium eid

<wseltzer> Nordic countries, PKI card

<marko> Nordic PKI card hardly be connected to the web. PKI card works in a sandbox, web in another sandbox, no connection between them, that's a problem.

brunoj: there are solutions, need to test and look at feasibility

<marko> wseltzer: Example currently deployed show demand; problems trying to solve; common elements that appear in multiple places - likely to be key features we should try to accommodate

wseltzer: the more we bring them together, the better. We have demand, proposed solutions, now have to see where there are communalities.
... if we can do them better on the web, we have done a good contribution

<wseltzer> wseltzer: let's gather examples. They show 1. demand, 2. common problems, and 3. common solutions

<virginie> for teh scribe : SIA organisation

SebastienBahloul: can take some examples from SIA and look at their solutions for secure identity

<marko> virginie: have to have abstraction layer in our discussions. we don't have to enter into implementation details.

virginie: we need an abstractions layer, not only secure element, but also TEE etc.. Lesson from past 3 years discussion
... each of us should take the action to document one use case.

<marko> Virginie: suggests each participant documents one of the use cases. Provides references, help to figure out exactly what is in each use case.

virginie: something to help figure out what the use case is. Preference on use case?

brunoj: citizenID
... webcyrpto would provide a wider range of services and has to be implemented by service providers

virginie: need good conribution on one use case

SebastienBahloul: working on same area as brunoj, but could provide some insight on payment.

virginie: will ask contributors from ?? to work on payments

<marko> Sebastien: comfortable with identity, but may be able to work on payment. Virginie: please work with Bruno on identity

virginie: will work on web crypto

wseltzer: identity is a rich use case. Several people bringing examples could be helpful
... many possible use cases, but should focus on a few now.

<marko> I concur with Wendy: better to focus on a few use cases, will get more traction that way.

wseltzer: will get us the big pictures on who is interested, what are obstacles what is demand, what is commitment ...
... will help us when going WG
... whether it can be generalized
... starting with a few concrete uses will be most productive

<marko> virginie: not standardising, but gathering convincing information for the browsers. agree with Wendy.

virginie: we are preparation work, not standardising a concrete full solution


<marko> Workshop: happening on Tuesday Wednesday 26-27 April.

<wseltzer> https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda

<marko> Would like really open discussion; questions not resolved put back as open questions and move on.

<marko> 20-30 people expected. From web industry.

<marko> From CESG, from vendors.

Workmode of CG

<wseltzer> virginie: we'll see after the workshop how we operate in the CG, such as bi-weekly calls

<wseltzer> ... we'll de-brief after the workshop

<marko> AOB? No.

<wseltzer> great to hear from you all, thanks!

<virginie> thanks rigo !

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by vi
last update $ID: $