Hardware-Based Secure Services CG, F2F Day 2

27 Apr 2016

See also: IRC log

<rigo> => presentation round

<virginie> All notes and finding from yesterday are here : https://v.etherpad.org/p/Hardware_Security

<virginie> The live minutes of yesterday are available here : https://www.w3.org/2016/04/26-hb-secure-services-minutes.html

<virginie> agenda is here : https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda

<drogersuk> Wendy summarises the main points from the 26th

<drogersuk> A goal for today is to keep going with the work from yesterday and confirm that the use cases and features in etherpad are what we want to do

<drogersuk> ...outlining what these APIs may look like?

<drogersuk> ...how do we build that into the web, what are some of the functions?

<drogersuk> ...privacy and security considerations

<drogersuk> ...importance of accessibility

<drogersuk> ...what other dependencies and interactions we have

<virginie> David : we will have champions for each use case

<virginie> Sébastien contributed some pieces on use cases

<virginie> Don: where is that executed?

<virginie> Sebastien: it's JavaScript, so in the browser, and it will be up to the browser to execute it depending on its implementation

<virginie> Don : the use case I have in mind is the remote entity requesting to sign something, we may pass the data in clear.

<virginie> Paul: there is some effort to do to convince that we can do that, and can we provide the API

<virginie> Paul: when you sign, you might need to give some contextual information to the user.

<virginie> Paul: explaining all the possible WYSIWYS

<virginie> Sebastien: the context and message are going together seems to be a proposal

Peter: Germany digital signature law had certified display component
... can we get there in the browser? or how close?

<rigo> KMS = Key management selection

flipchart image: https://github.com/w3c/websec/blob/gh-pages/transaction_confirmation.jpg

<Sebastien> The WSD of the transaction confirmation / non repudiation use case: https://www.websequencediagrams.com/?lz=dGl0bGUgVHJhbnNhY3Rpb24gY29uZmlybWF0aW9uCgpwYXJ0aWNpcGFudCBFbmQtdXNlciBhcyBFVQAODVNlcnZpY2UgUHJvdmlkAB0GU1AAMQ1Ccm93ADYHQlIASw1UcnVzdGVkICBVSSAoVEUsIE9TIG9yIE1XKSBhcyBUVUkAXA9jdXJlIFN0b3JhZ2UAdQVlciAoZVNFLCBTSU0sIE5GQy9CTEUgU0UgLi4uAD8FU0NTCgpFVS0-U1A6IFJlcXVlc3Qgc2Vuc2l0aXZlIG9wZXIAgWoGU1AtPkJSOiBEZWxpdmVyIHRoZSBIVE1ML0pTIHBhZ2UKQlI[CUT]

<Sebastien> Sorry: the good one: https://www.websequencediagrams.com/?lz=dGl0bGUgVHJhbnNhY3Rpb24gY29uZmlybWF0aW9uCgpwYXJ0aWNpcGFudCBFbmQtdXNlciBhcyBFVQAODVNlcnZpY2UgUHJvdmlkAB0GU1AAMQ1Ccm93ADYHQlIASw1UcnVzdGVkICBVSSAoVEUsIE9TIG9yIE1XKSBhcyBUVUkAXA9jdXJlIFN0b3JhZ2UAdQVlciAoZVNFLCBTSU0sIE5GQy9CTEUgU0UgLi4uAD8FU0NTCgpFVS0-U1A6IFJlcXVlc3Qgc2Vuc2l0aXZlIG9wZXIAgWoGU1AtPkJSOiBEZWxpdmVyIHRoZSBIVE1ML0pTIHBhZ2UKQlIAGwZKUyBjb21wdXQAgiEHYWx0IE5STSBvbmx5IChub24gcm[CUT]

<Sebastien> URL is shortened by the IRC => complete link on etherpad

<ahana> Hi all, been detained by the lurgy so joining late on IRC. Ahana Datta, Security Engineer at the Ministry of Justice

Don: describing the GP TEE, TUI
... high-level user authentication for trusted application
... signed and authorized to run in TEE
... can display PNG image (with restrictions)
... overlaid with plain text
... give it a text string and it overlays
... Displaying confidential information; no input other than 4 buttons
... ok, cancel, next, prev
... you can change the buttons
... everything else is under control of TEE
... trusted app doesn't get to change it

<virginie> Specification can be found under Trusted User Interface API Specification v1.0 | GPD_SPE_020 http://www.globalplatform.org/specificationsdevice.asp

Don: 2d mode of operation is the same as the first, but adds entry field
... expected for PIN entry
... field can be displayed or not (*s)
... 3d mode, same with 2 entry fields, e.g. username pwd
... message boxes under control of TEE as to format
... calling app just gets to insert text
... Next version: TEE can report back whether biometric was provided by user
... return handle which trusted app can use to determine which biometric, i.e., recognizing handle

<rigo> ahana, can I have your email to complete the list of attendees?

<ahana> ahana.datta@digital.justice.gov.uk

Don: currently, pretty simple display, user feedback
... There wasn't a lot of pull for that work
... SPs were using different interface, more like framebuffer
... framebuffer, you have this size screen, you can write to it to display to user
... then using event-driven interface to report, e.g., finger pressed
... GP is now standardizing low-level interface, framebuffer, input event-driven
... If you wanted to put this [previously discussed] app into the TEE
... you'd make it a TA
... get a UUID

<ahana> poor moj

Don: GP will provide APIs; allow adding of APIs that don't break the protection model
... this group could define UUID if it met GP rules

Brian: bridging the gap between the JavaScript and GP

wseltzer: Next, we need to test the plausibility with service providers (the "customers" of the API) and implementors

virginie: Sebastien, are you willing to edit?

Sebastien: yes
... I invite co-editors

wseltzer: do we have volunteers to talk with service providers?

virginie: Gemalto will

brian: If I can get internal agreement at Visa

wseltzer: I'll add some of the questions we want to ask
... and let's get a 1-2 pager for circulation with people who aren't in the room

Secure Credential Storage and Management

<virginie> Note that web crypto API is here : https://www.w3.org/TR/WebCryptoAPI/

<virginie> That API may open the dependency paragraph

<virginie> Rigo: possession and knowledge can be different from an external secure chip and embedded secure chip

Rigo: identity

<virginie> ahana, we are working on https://v.etherpad.org/p/Hardware_Security

<ahana> cheers

<virginie> Rigo: recommends that we stay open enough to be compatible with identity schemes that are not X509 compliant

Don: GP TEE has been avoiding X.509
... public review starting on management framework
... not using any standard certificate structure
... a bit of ASN.1

Paul: if you're storing public-private keypairs with a handle, maybe you don't care about certificate formats

Don: you could use GP standards for provisioning data and keys for SE and TEE
... SE uses methodology, TEE, OS, browser, each use methodology

<ahana> At MoJ, we've begun to use Amazon's KMS for key management and IAM for access

<ahana> https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

[again, most note-taking is at the bottom of the etherpad, https://v.etherpad.org/p/Hardware_Security ]

<virginie> Rigo: expose a case where a key is enriched with metadata such as domains authorized to use it

<virginie> Rigo: the metadata can be updated later

virginie: Revocation?
... both revoking access to a credential, and invalidating the credential

<virginie> https://www.w3.org/TR/WebCryptoAPI/

<virginie> https://www.w3.org/TR/WebCryptoAPI/#algorithm-recommendations

<Sebastien> https://www.w3.org/TR/webcrypto-key-discovery/

<ahana> :D

<donfel01> W3C key discovery : Use of HSM and TEE for stores is mentioned at end of section 1 (2nd last paragraph)

<virginie> https://www.linaro.org/

<Adrian> Open TEE project https://github.com/Open-TEE/project

<drogersuk> Discussion on how to maintain the momentum of the excellent work done over the past two days

<drogersuk> Wendy continues, the CG can have mailing lists, calls, can continue in etherpad if we want too

<drogersuk> ...getting this work done in the web platform needs clear plans, champions etc to move it forward


the mailing list: https://lists.w3.org/Archives/Public/public-hb-secure-services/

<drogersuk> Virginie explains timing aspects

<drogersuk> ...aims to re-write the charter with input from companies that objected

<drogersuk> ...WG creation could theoretically be done by September for TPAC

<drogersuk> ...in Lisbon

<drogersuk> ...if we are a working group, we could meet there

<drogersuk> ...This is not the major reason, but it is a good opportunity to aim for

TPAC, https://www.w3.org/2016/09/TPAC/

<drogersuk> ...conf call to be organised by Virginie for 2/3 weeks

drogersuk: anything we've missed? that we're headed for doom?
... no? good.
... People have asked, where are the browser vendors?
... it's a long plane flight for many, and they had concerns about the scope initially proposed
... as we get tighter scoped, we'll get more interest from those thinking about making patent commitments and implementations

<drogersuk> Wendy thanks everyone for their fantastic input and encourages people to stay involved. Rigo and Wendy are available for any process questions, chairs are available for subject matter questions.

drogersuk: thanks to MoFo for generous hosting

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/04/27 14:54:33 $
