W3C

- DRAFT -

19 Sep 2016

Attendees

Present
bhill2, hadleybeeman, tara, OlivierThereaux, SangwhanMoon, shigeya, wseltzer, schuki, Kaoru_Maeda
Regrets
Chair
Scribe
bhill2

Security IG status

<scribe> scribenick: bhill2

vg: this is a place to discuss new topics in security not in other WGs
... try to have regular calls
... introduced new topics, new security review process, creating a group of security experts
... not a lot of security experts available to participate at this general level
... maybe that means that w3c already addresses the specific needs (e.g. with WebAppSec & WebCrypto)
... but still value in maintaining this group, so having quarterly meetings for people interested
... summarize work happening in other groups and bring up new topics
... recent new topics included overlap of security and accessibility
... how to do security reviews across different w3c deliverables
... still have the existing self-assessment questionnaire
... charter about to expire, need to renew or extend
... have to report the planned destiny of the group to the AC
... w3c reorganizing; Sam is our contact for the week at least
... do we need a new chair / co-chair?

ryan ware: question about questionnaire

vg: been around 1 year

rw: have groups doing the questionnaire found issues?

vg: some have said it was helpful, others still expect "expert" review
... mikewest has been the primary author, published through the TAG

mkwst: useful in its current state but either too detailed or not detailed enough
... in a middle ground where not clear how people should use it
... PING has been interested in making it more useful

twhalen: different set of questions for people doing review vs. doing spec authoring
... we have found it useful
... have interest in picking it up and working with it

vg: but privacy related

twhalen: yes, not general security but privacy specific

hadleybeeman: TAG would love that, having something to help assist thinking about security and privacy is very useful
... needs more work and attention, how we use the term privacy depends on the context / content vs. browser

olivier: some other IGs are focusing more on gap analysis and spinning off WGs
... doesn't seem to be much of that here: because there isn't a gap or we're not in the right layer

vg: what I've been trying to do is to connect to new needs from members
... but not much participation on the list about how to do that
... major blocker on topics has been lack of contributors
... is anyone willing to spend 10 hours maximum working on this questionnaire to improve it

<rrware> I need to step out for 30 minutes. Be back.

vg: ongoing activity, feel recharter is more appropriate than extension

(my connection is too unreliable to continue scribing, I think, as is my jetlagged brain)

<wseltzer> drogers: bridging the security research community to W3C

<wseltzer> [volunteers to work on the Security Questionnaire earlier: rrware, Kepeng, schuki/GSMA ]

<wseltzer> vg: other ideas we heard, domain security; threat modeling

<hadleybeeman> drogers: Where is our boundary, re domain/DNS security?

<hadleybeeman> yoshiro: Not sure. Wide range of technologies.

<hadleybeeman> drogers: misplaced trust in the domain name.

<hadleybeeman> virginie: Having a focused discussion on that during a call would be helpful.

<hadleybeeman> ????: Re threat modelling. Started from the IETF protocols. There were problems in establishing this primary agreement, it was the source of vulnerabilities.

<rrware> back

<hadleybeeman> ...If we are reviewing specifications, there could be some broader context integrated into the view.

<hadleybeeman> drogers: Right. Security protocol verification is IETF's.

<hadleybeeman> kaorumaeda: For W3C context; what the user is presented? What visual marks on the browser might they see?

<hadleybeeman> drogers: The security model of the web (which isn't written down)

<hadleybeeman> ????: Sometimes this isn't standardised. The browser vendors decide for themselves.

<hadleybeeman> ...Something safer

<hadleybeeman> drogers: there are a lot of academic papers on this

<hadleybeeman> mikewest: Chrome is going to negative signals of insecurity. You should expect to be secure; we'll tell you if you're not.

<hadleybeeman> ...We'll be affirmatively marking an HTTP page with a password field as BAD.

<hadleybeeman> ...You shouldn't have to detect green (meaning secure); you'll look for red. (Meaning: not)

<hadleybeeman> virginie: This relates also with what's going on with Permissions. Direct interaction with the user.

<hadleybeeman> ...How do they treat this interaction... how to inject the security balance into this interaction.

<hadleybeeman> [Discussion about Adrienne Porter-Felt's research. Tech lead for Chrome Security UI]

<hadleybeeman> drogers: So there is security usability, within the general task of writing down the Web security model

<hadleybeeman> ...Problem: there is no guidance for anybody.

<hadleybeeman> ...We talked about this before, on webplatform.org.

<hadleybeeman> virginie: to sum up... wseltzer, if we were to design a new charter: being the place where you drink tea and talk about security, PLUS being the place where education around vulnerabilities on the open web platform,

<hadleybeeman> ...discussion about usability

<hadleybeeman> wseltzer: I'll work with W3T to share a proposed draft charter.

<hadleybeeman> ...I think we want to be specific enough to give people the info so they can tell us if they will send people to do the work

<hadleybeeman> ...With my strategy hat on, it's interesting to hear the ideas about incubating new work. We don't need to be so specific there, but we can say "might include usability, anti-spoofing, etc"

<hadleybeeman> ...Because one of our goals in incubation is to help groups to iterate.

<hadleybeeman> ...To do that, we may spawn off some community groups, add use cases to existing community groups. Bring back promising stuff to a WG to standards-track dev with patent policies, etc.

<hadleybeeman> drogers: is it unusual for IGs to have general presentations on topics of interest?

<hadleybeeman> wseltzer: No, that's appropriate. Web Payments IG have done some of that.

<hadleybeeman> hadleybeeman: Can be woolly without some direction.

<hadleybeeman> drogers: In security, we can be responding to topical issues; working out how we need to respond.

<hadleybeeman> ...Patching specs, new specs, etc.

<hadleybeeman> virginie: Wendy is going to lead the strategy. Ideas to her.

<hadleybeeman> jeffjaffe: [Introduces himself]

<hadleybeeman> ...Started a Security Research Group at IBM research in the 1980s

<hadleybeeman> ...Spent a few years running IBM's security and networking business

<hadleybeeman> ...In various other jobs, I keep trying to understand how to make things secure and haven't yet figured it out. But it's important.

<hadleybeeman> virginie: Re Authentication of individuals... 5-min presentation

<hadleybeeman> Kepeng: [referencing slides]

<hadleybeeman> ...Real name authentication

<hadleybeeman> ...Security threats in biometric authentication. Inject into the template. During the transmission, it could be lost/stolen

<hadleybeeman> ...We use anti-spoofing detection. This is about making some movements or gestures to avoid a static information. You can move your hands, open/close your mouth, blink your eyes — to prove you're not a picture.

<hadleybeeman> ...In Alibaba, we use fingerprint authentication, face recognition and iris. We have 100 million users. We use for payment, e-government and e-commerce.

<hadleybeeman> ...This is a framework. We have a mobile device side and a server.

<hadleybeeman> ...We have process flows. local and remote verification

<hadleybeeman> ...The user can request authentication verification. Goes to the server, and the server asks for a specific kind of biometric info, like a fingerprint.

<hadleybeeman> ...The user can then send it for verification. The server sends back a result.

<hadleybeeman> virginie: The process flow is implemented in mobile devices and you want to bring it to the web?

<hadleybeeman> kepeng: yes

<hadleybeeman> ...Work happening at the Internet Finance Authentication Alliance. Related to FIDO.

<hadleybeeman> ...Standardisation opportunities at the W3C for interactions with the browser

<hadleybeeman> ...and which WG? WebAuth? WebSec? Any CGs?

<hadleybeeman> virginie: any feedback?

<wseltzer> sangwhan: how do you address the problem of coercion for biometrics?

<wseltzer> ... you can't so easily refuse to give up a fingerprint

<wseltzer> drogers: see also the sleeping parent attack

<wseltzer> Sebastien: there's a database in India

<wseltzer> drogers: does gov give you the database, or API?

<hadleybeeman> Natasha: That’s no different to coercing someone to give you their password.

<hadleybeeman> drogers: like the “sleeping parent” problem in iOS.

<hadleybeeman> ...Citizens register their biometric data, so that’s held in another place. The majority of biometric stuff happening in the GSMA world is not leaving the device

<hadleybeeman> Hadleybeeman: this would be illegal in European Union countries. It would violate the Data Protection laws.

<hadleybeeman> wseltzer: This is out of scope for the chartered WebAuth group. This would be a good place to discuss what to do with these ideas.

<hadleybeeman> drogers: so your questions here are about access to the biometric sensor? So you need an API to the biometric sensor?

<lukasz> hello!

<hadleybeeman> virginie: I suggest we put these into discussion for the WebSec IG

<lukasz> oh hey hadleybeeman

Hardware Based Secure Services CG

<hadleybeeman> natasha: This is different for very large companies, who can have contracts with existing databases.

<hadleybeeman> virginie: might be different use cases, depending on the business and the local laws.

<wseltzer> drogers: [see slides]

<wseltzer> ... HBSS workshop in London, hosted by MoFo, brought in good expertise

<wseltzer> ... since then, group has been working, led by Sebastien

<wseltzer> http://googleforwork.blogspot.pt/2016/09/pushing-the-boundary-of-Chrome-OS-Security-with-Verified-Access.html

<wseltzer> mkwst: I'll look into this

<wseltzer> drogers: there seems to be increasing interest in hardware security; our aim is to identify and prioritize

<wseltzer> vg: we have some demonstrations

<wseltzer> ... objectives, to discuss next steps for the CG work

<wseltzer> ... CG developed a report explaining use cases: egovernment, ebanking

<wseltzer> ... security sensitive operations, e.g. signing documents

<wseltzer> ... work to describe API for 2 technical features

<wseltzer> ... secure management of credentials for cryptographic operation in hardware-based technology

<wseltzer> ... 2nd, secure transaction confirmation

<wseltzer> ... over to you, Sebastien

<Sebastien> https://rawgit.com/w3c/websec/gh-pages/hbss.html

<wseltzer> CG Report: Hardware Based Secure Services features

<wseltzer> Sebastien: aim to enable use and management of secure services, hardware-based solution

<wseltzer> Sebastien: [summarizes report's goals]

<wseltzer> ... question about request validation by the end user

<wseltzer> ... bridge between low-level API and Web

<wseltzer> ... replace management by extensions or Java plugins

<wseltzer> ... for pre-existing keys

<wseltzer> ... Give the end-user enough information to know what they're signing or authorizing, not just a binary blob

<wseltzer> ... Transaction confirmation: give user something readable to understand and accept = user consent

<wseltzer> ... e.g. if end-user is requested to accept a withdrawal from an account

<wseltzer> ... non-repudiation message

<wseltzer> ... sign operation, with non-repudiation message and binary data

<wseltzer> ... these need to generate requirements on operating system environment

<wseltzer> vg: CG goal to make minimal viable product for those APIs

<wseltzer> ... also capture what we can do, don't know how to do.

<wseltzer> Sebastien: second, key management

<wseltzer> ... classical crypto matters, based in secure element

<wseltzer> ... so it looks like webcrypto API plus implementation parameter to say whether it's software or hardware

<wseltzer> vg: this part drafted by Aurelien from Gemalto, who couldn't be here

<wseltzer> Sebastien: Section 5, implementation requirements

<wseltzer> vg: report got CG review

<wseltzer> ... about 10 people actively reviewed

<wseltzer> ... goal here to get broader feedback. Is it workable?

<wseltzer> [coffee break]

<wseltzer> [return in 20 min]

<wseltzer> [returned]

<wseltzer> [discussion of WebUSB]

<wseltzer> bhill2: FIDO UAF v1 had a transaction verification capability

<wseltzer> ... signing over a DOMstring turns out to be really tricky because of fonts, unicode

<wseltzer> ... then made it a bitmap

<wseltzer> Sebastien: but accessibility challenges with images

<wseltzer> bhill2: we had ASCII or image, not unicode

<wseltzer> JeffH: transaction confirmation is an optional extension in WebAuthn

<wseltzer> ... we changed the confirmation string

<wseltzer> vg: todo, liaise with WebAuthn

<wseltzer> Sebastien: back to the issues: attestation retrieval by issuing authority

<wseltzer> ... post-issuance of keys

<wseltzer> ... secure context

<wseltzer> vg: WebCrypto recently decided to require secure contexts

<wseltzer> Sebastien: identity attributes

<wseltzer> vg: for future development

<wseltzer> drogers: attribute based encryption... it's fairly new, suggest we don't go there now

<wseltzer> Ketan: don't you need user attributes for individual authentication?

<wseltzer> ... WebAuthn takes care of device authentication

<wseltzer> vg: Does API require attributes to be usable?

<wseltzer> Ketan: Gap is to do all the web API requirements at the hardware level

<wseltzer> ... we have webcrypto, what's missing is ability to address a key on a device

<wseltzer> ... as Sebastien pointed out

<wseltzer> vg: do you need discovery and user interaction?

<wseltzer> Ketan: you can provide API, or discovery function

<wseltzer> vg: do you believe it has to have discovery of keys, or of physical devices?

<wseltzer> Ketan: key-level

<wseltzer> ... user decides which key to use

<wseltzer> Sebastien: privacy issues pose problem with key discovery at API level

<wseltzer> ... need way to filter

<wseltzer> ... trusted UI presents filtered choice to user

<wseltzer> Sebastien: todos, a few typos, implementation security requirements

<wseltzer> vg: next steps: what to do with this report and demo

<wseltzer> ... we need to talk to UA providers, see their interest in WG creation

<wseltzer> drogers: we should validate what we've written with those prior comments

<wseltzer> ... ID gaps with WebAuthn

<wseltzer> ... we were asked to draft APIs, provide requirements, demos

<wseltzer> ... you've done a great job

<wseltzer> vg: next steps: improving, socializing, start drafting WG charter if there's interest

<wseltzer> drogers: deadline for feedback

<wseltzer> vg: one month?

<wseltzer> drogers: give Sebastien another week to finalize and publish report

<wseltzer> ... one month feedback period

<wseltzer> drogers: virginie and I will try to document the feedback

<wseltzer> ... by early Nov

<wseltzer> vg: reporting to the CG what's UA reaction to our proposal

<wseltzer> ... I'll give brief report at today's AC meeting

<wseltzer> wseltzer: the CG should publish Final Specification to lock-in patent commitments

<wseltzer> ... and then go through evaluation with ecosystem

<wseltzer> drogers: so by December, be ready to go to AC, if that's the conclusion

Wrap-up

<wseltzer> vg: security jam session Wednesday

<wseltzer> ... status update on W3C work, collect potential new security needs

<wseltzer> ... and I'll give update in AC meeting

<wseltzer> wseltzer: Thanks Virginie, and also David, Sebastien, Aurelien for working on the CG report

<wseltzer> schuki: you can also do presentation to IETF SAAG

Biometric Authentication (return)

<wseltzer> JeffH: consider the FIDO Alliance's work as a different way to do biometric verification

<wseltzer> ... it's bad for privacy to keep a public database of biometrics

<wseltzer> bhill2: recent paper showing that 3 photographs were enough to break biometric proof of liveness

<wseltzer> Sebastien: and yet many countries are using biometrics for ID verification

<wseltzer> bhill2: once you start shipping biometrics over the wire, you're opening up new attacks

<wseltzer> marta: more border crossings now using automated gates

<wseltzer> bhill2: still scale difference from the possibility of a data breach, biometrics aren't secret even if people would like to treat them as secret

<wseltzer> ... not every problem is a good idea to solve

<wseltzer> bhill2: I'm not saying the problems aren't legitimate; rather, as security experts, we have the responsibility to make sure we're solving them in a good way

<wseltzer> ... not creating privacy/security nuclear waste

<wseltzer> dsinger: if someone wants to claim "I'm the person whose ID was verified," we might want to find a better way to address

<wseltzer> kepeng: I agree that the solution raises some privacy issues

<wseltzer> ... password and verification codes also have some flaws

<wseltzer> ... this one is not perfect, but it works in China

<wseltzer> Ryan: this one is a flaw that we already know is trivially exploitable

<wseltzer> marta: and if biometric data is stolen, you can't change it

<wseltzer> JeffH: it's not a secret; we all are sharing our biometric data right here

<wseltzer> ... we need to figure out how to use it in a secure fashion

<wseltzer> bhill2: we have it because everyone wants to share photos

<wseltzer> ... and on the other side, there's the OPM data breach

<wseltzer> dsinger: further, photos have data about more than one person; we don't have good handle on the privacy and security issues that raises

<wseltzer> bruno: linking biometric to "real" identity, what does that mean?

<wseltzer> ... I think this is important work

<wseltzer> Ketan: Why doesn't FIDO do this?

<Sebastien> (face spoofing: https://www.youtube.com/watch?v=ohmajJTcpNk#t=206)

<wseltzer> JeffH: it's out of scope. We self-assert all the time; for the vast majority of transactions, that's sufficient

<wseltzer> Bruno: bank is acting as identity provider

<wseltzer> JeffH: Kantara initiative has done work on identity proofing

<wseltzer> dsinger: about singular identity; bank is only confirming that the user of the credit card is the person to whom they issued it

<wseltzer> ... I don't have a singular identity

<wseltzer> hadleybeeman: that's more complicated when talking about money laundering regulation

<wseltzer> drogers: preregistration fraud

<wseltzer> ... e.g., someone who lives in a village suddenly gets a passport and doesn't know it, and someone else is traveling on it

<wseltzer> bhill2: what can we do in W3C? create interesting primitives and let others work with them

<wseltzer> ... e.g. attestable sensors on a device

<wseltzer> ... would let someone else build proof of liveness from two cameras

<wseltzer> marta: can we standardize what should be forbidden?

<wseltzer> ... to tell people not to do it

<wseltzer> mkwst: WG note or TAG Finding

<wseltzer> hadleybeeman: TAG findings need to be based on architecture of the web

<wseltzer> drogers: one of the strengths of FIDO is that the biometric remains on the device

<wseltzer> ... attestation, we know that the device is happy with the situation, not what the biometric scanned was.

<wseltzer> bhill2: I'm a FB user, I lost my device, how do I log in? Solution isn't just "take a selfie and send it over the wire"

<wseltzer> ... it's a real use case

<wseltzer> ... putting together measures from attested sensors is a more interesting solution

<wseltzer> ... W3C makes voluntary recommendations, not certification. FIDO certifies, and can say "shalt not"

<wseltzer> mkwst: data from attested sensors can be biometric too

<wseltzer> bhill2: hypothetical attested camera wouldn't be ok in FIDO

<wseltzer> JeffH: you get attestation of the device as a public-private key set up at manufacturing time; sign message with the private key, metadata service gives attributes about the authenticator

<wseltzer> ... if you care

<wseltzer> mkwst: in many cases, you care about continuity, not identity

<wseltzer> JeffH: WebAuthn (FIDO is only the certification)

<wseltzer> ... registration, create a new public-private key

<wseltzer> ... user verification is local, abstracted away

<wseltzer> ... WebAuthn relying parties don't see the means of local authentication; but keys minted on a per relying party basis

<wseltzer> vg: there's still work to do

<wseltzer> ... on the security and privacy considerations, and on what the Open Web platform needs

<wseltzer> bhill2: I share the use case, we'd love to solve it correctly

<wseltzer> vg: Wednesday's session will be broad

<wseltzer> vg: look for follow-up in WebSec IG and HBSS CG

<wseltzer> Ketan: follow-up?

<wseltzer> vg: we'll have some debriefs on HBSS

<wseltzer> [adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/09/19 16:34:11 $
