Last week's meeting: https://www.w3.org/2018/01/30-wpwg-minutes
https://github.com/w3c/webpayments-methods-tokenization/issues/25
https://github.com/w3c/webpayments-methods-tokenization/issues
https://github.com/w3c/webpayments-methods-tokenization/issues/34
<scribe> ACTION: Manash to craft a tokenization response data example
<trackbot> Created ACTION-82 - Craft a tokenization response data example [on Manash Bhattacharjee - due 2018-02-13].
Topic Issue 35
https://github.com/w3c/webpayments-methods-tokenization/issues/35
stpeter: When you have an encryption operation you specify what's required/optional, what's normalized, etc.
IJ: Any good practice to draw upon for how to leverage encryption?
stpeter: Unless we say how we are creating inputs (e.g., with JSON) we won't get consistentcy
https://tools.ietf.org/html/rfc7516
scribe: e.g., you will need
detail like "concat this and this and this..."
... will it be easier to move out of wiki page?
https://w3c.github.io/webpayments-methods-tokenization/index.html
stpeter: I'd be happy to make contributions to a spec
+1
stpeter: I will look around at some specs how to leverage encryption
<scribe> ACTION: stpeter to look for example of leveraging crypto and how to specify inputs, etc.
<trackbot> Created ACTION-83 - Look for example of leveraging crypto and how to specify inputs, etc. [on Peter Saint-Andre - due 2018-02-13].
<scribe> ACTION: Ian to look for example of leveraging crypto and how to specify inputs, etc.
<trackbot> 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs, ijmad).
IJ: Any experimentation with encryption yet?
Manash: Not yet
IJ: Is there encryption of token in Apple Pay ?
Manash: Merchant shares public
key with apple as part of onboarding..when apple pay sends back
credentials they encrypt with the merchant public key
... the proposal that we have here satisfies that.
<scribe> ACTION: Ian to ping Apple about encryption of tokens from Apple Pay
<trackbot> 'Ian' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., IFSF-EFT-WG-Lead, ijacobs, ijmad).
https://github.com/w3c/webpayments-methods-tokenization/issues/36
stpeter: This is typically a big job...you want to be thorough about actors, context, where data flows, interactions, etc.
https://tools.ietf.org/html/rfc6819
scribe: there are frameworks for
doing this sort of analysis
... such as https://www.owasp.org/index.php/Threat_Risk_Modeling
... I've done these before..I could do some high-level work on
this.
... I've put together who the actors are, and possible
threats
... then you can dig down deeper from there
... but even getting actor names and potential hackers and
classes of attacks are useful
IJ: Any work done at EMVCo on this?
Clinton: From an EMVCo we did not discuss at a spec level
IJ: Would threat modeling be useful? Any guidance for managing the relationship?
Clinton: From an EMVCo
perspective, we don't have any representation on the call
today.
... suggest working through Bastien on right path for an
analysis.
Ken: I support this.
... but given challenges in different organizational models not
sure how this would work yet
IJ: I think from w3c perspective would want to do this publicly in this task force; not sure whether that would be palatable.
Ken: I would be happy to work with you on a work product
iJ: +1
stpeter: Is the spec that we're
working on intended to be generalized ?
... or Web interaction model for reusing EMVCo
tokenization
... that will have an impact on the threat modeling
Manash: We are trying to align as
much as possible with the EMVCo tokenization
... I don't think we need to do a threat modeling at this
time.
IJ: I would lean toward designing for the specific; and based on history
Manash: Regarding threat
modeling...we have internally discussed threat modeling...we
are relying on the same concept and W3C is not coming up with
new concepts
... what we need to be comfortable with in terms of risk
perception, is public key encryption
... we need to ensure this aligns with w3c encryption
philosophy
IJ: Does it raise new issues to move from closed systems to open?
<clintonrallen> +q
Manash: We are using things that
others have already deployed (in native wallets) so i think
it's been road-tested
... though we are trying to replicate env. in standard way, we
are modeling on existing market solutions
clintonrallen: Regarding threat
models ... within EMVCo the tokenization spec is a framework
and doesn't really have a lot of guidance on the security
aspects
... my suggestion is that the W3C participants should guide
efforts regarding security aspects of w3c tokenization
IJ: I am inclined to at least broach the threat model topic to confirm Manash's hypothesis
stpeter: I'm sure that people
involved have done good work, but that to me is not 100%
convincing
... we are introducing software into new kind of environment
(e.g., web is open compared to other platforms)
... might be helpful to have an independent look at this
... if we think that there might be some areas to at least call
out in a security considerations section
IJ: Any security considerations portions of EMVCo specs? We could start there.
Ken: I hear Peter's point ... and
yet from a brand perspective it may not be appealing to go back
and do an analysis.
... I'd be supportive a 1-pager and happy to review it.
https://www.iso.org/standard/68669.html
https://w3c.github.io/webpayments/proposals/charter-2017
IJ: Let's take offline next steps of threat modeling
stpeter: +1
<clintonrallen> +q
13 February