-
Notifications
You must be signed in to change notification settings - Fork 22
hardware based secure services : topics for the workshop
This page is gathering the items that the hardware-based secure services community group should address during in a way or in another during the lifetime of the community group. This will guide the conversations during the workshop in London, for which an agenda can be found under https://github.com/w3c/websec/wiki/hb-secure-services-workshop-:-agenda
#0. what is a secure service ? How to define the security of a service ? Is it by some attacks resistance merit ? Do we need different level ? Do we leave that open to the implementers ? Are secure services only standard services ? Can we create an attestation representing the security 'journey' of the service, specially when it combines platform, hardware token, and software pieces ?
secure credential
transaction confirmation
in few words : be able to re-use citizen identity schemes in order to authenticate to government or citizen services.
European reference : eIDAS solution [http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0282+0+DOC+XML+V0//EN]
US reference : PIV [https://en.wikipedia.org/wiki/FIPS_201]
in few words : be able to have web crypto operations running in protected environements.
As Use case of high level access, we have to consider digital signature : Document or transaction
- JavaScript creates hash of the presented document.
- Hash is sent to secure hardware for signature.
- Optionally, hash made on-card
The only existing solutions today are pure local (middleware + heavy client) or pure online (where key material is not under control of the user).
in few words : make sure the envisaged web payment solution, can get benefit of the TEE or SE based payement applications.
in few words : reusing an identity built for mobility, to enter multi-modal services
in few words : using things services for data management Note : sensor API is under development in W3C
in few words : getting rid of password, using 2FA is a possible way to make the web more secure, another track could be to enforce protaction around password management on the web.
#6.bis accessibility considerations Some security measures may not be adapted to people with disabilities (fingerprint, consent tap, ...), interaction might be adapted and/or described (to avoid frictions, bad usage and social pressure).
Workshop report is available : https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/report.html Workshop presentations:https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/Overview.html#schedule
Features to be developped in W3C : https://www.w3.org/Security/wiki/IG/W3C_security_roadmap
Hardware security WG charter presented for W3C review https://w3c.github.io/websec/hasec-charter Result of the review : 24 answers (4 objections, 2 abstains)
Is under public review http://globalplatform.github.io/WebApis-for-SE/doc/.