IRC log of websec on 2016-09-19

Timestamps are in UTC.

12:57:32 [RRSAgent]
RRSAgent has joined #websec
12:57:32 [RRSAgent]
logging to http://www.w3.org/2016/09/19-websec-irc
12:58:41 [weiler]
weiler has joined #websec
12:59:39 [bhill2]
bhill2 has joined #websec
13:00:53 [bhill2]
bhill2 has joined #websec
13:01:06 [bhill2]
present+ bhill2
13:03:33 [tara]
tara has joined #websec
13:11:08 [bhill2]
.
13:11:39 [hadleybeeman]
Present+ hadleybeeman
13:11:59 [tara]
present+ tara
13:12:02 [olivier]
Present+ OlivierThereaux
13:12:10 [bhill2]
TOPIC: Security IG status
13:12:17 [bhill2]
scribenick: bhill2
13:12:40 [bhill2]
vg: this is a place to discuss new topics in security not in other WGs
13:12:58 [bhill2]
... try to have regular calls
13:13:17 [bhill2]
... introduced new topics, new security review process, creating a group of security experts
13:13:19 [sangwhan]
Present+SangwhanMoon
13:13:31 [bhill2]
... not a lot of security experts available to participate at this general level
13:13:48 [bhill2]
... maybe that means that w3c already addresses the specific needs (e.g. with WebAppSec & WebCrypto)
13:14:11 [bhill2]
... but still value in maintaining this group, so having quarterly meetings for people interested
13:14:24 [bhill2]
... summarize work happening in other groups and bring up new topics
13:14:47 [bhill2]
... recent new topics included overlap of security and accessibility
13:15:10 [bhill2]
... how to do security reviews across different w3c deliverables
13:15:25 [bhill2]
... still have the existing self-assessment questionnaire
13:16:13 [bhill2]
... charter about to expire, need to renew or extend
13:16:41 [bhill2]
... have to report the planned destiny of the group to the AC
13:17:22 [bhill2]
... w3c reorganizing; Sam is our contact for the week at least
13:17:42 [bhill2]
... do we need a new chair / co-chair?
13:17:57 [hadleybeeman]
q?
13:18:19 [Kepeng]
Kepeng has joined #websec
13:18:19 [hadleybeeman]
q- chaals
13:19:34 [bhill2]
ryan ware: question about questionnaire
13:19:42 [bhill2]
vg: been around 1 year
13:20:04 [shigeya]
present+ shigeya
13:20:10 [bhill2]
rw: have groups doing the questionnaire found issues?
13:20:29 [bhill2]
vg: some have said it was helpful, others still expect "expert" review
13:21:13 [bhill2]
vg: mikewest has been the primary author, published through the TAG
13:21:37 [bhill2]
mkwst: useful in its current state but either too detailed or not detailed enough
13:21:42 [brunoj]
brunoj has joined #websec
13:21:46 [bhill2]
... in a middle ground where not clear how people should use it
13:21:57 [bhill2]
... PING has been interested in making it more useful
13:22:21 [bhill2]
twhalen: different set of questions for people doing review vs. doing spec authoring
13:22:28 [bhill2]
... we have found it useful
13:22:46 [bhill2]
... have interest in picking it up and working with it
13:22:52 [bhill2]
vg: but privacy related
13:23:09 [bhill2]
twhalen: yes, not general security but privacy specific
13:23:23 [hwlee]
hwlee has joined #websec
13:23:43 [bhill2]
hadleybeeman: TAG would love that, having something to help assist thinking about security and privacy is very useful
13:24:01 [bhill2]
... needs more work and attention, how we use the term privacy depends on the context / content vs. browser
13:25:32 [bhill2]
???: some other IGs are focusing more on gap analysis and spinning off WGs
13:25:47 [schuki]
s/???/olivier
13:25:59 [wseltzer]
present+ wseltzer
13:26:08 [schuki]
present+ schuki
13:26:31 [bhill2]
... doesn't seem to be much of that here: because there isn't a gap or we're not in the right layer
13:26:31 [bhill2]
vg: what I've been trying to do is to connect to new needs from members
13:26:32 [bhill2]
... but not much participation on the list about how to do that
13:26:35 [bhill2]
... major blocker on topics has been lack of contributors
13:26:43 [wseltzer]
rrsagent, make logs public
13:27:37 [bhill2]
... is anyone willing to spend 10 hours maximum working on this questionnaire to improve it
13:29:02 [mkwst]
mkwst has joined #websec
13:29:07 [rrware]
I need to step out for 30 minutes. Be back.
13:29:59 [bhill2]
vg: ongoing activity, feel recharter is more appropriate than extension
13:29:59 [bhill2]
bhill2 has joined #websec
13:37:12 [bhill2]
(my connection is too unreliable to continue scribing, I think, as is my jetlagged brain)
13:37:20 [wseltzer]
drogers: bridging the security research community to W3C
13:38:17 [wseltzer]
[volunteers to work on the Security Questionnaire earlier: rrware, Kepeng, schuki/GSMA ]
13:39:09 [wseltzer]
vg: other ideas we heard, domain security; threat modeling
13:39:56 [hadleybeeman]
drogers: Where is our boundary, re domain/DNS security?
13:40:12 [hadleybeeman]
???: Not sure. Wide range of technologies.
13:40:22 [hadleybeeman]
drogers: misplaced trust in the domain name.
13:40:27 [schuki]
s/???/yoshiro
13:40:41 [hadleybeeman]
virginie: Having a focused discussion on that during a call would be helpful.
13:41:30 [hadleybeeman]
????: Re threat modelling. Started from the IETF protocols. There were problems in establishing this primary agreement, it was the source of vulnerabilities.
13:41:46 [rrware]
back
13:41:50 [hadleybeeman]
...If we are reviewing specifications, there could be some broader context integrated into the view.
13:42:07 [hadleybeeman]
drogers: Right. Security protocol verification is IETF's.
13:42:30 [hadleybeeman]
????: For W3C context; what the user is presented? What visual marks on the browser might they see?
13:42:45 [hadleybeeman]
drogers: The security model of the web (which isn't written down)
13:42:56 [shigeya]
s/????/kaorumaeda/
13:43:04 [hadleybeeman]
????: Sometimes this isn't standardised. The browser vendors decide for themselves.
13:43:11 [hadleybeeman]
...Something safer
13:43:17 [hadleybeeman]
drogers: there are a lot of academic papers on this
13:43:40 [hadleybeeman]
mikewest: Chrome is going to negative signals of insecurity. You should expect to be secure; we'll tell you if you're not.
13:43:56 [hadleybeeman]
...We'll be affirmatively marking an HTTP page with a password field as BAD.
13:44:18 [hadleybeeman]
...You shouldn't have to detect green (meaning secure); you'll look for red. (Meaning: not)
13:44:39 [hadleybeeman]
virginie: This relates also with what's going on with Permissions. Direct interaction with the user.
13:44:55 [hadleybeeman]
...How do they treat this interaction... how to inject the security balance into this interaction.
13:45:30 [hadleybeeman]
[Discussion about Adrienne Porter-Felt's research. Tech lead for Chrome Security UI]
13:45:56 [hadleybeeman]
drogers: So there is security usability, within the general task of writing down the Web security model
13:46:06 [hadleybeeman]
...Problem: there is no guidance for anybody.
13:46:16 [hadleybeeman]
...We talked about this before, on webplatform.org.
13:46:49 [wseltzer]
q+
13:47:07 [hadleybeeman]
virginie: to sum up... wseltzer, if we were to design a new charter: being the place where you drink tea and talk about security, PLUS being the place where education around vulnerabilities on the open web platform,
13:47:21 [hadleybeeman]
...discussion about usability
13:47:35 [hadleybeeman]
wseltzer: I'll work with W3T to share a proposed draft charter.
13:47:55 [hadleybeeman]
...I think we want to be specific enough to give people the info so they can tell us if they will send people to do the work
13:48:08 [sangwhan]
RRSAgent, draft minutes
13:48:08 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html sangwhan
13:48:19 [sangwhan]
RRSAgent, make minutes public
13:48:19 [RRSAgent]
I'm logging. I don't understand 'make minutes public', sangwhan. Try /msg RRSAgent help
13:48:21 [hadleybeeman]
...With my strategy hat on, it's interesting to hear the ideas about incubating new work. We don't need to be so specific there, but we can say "might include usability, anti-spoofing, etc"
13:48:31 [hadleybeeman]
...Because one of our goals in incubation is to help groups to iterate.
13:48:41 [sangwhan]
RRSAgent, minutes are public
13:48:41 [RRSAgent]
I'm logging. I don't understand 'minutes are public', sangwhan. Try /msg RRSAgent help
13:49:05 [hadleybeeman]
...To do that, we may spawn off some community groups, add use cases to existing community groups. Bring back promising stuff to a WG to standards-track dev with patent policies, etc.
13:49:23 [hadleybeeman]
drogers: is it unusual for IGs to have general presentations on topics of interest?
13:49:36 [hadleybeeman]
wseltzer: No, that's appropriate. Web Payments IG have done some of that.
13:50:23 [hadleybeeman]
hadleybeeman: Can be woolly without some direction.
13:50:45 [hadleybeeman]
drogers: In security, we can be responding to topical issues; working out how we need to respond.
13:50:53 [hadleybeeman]
...Patching specs, new specs, etc.
13:51:24 [hadleybeeman]
virginie: Wendy is going to lead the strategy. Ideas to her.
13:51:41 [hadleybeeman]
jeffjaffe: [Introduces himself]
13:51:50 [hadleybeeman]
...Started a Security Research Group at IBM research in the 1980s
13:52:01 [hadleybeeman]
...Spent a few years running IBM's security and networking business
13:52:16 [hadleybeeman]
...In various other jobs, I keep trying to understand how to make things secure and haven't yet figured it out. But it's important.
13:52:45 [hadleybeeman]
virginie: Re Authentication of individuals... 5-min presentation
13:53:24 [kaorumaeda_]
kaorumaeda_ has joined #websec
13:53:42 [hadleybeeman]
Kepeng: [referencing slides]
13:53:50 [hadleybeeman]
...Real name authentication
13:54:59 [hadleybeeman]
...Security threats in biometric authentication. Inject into the template. During the transmission, it could be lost/stolen
13:55:37 [hadleybeeman]
...We use anti-spoofing detection. This is about making some movements or gestures to avoid a static information. You can move your hands, open/close your mouth, blink your eyes — to prove you're not a picture.
13:56:23 [hadleybeeman]
...In Alibaba, we use fingerprint authentication, face recognition and iris. We have 100 million users. We use for payment, e-government and e-commerce.
13:56:49 [hadleybeeman]
...This is a framework. We have a mobile device side and a server.
13:57:57 [sangwhan]
q+
13:58:01 [hadleybeeman]
...We have process flows. local and remote verification
13:59:57 [hadleybeeman]
...The user can request authentication verification. Goes to the server, and the server asks for a specific kind of biometric info, like a fingerprint.
13:59:57 [hadleybeeman]
...The user can then send it for verification. The server sends back a result.
13:59:58 [hadleybeeman]
virginie: The process flow is implemented in mobile devices and you want to bring it to the web?
13:59:58 [hadleybeeman]
kepeng: yes
13:59:58 [hadleybeeman]
...Work happening at the Internet Finance Authentication Alliance. Related to FIDO.
13:59:58 [hadleybeeman]
...Standardisation opportunities at the W3C for interactions with the browser
14:00:00 [hadleybeeman]
...and which WG? WebAuth? WebSec? Any CGs?
14:00:12 [hadleybeeman]
virginie: any feedback?
14:00:14 [sangwhan]
q?
14:00:15 [Sebastien]
q+
14:00:29 [wseltzer]
q- later
14:00:33 [wseltzer]
ack sangwhan
14:00:41 [sangwhan]
q+
14:00:58 [wseltzer]
q=sangwhan, Sebastien, wseltzer
14:01:06 [wseltzer]
queue=sangwhan, Sebastien, wseltzer
14:02:00 [wseltzer]
ack sangwhan
14:03:14 [wseltzer]
sangwhan: how do you address the problem of coercion for biometrics?
14:03:30 [wseltzer]
... you can't so easily refuse to give up a fingerprint
14:03:40 [wseltzer]
drogers: see also the sleeping parent attack
14:04:09 [keiji]
keiji has joined #websec
14:04:25 [wseltzer]
Sebastien: there's a database in India
14:04:54 [wseltzer]
drogers: does gov give you the database, or API?
14:05:18 [hadleybeeman]
Natasha: That’s no different to coercing someone to give you their password.
14:05:18 [hadleybeeman]
dodgers: like the “sleeping parent” problem in iOS.
14:05:24 [hadleybeeman]
...Citizens register their biometric data, so that’s held in another place. The majority of biometric stuff happening in the GSMA world is not leaving the device
14:05:35 [hadleybeeman]
Hadleybeeman: this would be illegal in European Union countries. It would violate the Data Protection laws.
14:05:55 [hadleybeeman]
wseltzer: This is out of scope for the chartered WebAuth group. This would be a good place to discuss what to do with these ideas.
14:06:21 [hadleybeeman]
drogers: so your questions here are about access to the biometric sensor? So you need an API to the biometric sensor?
14:06:23 [lukasz]
lukasz has joined #websec
14:06:27 [lukasz]
hello!
14:06:34 [hadleybeeman]
virginie: I suggest we put these into discussion for the WebSec IG
14:06:39 [Sebastien]
q-
14:07:16 [Yoshiro]
Yoshiro has joined #websec
14:07:21 [lukasz]
oh hey hadleybeeman
14:08:24 [wseltzer]
q-
14:08:39 [hadleybeeman]
topic: Hardware Based Secure Services CG
14:08:49 [wseltzer]
s/dodgers/drogers/
14:09:08 [hadleybeeman]
natasha: This is different for very large companies, who can have contracts with existing databases.
14:09:08 [hadleybeeman]
virginie: might be different use cases ,depending on the business and the local laws.
14:09:19 [wseltzer]
drogers: [see slides]
14:10:08 [wseltzer]
... HBSS workshop in London, hosted by MoFo, brought in good expertise
14:10:48 [wseltzer]
... since then, group has been working, led by Sebastien
14:11:54 [wseltzer]
http://googleforwork.blogspot.pt/2016/09/pushing-the-boundary-of-Chrome-OS-Security-with-Verified-Access.html
14:12:10 [wseltzer]
mkwst: I'll look into this
14:12:43 [wseltzer]
drogers: there seems to be increasing interest in hardware security; our aim is to identify and prioritize
14:13:29 [wseltzer]
vg: we have some demonstrations
14:13:44 [wseltzer]
... objectives, to discuss next steps for the CG work
14:14:02 [wseltzer]
... CG developed a report explaining use cases: egovernment, ebanking
14:14:14 [wseltzer]
... security sensitive operations, e.g. signing documents
14:14:27 [wseltzer]
... work to describe API for 2 technical features
14:14:50 [wseltzer]
... secure management of credentials for cryptographic operation in hardware-based technology
14:15:07 [wseltzer]
... 2d, secure transaction confirmation
14:15:19 [wseltzer]
... over to you, Sebastien
14:16:03 [Sebastien]
https://rawgit.com/w3c/websec/gh-pages/hbss.html
14:16:26 [wseltzer]
-> https://rawgit.com/w3c/websec/gh-pages/hbss.html CG Report: Hardware Based Secure Services features
14:16:50 [wseltzer]
Sebastien: aim to enable use and management of secure services, hardware-based solution
14:17:46 [wseltzer]
Sebastien: [summarizes report's goals]
14:19:06 [wseltzer]
... question about request validation by the end user
14:19:24 [wseltzer]
... bridge between low-level API and Web
14:20:11 [wseltzer]
... replace management by extensions or Java plugins
14:20:27 [wseltzer]
... for pre-existing keys
14:21:26 [wseltzer]
... Give the end-user enough information to know what they're signing or authorizing, not just a binary blob
14:21:51 [wseltzer]
... Transaction confirmation: give user something readable to understand and accept = user consent
14:22:21 [wseltzer]
... e.g. if end-user is requested to accept a withdrawal from an account
14:22:38 [wseltzer]
... non-repudiation message
14:22:57 [wseltzer]
... sign operation, with non-repudation message and binary data
14:24:17 [wseltzer]
... these need to generate requirements on operating system environment
14:24:34 [wseltzer]
vg: CG goal to make minimal viable product for those APIs
14:24:45 [wseltzer]
... also capture what we can do, don't know how to do.
14:25:24 [wseltzer]
Sebastien: second, key management
14:25:32 [wseltzer]
... classical crypto matters, based in secure element
14:25:56 [wseltzer]
... so it looks like WebCrypto API plus implementation parameter to say whether it's software or hardware
14:26:19 [wseltzer]
vg: this part drafted by Aurelien from Gemalto, who couldn't be here
14:27:20 [wseltzer]
Sebastien: Section 5, implementation requirements
14:27:56 [wseltzer]
vg: report got CG review
14:28:07 [wseltzer]
... about 10 people actively reviewed
14:28:33 [wseltzer]
... goal here to get broader feedback. Is it workable?
14:28:39 [wseltzer]
[coffee break]
14:28:44 [wseltzer]
rrsagent, draft minutes
14:28:44 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html wseltzer
14:28:57 [wseltzer]
[return in 20 min]
14:32:45 [hadleybeeman]
rrsagent, pointer?
14:32:45 [RRSAgent]
See http://www.w3.org/2016/09/19-websec-irc#T14-32-45
14:42:53 [rrware]
rrware has joined #websec
14:48:59 [shigeya]
shigeya has joined #websec
14:50:25 [kaorumaeda]
kaorumaeda has joined #websec
14:51:34 [kaorumaeda_]
kaorumaeda_ has joined #websec
15:06:16 [chaals]
chaals has joined #websec
15:14:31 [Yoshiro]
Yoshiro has joined #websec
15:21:24 [wseltzer]
[returned]
15:21:32 [wseltzer]
[discussion of WebUSB]
15:26:29 [wseltzer]
bhill2: FIDO UAF v1 had a whitelist capability
15:26:54 [wseltzer]
... signing over a DOMString turns out to be really tricky because of fonts, unicode
15:27:02 [wseltzer]
s/whitelist/transaction verification/
15:27:07 [wseltzer]
... then made it a bitmap
15:27:24 [wseltzer]
Sebastien: but accessibility challenges with images
15:27:35 [wseltzer]
bhill2: we had ASCII or image, not unicode
15:27:49 [wseltzer]
JeffH: transaction confirmation is an optional extension in WebAuthn
15:27:59 [wseltzer]
... we changed the confirmation string
15:28:52 [wseltzer]
vg: todo, liaise with WebAuthn
15:29:57 [wseltzer]
Sebastien: back to the issues: attestation retrieval by issuing authority
15:31:09 [wseltzer]
... post-issuance of keys
15:31:13 [wseltzer]
... secure context
15:31:28 [wseltzer]
vg: WebCrypto recently decided to require secure contexts
15:32:01 [wseltzer]
Sebastien: identity attributes
15:32:21 [wseltzer]
vg: for future development
15:32:44 [wseltzer]
drogers: attribute based encryption... it's fairly new, suggest we don't go there now
15:33:50 [wseltzer]
Ketan: don't you need user attributes for individual authentication?
15:33:59 [wseltzer]
... WebAuthn takes care of device authentication
15:34:49 [wseltzer]
vg: Does API require attributes to be usable?
15:35:02 [wseltzer]
Ketan: Gap is to do all the web API requirements at the hardware level
15:37:05 [wseltzer]
... we have webcrypto, what's missing is ability to address a key on a device
15:37:12 [wseltzer]
... as Sebastien pointed out
15:37:21 [wseltzer]
vg: do you need discovery and user interaction?
15:37:36 [wseltzer]
Ketan: you can provide API, or discovery function
15:37:54 [wseltzer]
vg: do you believe it has to have discovery of keys, or of physical devices?
15:38:02 [wseltzer]
Ketan: key-level
15:38:25 [wseltzer]
... user decides which key to use
15:39:01 [wseltzer]
Sebastien: privacy issues pose problem with key discovery at API level
15:39:21 [wseltzer]
... need way to filter
15:39:36 [wseltzer]
... trusted UI presents filtered choice to user
15:42:15 [keiji]
keiji has joined #websec
15:42:16 [wseltzer]
Sebastien: todos, a few typos, implementation security requirements
15:43:14 [wseltzer]
vg: next steps: what to do with this report and demo
15:43:32 [wseltzer]
... we need to talk to UA providers, see their interest in WG creation
15:44:10 [wseltzer]
drogers: we should validate what we've written with those prior comments
15:44:23 [wseltzer]
... ID gaps with WebAuthn
15:45:20 [wseltzer]
... we were asked to draft APIs, provide requirements, demos
15:45:24 [wseltzer]
... you've done a great job
15:45:58 [shigeya]
shigeya has joined #websec
15:46:16 [wseltzer]
vg: next steps: improving, socializing, start drafting WG charter if there's interest
15:46:28 [wseltzer]
drogers: deadline for feedback
15:46:49 [wseltzer]
vg: one month?
15:47:07 [wseltzer]
drogers: give Sebastien another week to finalize and publish report
15:47:16 [wseltzer]
... one month feedback period
15:47:22 [wseltzer]
q+
15:47:38 [wseltzer]
drogers: virginie and I will try to document the feedback
15:47:59 [wseltzer]
... by early Nov
15:48:19 [kaorumaeda_]
present+ Kaoru_Maeda
15:48:21 [wseltzer]
vg: reporting to the CG what's UA reaction to our proposal
15:48:50 [wseltzer]
... I'll give brief report at today's AC meeting
15:51:00 [shigeya]
shigeya has joined #websec
15:52:26 [wseltzer]
wseltzer: the CG should publish Final Specification to lock-in patent commitments
15:52:36 [wseltzer]
... and then go through evaluation with ecosystem
15:52:54 [wseltzer]
drogers: so by December, be ready to go to AC, if that's the conclusion
15:53:48 [wseltzer]
Topic: Wrap-up
15:53:56 [wseltzer]
vg: security jam session Wednesday
15:54:23 [wseltzer]
... status update on W3C work, collect potential new security needs
15:54:43 [wseltzer]
... and I'll give update in AC meeting
15:57:30 [wseltzer]
wseltzer: Thanks Virginie, and also David, Sebastien, Aurelien for working on the CG report
15:57:47 [wseltzer]
schuki: you can also do presentation to IETF SAAG
15:59:08 [wseltzer]
rrsagent, draft minutes
15:59:08 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html wseltzer
15:59:38 [wseltzer]
Topic: Biometric Authentication (return)
16:04:28 [wseltzer]
JeffH: consider the FIDO Alliance's work as a different way to do biometric verification
16:04:39 [wseltzer]
... it's bad for privacy to keep a public database of biometrics
16:04:59 [wseltzer]
bhill2: recent paper showing that 3 photographs were enough to break biometric proof of liveness
16:05:20 [wseltzer]
Sebastien: and yet many countries are using biometrics for ID verification
16:06:38 [wseltzer]
bhill2: one you start shipping biometrics over the wire, you're opening up new attacks
16:07:47 [wseltzer]
s/one/once/
16:08:30 [wseltzer]
marta: more border crossings now using automated gates
16:09:26 [wseltzer]
bhill2: still scale difference from the possibility of a data breach, biometrics aren't secret even if people would like to treat them as secret
16:09:57 [wseltzer]
... not every problem is a good idea to solve
16:11:33 [wseltzer]
bhill2: I'm not saying the problems aren't legitimate; rather, as security experts, we have the responsibility to make sure we're solving them in a good way
16:11:40 [wseltzer]
... not creating privacy/security nuclear waste
16:12:21 [wseltzer]
dsinger: if someone wants to claim "I'm the person whose ID was verified," we might want to find a better way to address
16:12:33 [wseltzer]
kepeng: I agree that the solution raises some privacy issues
16:12:55 [wseltzer]
... password and verification codes also have some flaws
16:13:08 [wseltzer]
... this one is not perfect, but it works in China
16:13:24 [wseltzer]
Ryan: this one is a flaw that we already know is trivially exploitable
16:13:45 [wseltzer]
marta: and if biometric data is stolen, you can't change it
16:14:01 [wseltzer]
JeffH: it's not a secret; we all are sharing our biometric data right here
16:14:15 [wseltzer]
... we need to figure out how to use it in a secure fashion
16:14:27 [wseltzer]
bhill2: we have it because everyone wants to share photos
16:14:38 [wseltzer]
... and on the other side, there's the OPM data breach
16:15:11 [wseltzer]
dsinger: further, photos have data about more than one person; we don't have good handle on the privacy and security issues that raises
16:16:20 [wseltzer]
bruno: linking biometric to "real" identity, what does that mean?
16:17:38 [wseltzer]
... I think this is important work
16:17:58 [Sebastien]
Sebastien has joined #websec
16:18:08 [wseltzer]
Ketan: Why doesn't FIDO do this?
16:18:30 [Sebastien]
(face spoofing: https://www.youtube.com/watch?v=ohmajJTcpNk#t=206)
16:18:31 [wseltzer]
JeffH: it's out of scope. We self-assert all the time; for the vast majority of transactions, that's sufficient
16:19:06 [wseltzer]
Bruno: bank is acting as identity provider
16:20:30 [wseltzer]
JeffH: Kantara initiative has done work on identity proofing
16:21:01 [wseltzer]
dsinger: about singular identity; bank is only confirming that the user of the credit card is the person to whom they issued it
16:21:07 [wseltzer]
... I don't have a singular identity
16:21:25 [wseltzer]
hadleybeeman: that's more complicated when talking about money laundering regulation
16:21:40 [wseltzer]
drogers: preregistration fraud
16:22:02 [wseltzer]
... e.g., someone who lives in a village suddenly gets a passport and doesn't know it, and someone else is traveling on it
16:22:17 [wseltzer]
bhill2: what can we do in W3C? create interesting primitives and let others work with them
16:22:27 [wseltzer]
... e.g. attestable sensors on a device
16:23:18 [wseltzer]
... would let someone else build proof of liveness from two cameras
16:23:48 [wseltzer]
marta: can we standardize what should be forbidden?
16:24:05 [wseltzer]
... to tell people not to do it
16:24:15 [wseltzer]
mkwst: WG note or TAG Finding
16:24:54 [wseltzer]
hadleybeeman: TAG findings need to be based n architecture of the web
16:25:23 [wseltzer]
drogers: one of the strengths of FIDO is that the biometric remains on the device
16:25:50 [wseltzer]
... attestation, we know that the device is happy with the situation, not what the biometric scanned was.
16:26:27 [wseltzer]
bhill2: I'm a FB user, I lost my device, how do I log in? Solution isn't just "take a selfie and send it over the wire"
16:26:37 [wseltzer]
... it's a real use case
16:26:53 [wseltzer]
... putting together measures from attested sensors is a more interesting solution
16:27:26 [wseltzer]
... W3C makes voluntary recommendations, not certification. FIDO certifies, and can say "shalt not"
16:27:43 [wseltzer]
mkwst: data from attested sensors can be biometric too
16:28:14 [wseltzer]
bhill2: hypothetical attested camera wouldn
16:28:24 [wseltzer]
... wouldn't be ok in FIDO
16:29:36 [wseltzer]
JeffH: you get attestation of the device as a public-private key set up at manufacturing time; sign message with the private key, metadata service gives attributes about the authenticator
16:29:40 [wseltzer]
... if you care
16:29:57 [wseltzer]
mkwst: in many cases, you care about continuity, not identity
16:30:16 [wseltzer]
JeffH: WebAuthn (FIDO is only the certification)
16:30:38 [wseltzer]
... registration, create a new public-private key
16:30:45 [wseltzer]
... user verification is local, abstracted away
16:31:13 [wseltzer]
... WebAuthn relying parties don't see the means of local authentication; but keys minted on a per relying party basis
16:31:24 [wseltzer]
vg: there's still work to do
16:31:38 [wseltzer]
... on the security and privacy considerations, and on what the Open Web platform needs
16:31:55 [wseltzer]
bhill2: I share the use case, we'd love to solve it correctly
16:32:19 [wseltzer]
vg: Wednesday's session will be bread
16:32:22 [wseltzer]
s/bread/broad/
16:32:36 [wseltzer]
[adjourned]
16:32:58 [wseltzer]
vg: look for follow-up in WebSec IG and HBSS CG
16:33:04 [wseltzer]
Ketan: follow-up?
16:33:16 [wseltzer]
vg: we'll have some debriefs on HBSS
16:33:22 [wseltzer]
s/[adjourned]//
16:33:30 [wseltzer]
[adjourned]
16:34:06 [wseltzer]
rrsagent, make minutes
16:34:06 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/09/19-websec-minutes.html wseltzer
17:24:25 [kaorumaeda]
kaorumaeda has joined #websec
19:17:56 [bhill2]
bhill2 has joined #websec
19:18:58 [bhill2]
bhill2 has joined #websec
21:00:29 [kaorumaeda]
kaorumaeda has joined #websec
21:48:24 [bhill2]
bhill2 has joined #websec
21:50:09 [bhill2]
bhill2 has joined #websec
21:56:26 [keiji]
keiji has joined #websec
22:26:59 [keiji]
keiji has joined #websec