DRAFT
Hardware Security (HaSec) Working Group Charter
The mission of the Hardware Security Working Group, part of the Security Activity, is to define a set of Hardware-Based Web Security standard services providing Web Applications usage of secure services enabled by hardware modules (TEE, secure elements, and other secure enablers).
| End date | 31 December 2016 |
|---|---|
| Confidentiality | Proceedings are Public. |
| Initial Chairs |
|
| Initial Team Contacts (FTE %: 20) |
Rigo Wenning |
| Usual Meeting Schedule | Teleconferences: Teleconferences to be held as required.
Task Forces may have separate calls that will not overlap with
others. Face-to-face: Up to 3 per year as required |
Goals
The Hardware-Based Web Security Working Group will develop recommendation-track documents that define a standard to provide secure services for high security Web applications.
There are a number of use cases that this standard will enable, including but not limited to the ability to encrypt and to decrypt data using hardware based encryption modules, the ability to manage credential information for hardware based security modules, and the ability to access specific security sensitive services offered by hardware tokens. Such security sensitive services may include:
- Payments – transaction authorization
- Identity verification
Scope
The Working Group will collect relevant use cases the open web platform should address, identify technical gaps and determine use cases that the standard needs to support. The Working Group will use these to derive requirements and a possible architecture for interaction between user agent and hardware based modules. One or several recommendations will be developed, based on those requirements.
Specification features shall be derived from requirements driven by concrete use-cases. Success will be determined by the implementation of features as defined by the recommendations. Features that are not implemented due to time constraints can be put in a non-normative "roadmap" document for future work.
Example features in scope for use-cases include: attesting the presence of hardware module, enabling secure environment execution for Javascript, using specific services enabled in hardware module, hardware-based key usage, and cryptographic primitives.
The HaSec Working Group will produce specifications that target a wide deployment. To do so, the Group should adopt, refine and when needed, extend, existing practices and community-driven draft specifications. Specifications should integrate well with Web Applications, thus be developed in concert with Web Application developers and the Web Application Security and HTML Working Groups.
Success Criteria
If the Working Group successfully identifies at least one candidate protocol or API in this manner, it may suggest a charter for further work in this area.
The Group is successful if the following criteria are met:
- Participation via mailing list subscription and postings from people representing various stakeholder communities, including banks, payment industry, various legal and regulatory bodies with mandates that are related to authentication, authorization and secure transmission, hardware and software developers, mobile operator companies, browser vendors and developers of secure applications
- Discussion of requirements and use cases and elaboration of a NOTE on use cases and requirements for hardware based security on the Web
- Successfully engage and coordinate with Groups working on Web Applications and their components as well as with other Security Groups within W3C and beyond
- Engage a dialog with the governmental identity systems that require a higher level of security
Deliverables
Recommendation-Track Deliverables
The working group will deliver at least the following:
- Use-Case Document: This use-case document will define a finite set of use-cases for secure execution environments and hardware token, accessed by Web applications, and recommend/discuss how user agent and hardware module should interact, taking into account the SOP and access control aspects.
- Hardware-Based Web Security Standard Services: Commonly-used services such as cryptographic services, payment and legal identity based on hardware module should be made available to Web application developers via a set of standards to facilitate the operations detailed in the use case document.
A specification should make commonly-used cryptographic primitives using hardware-based security module available to Web application developers to facilitate the operations detailed in the use case document. This work should leverage on works already been discussed in the W3C Web Cryptography WG, WebApps WG, HTML WG, and IETF Web Security WG. The Specification on Hardware-Based Web Security Standard Services should take advantage of existing platform and operating-system cryptography libraries.
The specifications must contain a section detailing any known security implications for implementers, Web authors, and end users. The Hardware-Based Web Security WG will actively seek an open security review.
Other Deliverables
The Working group will deliver at least the following non-normative documents:
- Test suite for the Hardware-Based Web Security specification;
- Primer or Best Practice documents to support web developers when designing applications dealing with the Hardware-Based Web Security specification
Dependencies and Liaisons
Internal liaisons
- HTML Working Group
- Web Applications Working Group
- Web Crypto Working Group
External liaisons
There are a number of external groups working in areas related to the ones in scope for the HaSec WG. The Working Group should determine whom to communicate with and then maintain communication with them. The following groups are likely to be important:
- Fast Identity Online (FIDO)
- Trusted Computing Group (TCG)
- GlobalPlatform
- European Telecommunications Standards Institute (ETSI)
Participation
Participation is open to W3C Members and invited experts.
In order to make rapid progress, the group MAY form several Task Forces (TFs), each working on a separate topic. Group members are free to join any number of TFs.
Participants are reminded of the Good Standing requirements of the W3C Process.
Communication
This group primarily conducts its technical work on the public mailing list at public-webpayments-ig@w3.org (archive). See W3C mailing list and archive usage guidelines. There is also a member-only list to be used for administrative or member-confidential purposes at member-hasec-wg@w3.org (archive).
Information about the group (documents under review, face-to-face meetings, etc.) is available from the Web Hardware Security Working Group home page.
Decision Policy
The group will aim to proceed by consensus.
Where there is consensus among the representatives of W3C members in the group, it will be forwarded as a consensus position. Where the group does not reach agreement, the different positions (whether held by W3C members or other members of the group) will be considered together.
All technical resolutions made by a meeting of the group are provisional until two weeks after being published to the mailing list. An objection made on the mailing list within two weeks of publishing a decision has the same standing as if it were made at the meeting.
Patent Disclosures
The Hardware Security Working Group provides an opportunity to share perspectives on the topic addressed by this charter. W3C reminds Interest Group participants of their obligation to comply with patent disclosure obligations as set out in Section 6 of the W3C Patent Policy. While the Interest Group does not produce Recommendation-track documents, when Interest Group participants review Recommendation-track specifications from Working Groups, the patent disclosure obligations do apply.
For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.
About this Charter
This charter has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
WG Chair: Virginie Galindo (Gemalto) HaSec Team Contact: Rigo Wenning
Copyright© 2015 W3C ® (MIT , ERCIM , Keio, Beihang), All Rights Reserved.
Last update: $Id: 2015-hasec-charter.html,v 1.1 2015/07/08 18:42:49 rigo Exp $