Re: [jose] Charter Proposal: "Trusted Code" for the Web
Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 17 April 2015 13:58 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64F091B2CF2 for <jose@ietfa.amsl.com>; Fri, 17 Apr 2015 06:58:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_26=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubv08-KbYb-B for <jose@ietfa.amsl.com>; Fri, 17 Apr 2015 06:58:36 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 354BA1A8AAD for <jose@ietf.org>; Fri, 17 Apr 2015 06:58:36 -0700 (PDT)
Received: by wiun10 with SMTP id n10so21448102wiu.1 for <jose@ietf.org>; Fri, 17 Apr 2015 06:58:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=erjEqFz/BCRYEyfcHNhi8f9a93SAUVVHhBdo+jC6sNg=; b=v6KUH4oU4cJlINo7TwKtTx7E5JHzliEeTRg93e3SuoIDCnJsOPzkdCgG5/PqGzfT+T XfoGA1gNO+3+5aVh2TJIae1mgfUZslgxitvLZteq6YrcWysQDSqliGvV9E6X5LNk4iJt pfqlEJeJ4iXjARcFXQIxPKpGL9iyMtftMoLzJ6fHnJEgjTsY972YXROaYsQGZ97nDgda 8jFwd5PMmDpJggDj7gnqTTamiIa3WS8aWWAnZQ0u+YZqoUKPkY2Z4a9+jA9DaZxwhzF8 f8uXEc9Abn7L7CIRbQsN71WFQME1mg71cEu4BU7cA7gCxco0QUhSRSBf1GRxJqWKlnzJ 40fQ==
X-Received: by 10.194.94.164 with SMTP id dd4mr6417090wjb.56.1429279114763; Fri, 17 Apr 2015 06:58:34 -0700 (PDT)
Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id jh1sm2792598wid.9.2015.04.17.06.58.32 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Apr 2015 06:58:33 -0700 (PDT)
Message-ID: <55311181.3020509@gmail.com>
Date: Fri, 17 Apr 2015 15:58:25 +0200
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <550909EF.4040505@gmail.com> <550A6154.9040907@gmail.com> <069401d0626f$55cb1990$01614cb0$@augustcellars.com> <D7634D06-AD85-43D8-9057-3D1FF44098B8@ve7jtb.com> <550BB500.4070505@gmail.com> <550BCCA2.709@gmx.net> <CAF2hCba2JKKv9BLbW3-6eDzRQnfyedoTP=eyQCk4TPs4vGEkVw@mail.gmail.com> <CABzCy2A19QpqAVpOjOWtRAGQQa0juc7t+fzUt58f5LMzsH7cNQ@mail.gmail.com> <552CA77A.8090601@gmail.com> <610CED84-77AB-412B-BB08-8667370BFBBF@gmail.com> <5530A946.8040602@gmail.com> <CAHbuEH6t2B4rbv2WxPxa7BqKW3byoZRK7F+c2v9nGC621nPr3A@mail.gmail.com>
In-Reply-To: <CAHbuEH6t2B4rbv2WxPxa7BqKW3byoZRK7F+c2v9nGC621nPr3A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/3KlG_2L4VVPT2EjzRh9JA9D7iDo>
Cc: Jim Schaad <ietf@augustcellars.com>, Nat Sakimura <sakimura@gmail.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, Samuel Erdtman <samuel@erdtman.se>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Subject: Re: [jose] Charter Proposal: "Trusted Code" for the Web
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2015 13:58:39 -0000
On 2015-04-17 14:59, Kathleen Moriarty wrote: > Anders, > > On Fri, Apr 17, 2015 at 2:33 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: > > On 2015-04-14 15:17, Kathleen Moriarty wrote: > > Kathleen, > > This feature (the ability to communicate to the "native" layer from a Web-page), > is currently used by thousands of different applications including remote diagnostics > by major PC-vendors. > > The browser vendors took the decision to remove support for ActiveX and NPAPI > but never considered a replacement. > > I wouldn't try to mix this with any other "security project" > > SAMC and NEA are IETF working groups, not a little project off somewhere. > NEA is closed, but SACM is accepting proposals for end point assessment. > Your endpoint could be a web server. The work doesn't have to stay in SACM, but I think that's a better starting point. > If you have a proposed solution for this scoped to detection of untrusted code in web transactions, This may sound awfully strange but the proposed scheme doesn't detect untrusted code. It is simply a way to let a locally trusted sub-system talk with (and through), potentially malicious web-code while shielding the platform and user from various attacks. As you may know "Secure AND Convenient Web Payments" have effectively gone *backward* since we began using credit-cards on the Web some 20 years ago. If you do a search you will probably not find a single paper from any major vendors' R&D department dealing with this topic either. It is obviously "The stepchild of the Web" :-) > I'm just saying that it is a better fit than JOSE for that work (which I hope to close soon). That OK, I justed wanted to see if there where any folks out there that also could consider dealing with awkward and "forgotten" problems. > I'm fully aware of the problems with untrusted code, malware, etc. being downloaded to end users > through firewalls, etc. Current solutions are proxy firewalls that block access to domains, URLs, > and IPs that have been found to be problematic (threat discovered). > It would be nice to have something that worked end-to-end. The locally trusted applications and their associates in the other end deal with E2ES but in a completely application-specific manner. This may seem a bit short-sighted but the needs are quite different so it is not possible doing otherwise: A payment protocol shouldn't leak user data to the RP (merchant), while authentication is about establishing an authenticated user ID. Anyway, thanx for the comments! Anders > > See the use cases Samuel shared, especially the last one, but a few of the other ones have enough similarities to SACM for that to be a starting point. I'm specifically avoiding the webcrypto use cases, which may be of more interest to you. > > Kathleen > > because the Web is > pretty unique: Untrusted code is transiently downloaded into the client platform. > > Anders > > > > > Sent from my iPhone > > On Apr 14, 2015, at 1:36 AM, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: > > On 2015-04-14 05:20, Nat Sakimura wrote: > I think this is an interesting idea. > One of the disappointment of webcrypto, if I am not mistaken, is that they confined themselves > too narrowly that it did not define the APIs that can leverage, for example, a secure element. > > > There are many ways of expressing why it didn't work out as anticipated. IMO, if existing > applications had been "decomposed", it had been more obvious that they work because they > don't expose sensitive cryptographic APIs to arbitrary Web code. I.e. there's a reason why > we after 20 years with secure payment cards still can't use them on the Web! > > I'm thinking about a system where locally "Trusted Applications" are "talking" with > untrusted Web pages: > https://cyberphone.github.io/openkeystore/resources/docs/web2native-bridge.pdf > A predecessor is already available in the Chrome browser. > > It turned out that the very same concept could probably also be applied to devices > connected with NFC/Bluetooth: > https://cyberphone.github.io/openkeystore/resources/docs/webnfc--web2device-bridge.pdf > > Anders > > > If a discussion here at IETF would stimulate the discussion there as well, it would benefit the community, IMHO. > > Nat > > 2015-04-11 19:03 GMT+09:00 Samuel Erdtman <samuel@erdtman.se <mailto:samuel@erdtman.se> <mailto:samuel@erdtman.se <mailto:samuel@erdtman.se>>>: > > Hi, > > I think this could be interesting, don´t know if a standards for this should be written under IETF or somewhere else, but I can share a few use cases we have at neXus where we need to use platform specific capabilities. And a bit on how we currently solve it. > > * Smart Card signatures > In e.g bank transactions signatures are desired. We develop a middleware with this support (has been used for the Swedish eID for many years), we have historically created plugins to the comunication between the browser and the middleware. But as NPAPI is going away we have now created a new architecture that relies on server component that makes it possible to open up a communication channel between the browser and the middleware. > > * RFID coding > This is kind of like printing, when creating cards for physical access systems (PACS) some data has to be coded in the card or read from it as it is printed (Mifare Desfire etc.), for this we have a SDK/application that runs locally but the card management system runs in the browser. The communication is currently done with a socket connection to localhost, it works well but has some clear drawbacks e.g. TLS. > > * Signature pad > * Fingerprint recording > * Document scanning > When doing identity management we collect data about the user when enrolling. Once again it is not possible to collect all this data from a browser i.e. we need something running locally, and we need to communicate with it. Currently we do a connection to localhost. > > * End point integrity > We have a client application that is loaded to validate that that platform (OS, antivirus etc.) is updated before allowing the user to connect to the corporate network. And when the user is logged out it helps the user to clean upp downloaded files so that sensitive data gets minimal exposure. (this solution relies on java applet and activeX) > > > This is similar to what NEA and SACM are working on, but their definition of end point is not scoped to just a browser or application. For this interested in this question, please take a look at SACM and proposed solutions can be reviewed there. They have an open call for proposals and recognize that different solutions will be needed depending on re platform being assessed. > > Best regards, > Kathleen > > All of these use cases would benefit form a standardised way of communicating from the web browser (JavaScript) with a locally installed application. > > Best Regards > Samuel Erdtman > > > > > On Fri, Mar 20, 2015 at 8:30 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>> wrote: > > I like the proposal Anders put forward. > Doing some work in the IETF in that area might not be a bad idea to > stimulate discussions. > > Ciao > Hannes > > > On 03/20/2015 06:49 AM, Anders Rundgren wrote: > > On 2015-03-19 19:15, John Bradley wrote: > >> It sounds like WebCrypto or something more related to it. > >> http://www.w3.org/2012/webcrypto/ > > > > I would rather characterize this as the opposite to WebCrypto since the > > referred schemes > > all are based on the idea that "The Web is not enough". > > > > That is, the Web needs (as proven any number of times), to be extended > > with its more > > powerful native/platform companion for a lot of reasons including access > > to platform- > > resident keys as well as breaking away from the crippling SOP notion. > > > > The W3C does not appear to be a suitable home for such an effort, they > > rather prefer > > continuing the so far pretty unsuccessful efforts DUPLICATING the native > > level into > > the Web [1], instead of recognizing the power of COMBINING these worlds. > > > > Cheers, > > Anders > > > > 1] https://lists.w3.org/Archives/Public/public-sysapps/2014Dec/0000.html > > > >> > >> > >>> On Mar 19, 2015, at 3:05 PM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> <mailto:ietf@augustcellars.com <mailto:ietf@augustcellars.com>> > >>> <mailto:ietf@augustcellars.com <mailto:ietf@augustcellars.com> <mailto:ietf@augustcellars.com <mailto:ietf@augustcellars.com>>>> wrote: > >>> > >>> To me this sounds more like a W3C activity than an IETF activity. > >>> Jim > >>> *From:*jose [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org> <mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>>]*On Behalf Of*Anders Rundgren > >>> *Sent:*Wednesday, March 18, 2015 10:41 PM > >>> *To:*jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>> <mailto:jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>>> > >>> *Subject:*[jose] Charter Proposal: "Trusted Code" for the Web > >>> Trusted Code for the Web > >>> > >>> > >>> Existing security-related applications like authentication, payments, > >>> etc. are all based on that a core-part is executed by statically > >>> installed software that is supposed to be TRUSTED. > >>> > >>> Since web-based applications are transiently downloaded, unsigned and > >>> come from any number of more or less unknown sources, such > >>> applications are by definition UNTRUSTED. > >>> > >>> To compensate for this, web-based security applications currently > >>> rely on a hodge-podge of non-standard methods [1] where trusted code > >>> resides (and executes) somewhere outside of the actual web application. > >>> > >>> However, because each browser-vendor have their own idea on what is > >>> secure and useful [2], interoperability has proven to be a major > >>> hassle. In addition, the ongoing quest for locking down browsers (in > >>> order to make them more secure), tends to break applications after > >>> browser updates. > >>> > >>> Although security applications are interesting, they haven't proved > >>> to be a driver. Fortunately it has turned out that the desired > >>> capability ("Trusted Code"), is also used by massively popular music > >>> streaming services, cloud-based storage systems, on-line gaming sites > >>> and open source collaboration networks. > >>> > >>> The goal for the proposed effort would be to define a vendor- and > >>> device-neutral solution for dealing with trusted code on the Web. > >>> > >>> > >>> *References > >>> * > >>> 1] An non-exhaustive list include: > >>> - Custom protocol handlers. Primarily used on Android and iOS. > >>> GitHub also uses it on Windows > >>> - Local web services on 127.0.0.1. Used by lots of services, from > >>> Spotify to digital signatures > >>> - Browser plugins like NPAPI/ActiveX. Used (for example) by millions > >>> of people in Korea for PKI support but is now being deprecated > >>> - Chrome native messaging. Fairly recent solution which enables > >>> Native <=> Web communication > >>> > >>> 2]https://code.google.com/p/chromium/issues/detail?id=378566 > >>> > >>> _______________________________________________ > >>> jose mailing list > >>> jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>> <mailto:jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>>> > >>> https://www.ietf.org/mailman/listinfo/jose > >> > > > > _______________________________________________ > > jose mailing list > > jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>> > > https://www.ietf.org/mailman/listinfo/jose > > > _______________________________________________ > jose mailing list > jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>> > https://www.ietf.org/mailman/listinfo/jose > > > > _______________________________________________ > jose mailing list > jose@ietf.org <mailto:jose@ietf.org> <mailto:jose@ietf.org <mailto:jose@ietf.org>> > https://www.ietf.org/mailman/listinfo/jose > > > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > > _______________________________________________ > jose mailing list > jose@ietf.org <mailto:jose@ietf.org> > https://www.ietf.org/mailman/listinfo/jose > > > > > > -- > > Best regards, > Kathleen
- [jose] Charter Proposal: "Trusted Code" for the W… Anders Rundgren
- Re: [jose] Charter Proposal: "Trusted Code" for t… John Bradley
- Re: [jose] Charter Proposal: "Trusted Code" for t… Jim Schaad
- Re: [jose] Charter Proposal: "Trusted Code" for t… Anders Rundgren
- Re: [jose] Charter Proposal: "Trusted Code" for t… Hannes Tschofenig
- Re: [jose] Charter Proposal: "Trusted Code" for t… Samuel Erdtman
- Re: [jose] Charter Proposal: "Trusted Code" for t… Nat Sakimura
- Re: [jose] Charter Proposal: "Trusted Code" for t… Anders Rundgren
- Re: [jose] Charter Proposal: "Trusted Code" for t… Kathleen Moriarty
- Re: [jose] Charter Proposal: "Trusted Code" for t… Nat Sakimura
- Re: [jose] Charter Proposal: "Trusted Code" for t… Anders Rundgren
- Re: [jose] Charter Proposal: "Trusted Code" for t… Kathleen Moriarty
- Re: [jose] Charter Proposal: "Trusted Code" for t… Anders Rundgren
- [jose] [OT] Presentation about Apache CXF JOSE Im… Sergey Beryozkin