Proposal for the support of connected and proximity crypto HW in browsers
Philip Hoyer – Director Strategic Innovation, January 2015


1 Proposal for the support of connected and proximity crypto HW in browsers
Philip Hoyer – Director Strategic Innovation, January 2015
An ASSA ABLOY Group brand. PROPRIETARY INFORMATION. © 2012 HID Global Corporation. All rights reserved.

2 Consensus of W3C crypto workshop
• Replace passwords as quickly as possible
• Allow web applications in the browser to access an API that would allow proof of possession of keys that are also held on hardware devices
• Giving direct access to the APDU / comms is a bad idea (like giving raw socket access to a web page). One of the main concerns was privacy (being able to track people by tracking IDs or PII on the cards)
• Browser extensions are going away, so there needs to be a solution for using existing credentials
• The level of abstraction is still unclear, but the web app should have access at a level similar to the current Web Crypto API (sign, encrypt, decrypt, etc.)

3 HID proposal
• Requirements:
– Very important to be able to support the millions of centrally issued IDs capable of being used for multiple origins / GlobalPlatform APDU based
– Important to support SOP-based HW tokens – FIDO (also APDU based at the low layer)
– Support for connected (SC, SIM, eSE, smart MicroSD, TEE) security tokens and tokens connected via NFC / BLE
– No APDU-channel-based exposure to the web app
– Web app has access to discover and connect to tokens and to communicate through a high-level API based on WebCrypto
• Support for use cases beyond direct authentication (possession of key)
– Sign, encrypt, potentially store and retrieve secure data, user approval (out of band or approve / deny signing)

4 Proposal – HW token API: three layers
• HW token API – higher-level API (uses Comm API):
– Discovery / connection and listing of known security tokens independent of transport (abstract connected vs NFC / BLE, etc. as much as possible)
– Retrieval of the security capabilities of known security tokens
– Connection API to the security devices at an abstraction level that would then map to the existing W3C Crypto API level (e.g. ability to retrieve a handle to a SubtleCrypto interface from a connected device handle)
• Token API translation layer based on secure JS scripts run in the browser sandbox, retrieved from a central trusted source by identifying the token / application (using answer to reset / AIDs / FIDO attestation certificates …)
– Potentially take as base: http://www.openscdp.org/
• Communication-oriented API, to be able to communicate with the HW token device from the translation script
– Connected tokens – USB, SIMAlliance (SIM, eSE, Smart MicroSD)
– NFC / BLE

5 Architecture

6 Layer diagram

7 To be explored
• Privacy
– Can we restrict which web app has access to which keys / token identifiers, so as not to track users across origins?
– NOTE: some centrally issued cross-origin eIDs already have privacy features (e.g. German eID card, HID Seos card, etc.)
– By scoping the access of the API to the token itself, the browser could prompt the user: "www.acme.com wants to use your 'Smart Card' token" (not ideal)
– Do we propose a CORS-like standard to be put on the tokens / devices?
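The three-layer split from slide 4 and the origin-scoping question from slide 7, as an added sketch that is not part of the original presentation and not any HID, W3C or browser API. The names MockToken, translationScripts and connect, the APDU encoding, the ATR value and the origins are all constructed; the per-key origin list is one assumed reading of a "CORS-like" policy stored on the token.

```javascript
// Added illustration; MockToken, translationScripts and connect are hypothetical names.
const crypto = require("node:crypto");
// Communication layer: a constructed mock token that only understands APDUs.
class MockToken {
  constructor(atr, keys) { this.atr = atr; this.keys = keys; } // keys: id -> {priv, origins}
  transmit(apdu) { // constructed command: INS 0x2A = sign, P1 = key id, then Lc + data
    const key = this.keys[apdu[2]];
    if (apdu[1] !== 0x2a || !key) return Buffer.from([0x6a, 0x88]);
    const sig = crypto.sign(null, apdu.subarray(5, 5 + apdu[4]), key.priv);
    return Buffer.concat([sig, Buffer.from([0x90, 0x00])]);
  }
}
// Translation layer: per-token script, selected by ATR, that turns sign() into APDUs.
const translationScripts = {
  "3b8001": (token) => (keyId, data) => {
    if (data.length > 255) throw new RangeError("short APDU only");
    const head = Buffer.from([0x00, 0x2a, keyId, 0x00, data.length]);
    const rsp = token.transmit(Buffer.concat([head, data]));
    if (rsp.readUInt16BE(rsp.length - 2) !== 0x9000) throw new Error("token error");
    return rsp.subarray(0, rsp.length - 2);
  },
};
// Higher-level API: the page gets a frozen handle scoped to its origin, never the token.
function connect(token, origin) {
  const script = translationScripts[token.atr];
  if (!script) throw new Error("no translation script for ATR " + token.atr);
  const driver = script(token);
  // Assumption: the per-key origin list is the "CORS-like" policy stored on the token.
  const allowed = Object.keys(token.keys).map(Number)
    .filter((id) => token.keys[id].origins.includes(origin));
  return Object.freeze({
    keys: () => [...allowed],
    sign(keyId, data) {
      if (!allowed.includes(keyId)) throw new Error("key not available to " + origin);
      return driver(keyId, data);
    },
  });
}
function demo() { // constructed keys, origins and challenge
  const [a, b] = [0, 1].map(() => crypto.generateKeyPairSync("ed25519"));
  const token = new MockToken("3b8001", {
    1: { priv: a.privateKey, origins: ["https://www.acme.com"] },
    2: { priv: b.privateKey, origins: ["https://bank.example"] },
  });
  const handle = connect(token, "https://www.acme.com");
  const challenge = Buffer.from("constructed challenge");
  const verified = crypto.verify(null, challenge, a.publicKey, handle.sign(1, challenge));
  let blocked = false; try { handle.sign(2, challenge); } catch { blocked = true; }
  return { keys: handle.keys(), verified, blocked, rawChannel: "transmit" in handle };
}
```

The handle returned to the page lists only the keys scoped to its origin and carries no transmit method, so the web app proves possession of a key without ever seeing the APDU channel or the other origin's key identifier.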

8 Thank You

