See also: IRC log
virginie: Chair of Web Crypto
Group doing introductions, probably around 40-50 people in the group
Probably closer to 60 people in the group.
Still doing introductions, lots of people interested in security, etc.
virginie: Lots of people interested in security, that's good to see. There is a security activity in the W3C, led by Wendy Seltzer. It's done by several WGs: WebSec, WebCrypto, Web Security IG, an open group, and something new. Open item: a security topic in the TAG.
... What are the problems solved by current activities: Web App Security, Web Crypto WG, XML Security?
... Web Crypto WG is delivering an API to build app security
model
... As a security company, at Gemalto we interviewed people to inform us on what should be done in security. The most important thing is to create a conversation on security.
<wseltzer> Wiki page
virginie: We need a picture of the state of the security model. There is the idea of creating a security community; if each of you is interested, we're off to a good start.
... The question is which pieces of technology should we see implemented in W3C, what are the use cases, problems, questions?
virginie: Ok, open mic - who wants to talk about security?
divi: I live in China, I have a special perspective on this. I don't want to see more binary blobs in the browser. Especially when they're put there by a media company controlled by a government.
<mountie> +1 for no binary blobs
TimBL: Two things... 1) The idea is to make the web more robust. We need to get people excited about the idea that when you link to something, you should take a certain amount of responsibility to help people get context. If a client gets a TCP error, it should go back to the referrer and ask if they have a copy of it. This is a W3C site, we keep a copy of everything we link to. Or it could be that I don't have a copy, but there is a P2P group: if you join the bittorrent tracker sharing copies of data, you could join the P2P community.
TimBL: or if you don't overuse the server too heavily, we can get it from a P2P source. There are lots of ways in which servers could respond.
... Is a server going down? Is a link going down? Is it by some
other authority?
<Zakim> dka, you wanted to suggest we need better UI around security and trust chains, especially in mobile browsers and what about chromeless mobile webapps?
dka: A few years ago, we had a big improvement in the way that security is evidenced to the user, particularly in the browser; you're presented with more visual cues, it lets you know when you're secure.
... It lets you examine the trust chain of the certificates. When something's amiss, when something's being broken, etc.
... With mobile we're starting over again... chromeless web applications, it's hard to tell if they're secure.
... All bets are off, no way to tell if you're in a secure session or not. Is there a role for W3C to play? To start or prompt a discussion in the industry... what we should do w/ security UIs. What should we do?
mountie: Mountie from PayGate in Korea. I have discussed this in the WebCrypto group. Some parties have a different philosophy: some parties think the client is controlled by the provisioner. Some parties think the Web is controlled by the user, so they have the privilege and the right. Because of this different philosophy, we need some protection mechanisms to protect client-side security. If a client is compromised, normally we think that there is no protection. We need more effort. When I see the Web Payments folks talk about Secure Frame, that's very similar to my idea. We should start to consider security when the client environment is compromised.
dbaron: How does standardization
interact with research and security and the development of new
threats we were not aware of. One of the risks we have is that
we standardize something and new research comes along to
invalidate that.
... There is some amount of resistance to changing stuff that
is standardized already, even when we're at a point where all
the implementations are about to change.
... (e.g. :visited and privacy) There were known attacks; we didn't want to take a solution to the WG because we didn't think the CSS WG culture would accept the fix, even though it's something that all browsers were doing.
... We want to exercise some amount of care there, but we need
to exercise some amount of care in case we get something
wrong.
virginie: To clarify - are you saying that we need to work with new people and be ready to patch the solutions we have today?
dbaron: I think yes, we need to interact with more people here, we need to change things we've done when there are security issues that are found.
jeff: Security is hard, it's hard for lots of reasons. There are a myriad of different use cases, different attacks. It's whack-a-mole, security edition!
... Creating a secure web is protocols, best practices, we have
a massively insecure web right now. We don't feel it today,
because we're lucky.
... I would propose that we look at the domain that is scariest for the Web. The scariest one is financial services. Everyone does banking on the Web. Everyone puts their credit card on the Web. A couple of well-placed security incidents and there could be massive damages to the financial ecosystem. The financial industry does try to fix this stuff, so it would be interesting to choose one use case, financial services on the web, make it really secure, then go from there.
<Zakim> m4nu, you wanted to ask about the certificate authority issue, to see if anyone is seriously working on it.
<Daniel_Austin> +1 @ JeffJ
m4nu: Asks a question about the Certificate Authority chain, spoofability, why we're not moving toward those solutions.
... Why are we not doing Network Perspectives?
DanD: We need to make sure we have the information captured, we can't make things secure if people don't participate in helping. Make education a bigger priority in the user community with simple messages. Not 100 page documents on threats/countermeasures. Let's involve the users more.
fan: As far as content protection is concerned, software security is important to us.
... We have done software security before; we would like W3C to focus on Web Crypto, and we want to talk more about Content Protection and contribute more.
sangrae: I'd like a Security Interest Group on Certificate-based functionality. There are many apps that need certificate-based signatures. There is some work in that area, but not enough.
<Jirka> sangrae +1 on browser API for doing crypto operations
sangrae: Security protocol should be provided in the browser, such as SAMR? SAML? It needs to be in the browser, useful for many web apps.
mnot: I want to agree with Manu that PKIX is a big problem; as we encourage more use of encryption on the Web, it's going to incentivize some groups to try and break SSL more.
... There are products that break SSL. There are solutions: DNSSEC, key pinning, Network Perspectives, Sunlight. In all of those discussions, I've been poking people, and the pattern that I've observed is that the people who know about this are the browser vendors. However, browser vendors think behind closed doors; I understand why they do that. However, we need to have these discussions in public more.
<fan> I'd like to see obfuscation on the security agenda
mnot: The browser vendors tend to say "We can't do that", but they can do that in groups and we've seen that happen in HTTP/2.0 work.
<Zakim> timbl, you wanted to ask about better UI for cert management as a subset maybe of dan's point.
<mountie> +1 "we need to have these discussions in public more"
timbl: There is a big social problem about employee/employer relationship wrt. man-in-the-middle attack. What world do we want? You need to ask that question. What sort of Web do we want?
<kodonog> +q
timbl: Certificates... I've always been depressed by how little we use PKI. Certificate management in the browser is a pretty bad experience.
... When I'm asked to select a client certificate, I get a fairly horrible experience in the browser.
... It shows me expired certificates, it's in a tiny area of the screen, it's a bad experience. Just improve the interface to do management.
... I commend the browser manufacturers wrt. self-signed certificate warnings and adding them. The dialog doesn't make it clear whether or not I'm trusting the certificate/signer. "Trust Forever" is a big statement. So, we need to do a big push for UI.
... I think we need to use more client certificates.
... For example, many of the security questions I'm asked on websites are data that is found in Wikipedia.
... Secret questions need to move more to cryptographic mechanisms, specifically giving me a client-side cert.
Daniel_Austin: Dan Austin from eBay and PayPal.
... We care quite a bit about security since we deal w/ payments.
... We're talking about wiring devices like airplane TVs, cars, the electricity grid, etc. We need to keep those devices in our focus.
MoZ: Mohamed Zergaoui from Innovimax
... I'm sad that XML Security is on hold. I'm a bit concerned that this group is labeled Security instead of Trust. This has more to do w/ Trust than Security. Security people tend to have an extreme approach to implementations.
... Facebook had more than 800 million users before switching to HTTPS. I don't think things like that can be handled by standards. Vendors, part of the time, use security as an excuse to not implement features. MathML was in Chrome, then out. They were still saying that MathML was a security issue... what's the security issue? That's the problem w/ working behind closed doors.
<wseltzer> later
MoZ: This is a mentality switch that we need to consider.
<DV> mnot: if we could get HTTP2 to use encryption on by default (when possible)
wseltzer: I've been trying to note down some of the things I'm hearing. It's great to go around and get some of these suggestions into the room. We have lots of people in the room; a lot of the security challenges that we face are the issues between applications and parties. As W3C can help convene to identify problems, we need to solve those in ways that are consistent w/ the users.
... We need to take their security understanding from one device to another. Can we build up some of those intuitions and patterns for the general public?
rniwa: There are social hacks that work as well. For example, the like button... cross-origin content. This is problematic because there are a lot of people using them.
... For example, if CDNs get compromised, there are huge security implications. Those affect tens of thousands of websites.
mnot: The managed laptop/company laptop issue is a problem.
... I don't use company laptops anymore, they get subpoenaed. We don't have to solve everything. My iOS device gives me no access to the trust store on the device. I don't even know that it's happening. We can make small improvements even if we don't get the whole solution. We can solve this better at W3C rather than the IETF.
<Daniel_Austin> +1 on user access to 'trusted enclaves' on devices
kodonog: I do want to go back to the security discussion. There is a preliminary draft out there. This is a conversation that has a lot of key players. We need help to get critical mass. There are a number of key parties that could help in this space. Let's have an open conversation.
btoews: Ben from GitHub. Sessions are pretty ubiquitous on the Web, typically done via a cookie. If you have a client certificate, we could tie the session to the user agent. You don't need to worry about MITM, you don't need to worry about the session being compromised. A JavaScript API to do a CSR would be nice. Some of this is being covered in WebCrypto.
timbl: What is CSR?
<kodonog> clarification on my comments... I was going back to the certificate discussion... and I was referencing the IAB Security program and the very preliminary draft... https://datatracker.ietf.org/doc/draft-tschofenig-iab-webpki-evolution/
btoews: CSR is certificate signing request.
<mnot> +1 for having access to TLS cert details in JS (if that's what I understood)
btoews: One certificate per domain by default.
<mete> +1 for JS access to TLS cert details
Larry: The organizational issue is big. When you are designing some function, it's nice that you can rely on the rest of the stack working. You don't have to know much about them. Security exploits typically cross the boundaries.
<mountie> use Client Cert at OSI Application Layer.
Larry: The security considerations that you don't have to think about because the lower level protects you are a good thing.
... When people ask for a safe/secure Internet, they're asking for something higher in the protocol stack than W3C typically works on. We are trying to build security for people that think the Internet is made of cats.
CATS!
Larry: You have to understand too much to understand the issues. This is about trust, but we're really far away from understanding the usability problem w/ the Web. Let's not solve the problem for us, let's solve the problem for those that are not technically adept.
virginie: Removing my WebCrypto hat, from a Gemalto perspective: everything related to identity is a use case that's important.
... We should put some effort into identity.
Mark: Just one more thing about the difference between different countries. For US, it's based on something you know. Elsewhere, it's based on something you have.
<dka> +1 to the role of a trusted component on the client side for high-value transactions...
<dka> (or at least multi-factor authentication)
<Zakim> m4nu, you wanted to talk about identity.
m4nu: So, we are working on identity stuff in Mozilla Persona and Web Payments, government identifiers, age verification, crypto-based... but we don't have enough participation now. We need more.
<timbl> US banks do use a cellphone SMS message - that is a client-side thing I guess
<Daniel_Austin> The FIDO Alliance is also addressing security, as well as Persona
wseltzer: This work will be wrapped up into building the roadmap for security.
<Daniel_Austin> (and identity!)
wseltzer: What can we do uniquely with the participants and expertise that we have.
Daniel_Austin: We need more hardware people. If you have a Samsung phone, they're going to be a part of the solution.
virginie: Summarizing: We want to protect the client side, fix the certificate authority problem, share knowledge w/ organizations, educate the users; we need to focus on new usages like mobile, power, airlines, and new areas like payment, social network environments, identity.
... That gives us some material to work on in the Web Security IG. We have good input.
<dezell> We have few security experts at W3C because there is no security work.
<dezell> It's "chicken and egg"
virginie: Just to emphasize, the Web Security IG is only as good as the participants. We need the folks in this circle to join the work.
... Ok, we'll see all of you in the Web Security IG! :P
... We want to work on mobile security.
... We need to do more security reviews on specs.
... In terms of process, no one is taking care of that.
... Wendy and I can support you in any of your security-related questions/activities.
rigo: As Wendy said, we need an analysis on the Web Platform... where is it lax? The W3C is part of a research project called STREWS. We analyzed security threats, we're going to publish that security report to the IG list.
Scribe: m4nu. Minutes of 13 Nov 2013: http://www.w3.org/2013/11/13-security-minutes.html