14:57:10 RRSAgent has joined #websec
14:57:10 logging to http://www.w3.org/2013/12/18-websec-irc
14:57:19 zakim, this will be WSIG
14:57:20 I do not see a conference matching that name scheduled within the next hour, wseltzer
15:03:37 zakim, this will be WSIG
15:03:37 ok, wseltzer; I see T&S_(WebSec)11:00AM scheduled to start in 57 minutes
15:05:08 wseltzer has changed the topic to: WebSec IG call today: http://www.w3.org/Security/wiki/IG
15:50:45 fan has joined #websec
15:55:18 Meeting: Web Security Interest Group
15:55:33 Date: 18 December 2013
15:57:00 Agenda: http://lists.w3.org/Archives/Public/public-web-security/2013Dec/0013.html
15:57:18 agenda+ Welcome and Introductions
15:57:28 hhalpin has joined #websec
15:57:40 Zakim, what's the code?
15:57:40 the conference code is 9744 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), hhalpin
15:57:48 agenda+ Security work at W3C
15:58:01 agenda+ WebSec IG
15:58:08 fjh has joined #websec
15:58:33 agenda+ Discussion: Web mobile security
15:58:36 T&S_(WebSec)11:00AM has now started
15:58:37 virginie has joined #websec
15:58:43 + +1.703.948.aaaa
15:58:52 agenda+ Discussion: New work items http://www.w3.org/Security/wiki/IG/new_work
15:58:55 +[IPcaller]
15:58:59 npdoty has joined #websec
15:59:07 agenda+ Discussion: Security reviews, EME
15:59:08 christine has joined #websec
15:59:48 agenda+ Upcoming workshops
16:00:00 agenda+ Work-modes and future IG organization
16:00:02 Zakim, code?
16:00:02 the conference code is 9744 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), npdoty
16:00:14 AndyF has joined #websec
16:00:25 +Wendy
16:00:40 +virginie
16:00:45 zakim, who is here?
16:00:45 On the phone I see +1.703.948.aaaa, [IPcaller], Wendy, virginie
16:00:47 On IRC I see AndyF, christine, npdoty, virginie, fjh, hhalpin, fan, RRSAgent, Zakim, wseltzer
16:00:50 +karen_oDonoghue
16:00:58 Andy is on the phone
16:01:03 Zakim, [IPcaller] is me
16:01:03 +christine; got it
16:01:11 zakim, aaaa is AndyF
16:01:12 +AndyF; got it
16:01:22 zakim, code?
16:01:22 the conference code is 9744 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), fjh
16:01:34 +npdoty
16:01:41 zakim, agenda?
16:01:41 I see 8 items remaining on the agenda:
16:01:43 1. Welcome and Introductions [from wseltzer]
16:01:43 2. Security work at W3C [from wseltzer]
16:01:43 3. WebSec IG [from wseltzer]
16:01:43 4. Discussion: Web mobile security [from wseltzer]
16:01:43 5. Discussion: New work items http://www.w3.org/Security/wiki/IG/new_work [from wseltzer]
16:01:43 6. Discussion: Security reviews, EME [from wseltzer]
16:01:44 7. Upcoming workshops [from wseltzer]
16:01:44 8. Work-modes and future IG organization [from wseltzer]
16:01:48 kodonog has joined #websec
16:02:12 +[IPcaller]
16:02:26 zakim, [IPcaller] is me
16:02:26 +fjh; got it
16:02:38 Present+ Frederick_Hirsch
16:02:50 zakim, who is here?
16:02:50 On the phone I see AndyF, christine, Wendy, virginie, karen_oDonoghue, npdoty, fjh
16:02:52 On IRC I see kodonog, AndyF, christine, npdoty, virginie, fjh, hhalpin, fan, RRSAgent, Zakim, wseltzer
16:03:46 +[IPcaller]
16:03:53 Zakim, IPcaller is hhalpin
16:03:53 +hhalpin; got it
16:04:25 scribenick: npdoty
16:04:44 +Art_Barstow
16:04:53 ArtB has joined #websec
16:05:06 zakim, who's here?
16:05:06 On the phone I see AndyF, christine, Wendy, virginie, karen_oDonoghue, npdoty, fjh, hhalpin, Art_Barstow
16:05:08 On IRC I see ArtB, kodonog, AndyF, christine, npdoty, virginie, fjh, hhalpin, fan, RRSAgent, Zakim, wseltzer
16:05:21 +??P33
16:05:42 zakim, ??p33 is manu
16:05:42 +manu; got it
16:06:04 rrsagent, generate minutes
16:06:04 I have made the request to generate http://www.w3.org/2013/12/18-websec-minutes.html fjh
16:06:11 zakim, who is here ?
16:06:11 On the phone I see AndyF, christine, Wendy, virginie, karen_oDonoghue, npdoty, fjh, hhalpin, Art_Barstow, manu
16:06:14 On IRC I see ArtB, kodonog, AndyF, christine, npdoty, virginie, fjh, hhalpin, fan, RRSAgent, Zakim, wseltzer
16:06:20 rrsagent, make logs public
16:06:44 manu has joined #websec
16:06:45 agenda?
16:06:46 Zakim, take up agendum 1
16:06:49 zakim, take up agendum 1
16:06:49 agendum 1. "Welcome and Introductions" taken up [from wseltzer]
16:06:49 agendum 1. "Welcome and Introductions" taken up [from wseltzer]
16:07:04 virginie: welcome to Web Security Interest Group
16:07:07 Chair: Virginie_Galindo
16:07:26 ... have a call as an opportunity for introductions, including a new co-chair and Wendy new for this role at W3C
16:07:32 -> http://lists.w3.org/Archives/Public/public-web-security/2013Dec/0013.htmls Agenda
16:07:48 ... Virginie Galindo of Gemalto
16:07:55 ... a quick roll call of delegates
16:07:57 Agenda: http://lists.w3.org/Archives/Public/public-web-security/2013Dec/0013.html
16:08:01 zakim, who is here?
16:08:01 On the phone I see AndyF, christine, Wendy, virginie, karen_oDonoghue, npdoty, fjh, hhalpin, Art_Barstow, manu
16:08:03 On IRC I see manu, ArtB, kodonog, AndyF, christine, npdoty, virginie, fjh, hhalpin, fan, RRSAgent, Zakim, wseltzer
16:08:18 AndyF: from Verisign, new to the group and figuring out priorities
16:08:53 ArtB: Art Barstow, chair of a couple WGs, most interested in reviewing specifications of WGs
16:09:02 ... like to make sure Web Sec Interest Group a part of the review process
16:09:04 Christine Runnegar, Internet Society, here as W3C Privacy Interest Group (PING) co-chair
16:09:06 masinter has joined #websec
16:09:44 Frederick Hirsch, Nokia, chair of Device APIs (DAP) and XML Security WGs
16:10:08 fjh: interested in reviews, or any advice that can be given up front for design, interested in learning
16:11:05 hhalpin: W3C, Web Crypto, encrypted web tools important because hearing about tools/projects that can't use the web
16:11:23 kodonog: from ISOC, here from a general IETF perspective
16:11:31 + +1.408.332.aabb
16:11:33 Another good example is Cryptocat and the browser plug-ins
16:11:47 zakim, aabb is me
16:11:47 +masinter; got it
16:11:48 Karen O'Donoghue, Internet Society, web crypto, IETF JOSE WG, general IETF security perspective
16:12:24 npdoty has joined #websec
16:12:31 masinter: Larry Masinter, have worked in this area a long time
16:12:43 manu: Web Payments CG, want to make sure this group is aware of work happening elsewhere
16:13:15 wseltzer: as of earlier this month, Tech & Society domain lead
16:13:27 ... help figure out how W3C should work on privacy and security issues
16:13:38 ... work on strategy and assemble the resources to do that
16:13:58 ... resources limited, so working with the community is essential, as in this group
16:14:01 manu: I'm also working with the Secure Messaging work (JSON messages that are digitally signed and/or encrypted)... and HTTP Signatures (adding authentication and working w/ authorization in the HTTP protocol)
16:14:03 nvdbleek has joined #websec
16:14:09 ... thinking about the problems that we're facing and how to attack those
16:14:35 rrsagent, generate minutes
16:14:35 I have made the request to generate http://www.w3.org/2013/12/18-websec-minutes.html fjh
16:14:41 ... ways for users to ensure security of their communications (e.g. NSA)
16:14:51 ... no single company or research angle can solve the problem alone
16:14:58 -manu
16:15:02 +nvdbleek
16:15:11 ... Consortium is a good place to think about problems collectively and solve them collectively
16:15:22 zakim, mute me
16:15:22 nvdbleek should now be muted
16:15:38 ... using the Web for secure communications and authenticated transactions
16:15:52 ... sent a few messages to the list on new work we might take up
16:16:13 ... in response to increased attention to security, along with IETF & Internet hardening
16:16:34 ... ... since surveillance is interpreted as an attack on the Internet and the Web
16:16:52 ... enhancing existing work, have a role doing security reviews
16:17:05 ... how can we give good guidance to authors up front and reviewing specs as they're developed
16:17:11 ... and to the users of those specs as well as their authors
16:17:28 +??P33
16:17:36 zakim, ?P33 is manu
16:17:36 sorry, manu, I do not recognize a party named '?P33'
16:17:42 zakim, ??P33 is manu
16:17:42 +manu; got it
16:17:47 i think part of the agenda is to catalog the threats we're worried about, and establish some criteria for prioritization
16:17:48 web security IG wiki http://www.w3.org/Security/wiki/IG
16:17:51 virginie: organize an answer to wseltzer's questions
16:17:58 Present+ Virginie_Galindo, Art_Barstow, Christine_Runnegar, Frederick_Hirsch, Harry_Halpin, Karen_O'Donoghue, Larry_Masinter, Nick_Doty
16:17:58 Present+ Manu
16:18:09 ... very briefly look over the Interest Group and proposed work
16:18:27 Present+ Wendy_Seltzer
16:18:31 I mean, that may not be true
16:18:33 ... formal request from the Mobile Web Interest Group; can we have a report
16:18:36 You can zero-day native apps much easier
16:18:46 http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
16:18:47 ... on whether web apps are less secure than native apps?
16:18:50 So I'd be against such blanket statements without lots of details.
16:19:33 ... a Web Security model, as proposed by David Rogers
16:19:40 That being said, I recommend people develop native apps for security purposes until a few critical problems on the Web are fixed. But the upgrade path for native apps is also sketchy.
16:19:59 ... one Interest Group task could be to gather such requests
16:20:07 ... another task is security review
16:20:21 ... we have a formal request from the HTML WG for security review of the EME spec
16:20:24 http://www.w3.org/Security/wiki/IG/new_work
16:20:57 ... proposed new work -- let's try to secure all the things -- which looks like a charter
16:21:24 ... security best practices, developing security on the client-side
16:21:40 ... for this call, see who is interested in what, and how to prioritize different topics
16:21:47 q?
16:22:03 q+
16:22:04 q+
16:22:10 q+
16:22:17 ... open the mic for anyone to join the discussion
16:22:17 ack hhalpin
16:22:19 q+
16:22:33 hhalpin: new work list seems to be missing HTTP Auth, currently being rebooted at IETF
16:22:45 ... a way to enter username/password in browser chrome
16:22:53 q+ to argue for spending some time on establishing a framework for future work before starting on any individual topic
16:22:54 ... insecure because the crypto is known to be broken
16:23:11 ... look at which new WGs need to be started
16:23:29 q+
16:23:33 ... like to build a group that can do security reviews, might need help from IETF
16:23:38 ack manu
16:23:44 https://ietf.org/wg/websec/charter/
16:23:46 We should work with them.
16:23:50 in terms of reviews
16:23:56 manu: having trouble tracking all the new security related specs that are popping up
16:24:28 ... jose, payments, fido alliance, browserid -- where all the specs are, their problems, the overlap
16:24:38 ... a lot of uncoordinated work being done in security today
16:24:50 ... figure out a way for all these technologies to fit together
16:24:56 FIDO alliance seems to be moving well, Mozilla Persona unfortunately seems to have little to no update (despite being a great design), etc.
16:25:13 ... renewed interest because of NSA stuff going on, which is great, but need to coordinate
16:25:23 Yes, the duplication of effort between RDFa, microformats, and microdata was a waste of time IMHO
16:25:27 I'd like to avoid that in the future
16:25:31 ... general challenge: can we at least summarize everything that's going on?
16:25:50 wseltzer: I'm so busy that I'd do a bad job at it.
16:25:54 ... present back to these groups, so people know what is going on
16:26:12 ... every group believes they're working on something unique
16:26:20 q?
16:26:24 the main question is the nature of how we organize our own report/plan. Manu argued for documenting "what's going on now". There's another perspective, which is "what needs to be done". And a third, which I argue for, is "what is THIS group's work plan"
16:26:25 ... needs someone from outside to help them see overlaps; a huge coordination issue
16:26:47 s/wseltzer:/wseltzer,/
16:27:12 fjh: 1) agree with manu, but it's a huge task just to summarize all work, but just the activities that are going on
16:27:26 ... security at different layers, not just the Web level
16:27:33 ... perpass and other groups/lists at IETF
16:27:47 ... a lot going on with PKI and technologies
16:27:55 ... a wiki that people can link to what is going on
16:28:11 ... 2) don't confuse security with crypto, details of crypto mechanisms not the best place to start
16:28:32 ... 3) creating a Web architecture for security is very ambitious
16:28:46 ... ... just dealing with cookies alone is very ambitious given all the legacy implementations
16:28:57 ... the details are significant, hesitant to promise overreaching
16:29:29 virginie: documenting on the wiki sounds like a good idea; can you share what you have?
16:29:44 manu: ArtB and I have been expanding on "work that's going on" here - http://www.w3.org/Security/wiki/IG/W3C_spec_review
16:29:47 fjh: yes, and we all have different stuff
16:29:56 q?
16:29:58 q?
16:30:00 q-
16:30:02 ack christine
16:30:35 christine: very valuable input all around, fjh has been doing a great job with privacy in specs
16:30:45 ... have grand ambitions but be realistic in what we can achieve
16:30:57 ... had a conversation in the last Privacy Interest Group (PING) call
16:31:07 ... trying to coordinate privacy reviews with security reviews of specifications
16:31:39 ... considerations may reinforce each other, and combining reviews can increase our pool of expertise
16:32:02 ack masinter
16:32:02 masinter, you wanted to argue for spending some time on establishing a framework for future work before starting on any individual topic
16:32:03 ... raise that possibility as we go forward
16:32:32 masinter: heard agreement that we should do some planning, summarizing, cataloging
16:32:47 q+
16:32:50 maybe cookies was too much of a privacy consideration, let's see how about unknown certificates for example as another example
16:32:51 ... before we engage in any specific task (like reviewing) we should do some planning
16:33:16 ... let's catalog what's going on (ongoing activities that are security related)
16:33:30 agree, we need to understand goals and requirements
16:33:31 ... another perspective, catalog what needs to get done
16:33:56 ... organized around a longer term perspective
16:34:15 ... and what is it that we as a group need to do
16:34:39 ... which might be initiating WGs at W3C, establishing liaisons with other groups, etc.
16:34:57 ... what does the Web Security Interest Group need to do to be most productive
16:35:05 ack AndyF
16:35:31 AndyF: really see this interest group, get threat modeling out there
16:35:36 ... a group of people to review that
16:35:53 ... a reach-out campaign, who else should be involved?
16:36:03 q+
16:36:43 q+
16:37:31 +BHill
16:37:36 bhill2 has joined #websec
16:37:50 do we have, on the call, the expertise to do a security review of HTML?
16:38:17 Present+ Brad_Hill, Andrew_Fregly
16:38:18 wseltzer: would like to work on that project and other specifics, even as we do mapping
16:38:37 ack wseltzer
16:38:47 (sorry to be late)
16:38:57 virginie: need to find the appropriate people (there are only so many of us), who to ask
16:39:08 ack manu
16:39:11 http://www.w3.org/Security/wiki/IG/W3C_spec_review#Candidates_for_Review
16:39:21 manu: Art and I have been hacking on the wiki while the call is going on
16:39:36 ... a number of spec candidates for review, what we know are going on out there
16:39:55 q+ to say that the best we can do is to establish a process for insuring security review of specs
16:39:59 ... when you're asking people to review specs, everyone already overcommitted
16:40:17 ... hard for us to spend a lot of time to do the things that we've just said are very important
16:40:25 ... no answer right now, just raising the concern
16:40:27 ack hhalpin
16:40:46 hhalpin: agree with manu on lack of resources; do think w3c should have someone fulltime
16:40:53 Present- Manu
16:41:03 Present+ Manu_Sporny
16:41:03 ... don't have that person yet, if a W3C Member wanted to send a W3C Fellow, that would be great
16:41:17 ... recommend we do security reviews jointly with IETF, given limited resources
16:41:21 rrsagent, generate minutes
16:41:21 I have made the request to generate http://www.w3.org/2013/12/18-websec-minutes.html fjh
16:41:23 ack masinter
16:41:23 masinter, you wanted to say that the best we can do is to establish a process for insuring security review of specs
16:41:26 In particular, with IETF WebSec WG
16:41:39 No, we must do security reviews in this group I think.
16:41:42 masinter: there's some agreement that we're not doing the security reviews in this group
16:41:56 q+ to propose some way forward.
16:41:58 ... and so the best we can do is a process for doing security reviews, perhaps a process that includes IETF
16:41:59 The IETF WebSec group is also not toooooo active
16:42:04 q?
16:42:11 q+
16:42:12 q+
16:42:17 ack manu
16:42:17 manu, you wanted to propose some way forward.
16:42:39 manu: the way we've had a decent number of security reviews has been by chance
16:42:41 q+ to suggest explicitly asking chair of IETF websec to this group
16:43:04 ... find the people to do the security reviews, ask people directly who have expertise
16:43:04 [to clarify, I was suggesting that we could use the IETF security considerations as a guide, http://tools.ietf.org/html/rfc3552 ]
16:43:19 i don't think this group even is the one to find the reviewers
16:43:30 q?
16:43:32 ... a lot less time if we can reach out to our social networks
16:43:36 q+
16:43:39 ack hhalpin
16:44:09 hhalpin: push back, need neutral security reviews from people with background in the topic
16:44:26 ... the duty of this group and W3C to do reviews of specs with security implications
16:44:48 ... if we don't have all the resources on this telcon, work with IETF websec
16:45:02 ... shouldn't do mapping exercise if it takes away from security reviews, which I believe to be the primary purpose
16:45:05 ack wseltzer
16:45:11 q+
16:45:41 wseltzer: hearing from many that we don't have sufficient expertise/time
16:45:47 updated http://www.w3.org/Security/wiki/IG/press_news with IETF Secauth and Perpass links
16:45:55 ... maybe we don't have everyone this call or that you all are too modest about your expertise
16:46:22 ... would like this group to make assertions at least as strong as IETF, that each spec has been reviewed against security considerations
16:46:41 ... better yet, have we minimized the security footprint of those changes?
16:46:53 ... looking for suggestions, here and offline, on how to get that work done
16:46:54 q+
16:46:55 q?
16:47:16 perhaps we should review the charter of the group again? there's a big difference between "securing the web" and "adequately review security of W3C specs". The amount of work is proportional to different values
16:47:23 ... don't think it's a task we can ignore
16:47:28 ack masinter
16:47:28 masinter, you wanted to suggest explicitly asking chair of IETF websec to this group
16:47:41 masinter: maybe we should review the charter of the group again
16:47:51 q+
16:47:57 ... difference between securing the web and adequately reviewing w3c specs
16:48:12 ... proportionate to how insecure the web is vs. the number of specs produced
16:48:23 +1 to Larry's statement about there being a difference between "Securing the Web" and "Doing adequate security review of specs"
16:48:26 http://www.w3.org/2011/07/security-ig-charter.html
16:48:27 +1 need to distinguish securing the web versus reviewing specs, different yet related to goals
16:48:36 s/to goals/goals/
16:48:37 ... kind of expect the WG that produces the spec not to knowingly introduce security bugs
16:49:03 ... just doing adequate review, or focus on what needs to be done to secure the web
16:49:17 virginie: our charter is to give advice and review specifications
16:49:42 ... with wseltzer and abarth, identifying other areas
16:49:44 "Securing the Web" is a reach goal, of course, and never something we can completely achieve -- but surely we should try to improve the risk-balance of web security
16:50:00 ... main role is still to do review
16:50:18 ... do we have the expertise? related to recruiting participants
16:50:33 http://www.w3.org/2011/07/security-ig-charter.html
16:50:36 ... if the IG has been quiet, or roadmap is unclear, harder to gather participants
16:50:39 q?
16:50:46 ack virginie
16:50:46 ack virginie
16:50:47 ack bhill2
16:50:51 ack bhill
16:51:15 bhill2: for recruiting, there are people out there, but may need to think about structures for Invited Expert status
16:51:37 ... my first involvement with w3c was working for a security consulting company
16:52:03 ... and had an expiring IE status; hard to convince small company for Membership
16:52:11 to Virginie - wondering whether you could provide some email text introducing the revamped IG that we could send around to recruit experts?
16:52:15 q+
16:52:23 ... smaller companies that are interested in contributing but not budgeting
16:52:25 ack fjh
16:52:41 to christine - i think it is a good idea :)
16:52:46 I don't see doing document reviews in the charter at http://www.w3.org/2011/07/security-ig-charter.html
16:52:52 fjh: nothing in the Process that requires privacy/security considerations
16:53:06 ... should have such a requirement (ask the Team to raise that)
16:53:19 ... in the PING group we've had some experience doing reviews
16:53:21 q+ to ask if we can walk through charter
16:53:40 ... it's a lot of work because it requires understanding what the spec does, at least for complicated specs
16:53:56 ... like inviting editors of the spec to explain
16:54:04 ... Process should call out security/privacy as needed
16:54:13 Thank you Frederick. Agree re reviews.
16:54:32 ... have an expectation that WGs do a first pass themselves
16:54:46 q?
16:54:50 ack AndyF
16:55:11 AndyF: still concerned about threat models and the larger picture of web security
16:55:14 q+ to look for task force leaders
16:55:23 +1 AndyF bringing us back to IG charter question of web security versus reviews
16:55:35 ... would that be for this group or some new joint effort with IETF?
16:55:42 ack hhalpin
16:56:25 hhalpin: to bhill, agree IGs shouldn't have that problem of expiration on volunteering IEs
16:56:35 ... can push on that rule internally if need be
16:56:51 ... at least in the short term can smooth out the IE issue
16:57:00 http://www.w3.org/2011/07/security-ig-charter.html
16:57:03 q+
16:57:12 ack masinter
16:57:13 masinter, you wanted to ask if we can walk through charter
16:57:27 masinter: want to look at the charter, think a close reading will be helpful
16:57:49 ... can propose new work to W3C, we could write a proposal (about security considerations in the Process, eg)
16:58:21 ... nothing here about explicitly reviewing documents, except the focus on HTML5 and related APIs and technologies
16:58:29 ... other technologies wouldn't be in scope, or wouldn't be a focus
16:58:44 q?
16:58:49 ... others that are related to HTML5 / Web platform would be in scope
16:58:59 scribe: manu
16:59:13 scribenick: manu
16:59:35 masinter: Maybe we shouldn't tie the work to spec production, we need to sync up and have deadlines 'cause a spec is going to CR.
16:59:48 masinter: Or, are we looking at the process of development of the spec / underlying technology.
16:59:56 q+ to suggest we first list topics with leaders, then check if falling in the charter
16:59:57 have to drop for #dnt, nice listening to you all and I hope to be helpful where I can
17:00:03 -npdoty
17:00:35 wseltzer: Quick summary - heard lots of different pieces of interest. Especially in helping w/ the problem and searching for particular areas to engage.
17:00:58 I think the IG should selectively review to focus on problems that relate to overall web arch security , e.g. start with Promises and Service Workers, for example?
17:01:05 -Art_Barstow
17:01:12 not work reactively but seek areas that may offer rewards
17:01:14 -nvdbleek
17:01:26 wseltzer: We will share more analysis of that and follow up via email. I'd like to invite people to form task forces around work that they think need to be done. We don't need to centrally direct the work via this group. If you see something you're interested in working on, send out a call on the mailing list, invite people to join the calls and invite people.
17:01:37 wseltzer: We don't yet have regular phone calls scheduled, tell us if you want them.
17:01:52 q?
17:01:57 wseltzer: What does this group need to do to make the Web Security goals that you have successful?
17:01:57 q-
17:02:25 fjh: I put this in the charter already, it may be a bad idea to say we're just going to review stuff.
17:02:43 fjh: I'd rather see us pick topic areas that are important to Web Architecture and select material that relates to that issue.
17:02:51 fjh: That's a suggestion, don't know how workable it is.
17:02:59 ack virginie
17:02:59 virginie, you wanted to suggest we first list topics with leaders, then check if falling in the charter
17:03:03 zakim, close queue
17:03:03 ok, wseltzer, the speaker queue is closed
17:03:03 q-
17:03:16 virginie: Yes, let's see some topics and then we can see if we can fold it into the charter.
17:03:27 virginie: We have some specific requests, "please review X"
17:03:41 virginie: We have requests to draw a picture of the different security areas.
17:03:48 virginie: We should catalog different security areas.
17:04:07 virginie: There is a need to select some topics that are important to Web Architecture, I think that was the goal of the IG new work.
17:04:10 http://www.w3.org/Security/wiki/IG/new_work
17:04:28 virginie: This is the expression of what the W3C members expressed they would like W3C to work on. We need people ready to work.
17:04:31 will add offline security to new work wiki
17:04:53 virginie: I can commit some time for any of those tasks. What can be interesting is that ... can someone say they can allocate some time to this IG.
17:05:00 +1
17:05:03 +1
17:05:05 +1
17:05:07 manu: I can commit maybe 1-2 hours every few weeks.
17:05:16 +1
17:05:17 +1
17:05:18 -BHill
17:05:24 +1
17:05:28 +1 w/ christine
17:05:59 Benchmark IETF secdir
17:06:01 virginie: We have some people that are ready to do some work. Maybe we have a call in 1 month. In meantime, Wendy and myself will fill out the wiki that reflects the discussion that we just had.
17:06:02 can we have a discussion on the mailing list about the timing of the call
17:06:13 I have a standing call at this time (monthly)
17:06:19 virginie: In the meantime, fill the wiki with anything you're willing to work on.
17:06:37 what is IETF secdir expert-hour-per-document ratio?
17:06:38 virginie: I'll communicate the follow-up over the mailing list.
17:06:51 rrsagent, generate minutes
17:06:51 I have made the request to generate http://www.w3.org/2013/12/18-websec-minutes.html fjh
17:07:25 masinter: If we are going to review documents, how long does it take, can we get commitment?
17:07:30 masinter: That's an issue.
17:08:20 Thanks all
17:08:23 thanks
17:08:26 virginie: Thanks for attendance, please spread the word about the existence of this group. We'll speak again in 1 month.
17:08:30 Thanks!
17:08:40 -fjh
17:08:41 -manu
17:08:43 -christine
17:08:45 -AndyF
17:08:45 -Wendy
17:08:46 -virginie
17:08:48 -karen_oDonoghue
17:09:01 thanks to the scribes !
17:09:07 -masinter
17:14:07 disconnecting the lone participant, hhalpin, in T&S_(WebSec)11:00AM
17:14:09 T&S_(WebSec)11:00AM has ended
17:14:09 Attendees were +1.703.948.aaaa, Wendy, virginie, karen_oDonoghue, christine, AndyF, npdoty, fjh, hhalpin, Art_Barstow, manu, +1.408.332.aabb, masinter, nvdbleek, BHill
17:14:23 rrsagent, make minutes
17:14:23 I have made the request to generate http://www.w3.org/2013/12/18-websec-minutes.html wseltzer
17:15:28 ArtB has left #websec
17:28:43 manu has left #websec
17:32:35 bhill2 has left #websec
19:32:07 nvdbleek has joined #websec
21:15:44 fjh has joined #websec