virginie: welcome to Web Security Interest Group
... have a call as an opportunity for introductions, including a new co-chair and Wendy new for this role at W3C
<wseltzer> Agenda
virginie: Virginie Galindo of Gemalto
... a quick roll call of delegates
<fjh> Agenda: http://lists.w3.org/Archives/Public/public-web-security/2013Dec/0013.html
AndyF: from Verisign, new to the group and figuring out priorities
ArtB: Art Barstow, chair of a couple of WGs, most interested in reviewing specifications of WGs
... like to make sure Web Sec Interest Group is a part of the review process
<christine> Christine Runnegar, Internet Society, here as W3C Privacy Interest Group (PING) co-chair
<fjh> Frederick Hirsch, Nokia, chair of Device APIs (DAP) and XML Security WGs
fjh: interested in reviews, or any advice that can be given up front for design, interested in learning
hhalpin: W3C, Web Crypto, encrypted web tools important because hearing about tools/projects that can't use the web
kodonog: from ISOC, here from a general IETF perspective
<hhalpin> Another good example is Cryptocat and the browser plug-ins
<kodonog> Karen O'Donoghue, Internet Society, web crypto, IETF JOSE WG, general IETF security perspective
<fjh> masinter: Larry Masinter, have worked in this area a long time
manu: Web Payments CG, want to make sure this group is aware of work happening elsewhere
<manu> manu: I'm also working with the Secure Messaging work (JSON messages that are digitally signed and/or encrypted)... and HTTP Signatures (adding authentication and working w/ authorization in the HTTP protocol)
wseltzer: As of earlier this month, Tech & Society domain lead
... help figure out how W3C should work on privacy and security issues
... work on strategy and assemble the resources to do that
... resources limited, so working with the community is essential, as in this group
wseltzer: thinking about the problems that we're facing and how to attack those
... ways for users to ensure security of their communications (e.g. NSA)
... no single company or research angle can solve the problem alone
... Consortium is a good place to think about problems collectively and solve them collectively
... using the Web for secure communications and authenticated transactions
... sent a few messages to the list on new work we might take up
... in response to increased attention to security, along with IETF & Internet hardening
... since surveillance is interpreted as an attack on the Internet and the Web
... enhancing existing work, have a role doing security reviews
... how can we give good guidance to authors up front and reviewing specs as they're developed
... and to the users of those specs as well as their authors
<masinter> i think part of the agenda is to catalog the threats we're worried about, and establish some criteria for prioritization
<virginie> web security IG wiki http://www.w3.org/Security/wiki/IG
virginie: organize an answer to wseltzer's questions
... very briefly look over the Interest Group and proposed work
<hhalpin> I mean, that may not be true
virginie: formal request from the Mobile Web Interest Group; can we have a report
<hhalpin> You can zero-day native apps much easier
<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
virginie: on whether web apps are less secure than native apps?
<hhalpin> So I'd be against such blanket statements without lots of details.
virginie: a Web Security model, as proposed by David Rogers
<hhalpin> That being said, I recommend people develop native apps for security purposes until a few critical problems on the Web are fixed. But the upgrade path for native apps is also sketchy.
virginie: one Interest Group task could be to gather such requests
... another task is security review
... we have a formal request from the HTML WG for security review of the EME spec
<virginie> http://www.w3.org/Security/wiki/IG/new_work
virginie: proposed new work -- let's try to secure all the things -- which looks like a charter
... security best practices, developing security on the client-side
... for this call, see who is interested in what, and how to prioritize different topics
... open the mic for anyone to join the discussion
hhalpin: new work list seems to be missing HTTP Auth, currently being rebooted at IETF
... a way to enter username/password in browser chrome
... insecure because the crypto is known to be broken
... look at which new WGs need to be started
... like to build a group that can do security reviews, might need help from IETF
<hhalpin> https://ietf.org/wg/websec/charter/
<hhalpin> We should work with them.
<hhalpin> in terms of reviews
manu: having trouble tracking all the new security related specs that are popping up
... jose, payments, fido alliance, browserid -- where all the specs are, their problems, the overlap
... a lot of uncoordinated work being done in security today
... figure out a way for all these technologies to fit together
<hhalpin> FIDO alliance seems to be moving well, Mozilla Persona unfortunately seems to have little to no update (despite being a great design), etc.
manu: renewed interest because of NSA stuff going on, which is great, but need to coordinate
<hhalpin> Yes, the duplication of effort between RDFa, microformats, and microdata was a waste of time IMHO
<hhalpin> I'd like to avoid that in the future
manu: general challenge: can we at least summarize everything that's going on?
<manu> wseltzer, I'm so busy that I'd do a bad job at it.
manu: present back to these groups, so people know what is going on
... every group believes they're working on something unique
<masinter> the main question is the nature of how we organize our own report/plan. Manu argued for documenting "what's going on now". There's another perspective, which is "what needs to be done". And a third, which I argue for, is "what is THIS group's work plan"
manu: needs someone from outside to help them see overlaps; a huge coordination issue
fjh: 1) agree with manu, but it's a huge task just to summarize all work, but just the activities that are going on
... security at different layers, not just the Web level
... perpass and other groups/lists at IETF
... a lot going on with PKI and technologies
... a wiki that people can link to what is going on
... 2) don't confuse security with crypto, details of crypto mechanisms not the best place to start
... 3) creating a Web architecture for security is very ambitious
... just dealing with cookies alone is very ambitious given all the legacy implementations
... the details are significant, hesitant to promise overreaching
virginie: documenting on the wiki sounds like a good idea; can you share what you have?
<manu> manu: ArtB and I have been expanding on "work that's going on" here - http://www.w3.org/Security/wiki/IG/W3C_spec_review
fjh: yes, and we all have different stuff
christine: very valuable input all around, fjh has been doing a great job with privacy in specs
... have grand ambitions but be realistic in what we can achieve
... had a conversation in the last Privacy Interest Group (PING) call
... trying to coordinate privacy reviews with security reviews of specifications
... considerations may reinforce each other, and combining reviews can increase our pool of expertise
<Zakim> masinter, you wanted to argue for spending some time on establishing a framework for future work before starting on any individual topic
christine: raise that possibility as we go forward
masinter: heard agreement that we should do some planning, summarizing, cataloging
<fjh> maybe cookies was too much of a privacy consideration, let's see how about unknown certificates for example as another example
masinter: before we engage in any specific task (like reviewing) we should do some planning
... let's catalog what's going on (ongoing activities that are security related)
<fjh> agree, we need to understand goals and requirements
masinter: another perspective, catalog what needs to get done
... organized around a longer term perspective
... and what is it that we as a group need to do
... which might be initiating WGs at W3C, establishing liaisons with other groups, etc.
... what does the Web Security Interest Group need to do to be most productive
AndyF: really see this interest group, get threat modeling out there
... a group of people to review that
... a reach-out campaign, who else should be involved?
<masinter> do we have, on the call, the expertise to do a security review of HTML?
wseltzer: would like to work on that project and other specifics, even as we do mapping
<bhill2> (sorry to be late)
virginie: need to find the appropriate people (there are only so many of us), who to ask
<manu> http://www.w3.org/Security/wiki/IG/W3C_spec_review#Candidates_for_Review
manu: Art and I have been hacking on the wiki while the call is going on
... a number of spec candidates for review, what we know are going on out there
... when you're asking people to review specs, everyone already overcommitted
... hard for us to spend a lot of time to do the things that we've just said are very important
... no answer right now, just raising the concern
hhalpin: agree with manu on lack of resources; do think w3c should have someone fulltime
... don't have that person yet, if a W3C Member wanted to send a W3C Fellow, that would be great
... recommend we do security reviews jointly with IETF, given limited resources
<Zakim> masinter, you wanted to say that the best we can do is to establish a process for ensuring security review of specs
<hhalpin> In particular, with IETF WebSec WG
<hhalpin> No, we must do security reviews in this group I think.
masinter: there's some agreement that we're not doing the security reviews in this group
... and so the best we can do is a process for doing security reviews, perhaps a process that includes IETF
<hhalpin> The IETF WebSec group is also not toooooo active
<Zakim> manu, you wanted to propose some way forward.
manu: the way we've had a decent number of security reviews has been by chance
... find the people to do the security reviews, ask people directly who have expertise
<wseltzer> [to clarify, I was suggesting that we could use the IETF security considerations as a guide, http://tools.ietf.org/html/rfc3552 ]
<masinter> i don't think this group even is the one to find the reviewers
manu: a lot less time if we can reach out to our social networks
hhalpin: push back, need neutral security reviews from people with background in the topic
... the duty of this group and W3C to do reviews of specs with security implications
... if we don't have all the resources on this telcon, work with IETF websec
... shouldn't do mapping exercise if it takes away from security reviews, which I believe to be the primary purpose
wseltzer: hearing from many that we don't have sufficient expertise/time
<fjh> updated http://www.w3.org/Security/wiki/IG/press_news with IETF Secauth and Perpass links
wseltzer: maybe we don't have everyone this call or that you all are too modest about your expertise
... would like this group to make assertions at least as strong as IETF, that each spec has been reviewed against security considerations
... better yet, have we minimized the security footprint of those changes?
... looking for suggestions, here and offline, on how to get that work done
<masinter> perhaps we should review the charter of the group again? there's a big difference between "securing the web" and "adequately review security of W3C specs". The amount of work is proportional to different values
wseltzer: don't think it's a task we can ignore
<Zakim> masinter, you wanted to suggest explicitly asking chair of IETF websec to this group
masinter: maybe we should review the charter of the group again
... difference between securing the web and adequately reviewing w3c specs
... proportionate to how insecure the web is vs. the number of specs produced
<manu> +1 to Larry's statement about there being a difference between "Securing the Web" and "Doing adequate security review of specs"
<virginie> http://www.w3.org/2011/07/security-ig-charter.html
<fjh> +1 need to distinguish securing the web versus reviewing specs, different yet related goals
masinter: kind of expect the WG that produces the spec not to knowingly introduce security bugs
... just doing adequate review, or focus on what needs to be done to secure the web
virginie: our charter is to give advice and review specifications
... with wseltzer and abarth, identifying other areas
<wseltzer> "Securing the Web" is a reach goal, of course, and never something we can completely achieve -- but surely we should try to improve the risk-balance of web security
virginie: main role is still to do review
... do we have the expertise? related to recruiting participants
<masinter> http://www.w3.org/2011/07/security-ig-charter.html
virginie: if the IG has been quiet, or roadmap is unclear, harder to gather participants
bhill2: for recruiting, there are people out there, but may need to think about structures for Invited Expert status
... my first involvement with w3c was working for a security consulting company
... and had an expiring IE status; hard to convince small company for Membership
<christine> to Virginie - wondering whether you could provide some email text introducing the revamped IG that we could send around to recruit experts?
bhill2: smaller companies that are interested in contributing but not budgeting
<virginie> to christine - i think it is a good idea :)
<masinter> I don't see doing document reviews in the charter at http://www.w3.org/2011/07/security-ig-charter.html
fjh: nothing in the Process that requires privacy/security considerations
... should have such a requirement (ask the Team to raise that)
... in the PING group we've had some experience doing reviews
... it's a lot of work because it requires understanding what the spec does, at least for complicated specs
... like inviting editors of the spec to explain
... Process should call out security/privacy as needed
<christine> Thank you Frederick. Agree re reviews.
fjh: have an expectation that WGs do a first pass themselves
AndyF: still concerned about threat models and the larger picture of web security
<fjh> +1 AndyF bringing us back to IG charter question of web security versus reviews
AndyF: would that be for this group or some new joint effort with IETF?
hhalpin: to bhill, agree IGs shouldn't have that problem of expiration on volunteering IEs
... can push on that rule internally if need be
... at least in the short term can smooth out the IE issue
<masinter> http://www.w3.org/2011/07/security-ig-charter.html
<Zakim> masinter, you wanted to ask if we can walk through charter
masinter: want to look at the charter, think a close reading will be helpful
... can propose new work to W3C, we could write a proposal (about security considerations in the Process, eg)
... nothing here about explicitly reviewing documents, except the focus on HTML5 and related APIs and technologies
... other technologies wouldn't be in scope, or wouldn't be a focus
... others that are related to HTML5 / Web platform would be in scope
<manu> scribe: manu
<scribe> scribenick: manu
masinter: Maybe we shouldn't tie the work to spec production, we need to sync up and have deadlines 'cause a spec is going to CR.
... Or, are we looking at the process of development of the spec / underlying technology.
<npdoty> have to drop for #dnt, nice listening to you all and I hope to be helpful where I can
wseltzer: Quick summary - heard lots of different pieces of interest. Especially in helping w/ the problem and searching for particular areas to engage.
<fjh> I think the IG should selectively review to focus on problems that relate to overall web arch security , e.g. start with Promises and Service Workers, for example?
<fjh> not work reactively but seek areas that may offer rewards
wseltzer: We will share more analysis of that and follow up via email. I'd like to invite people to form task forces around work that they think needs to be done. We don't need to centrally direct the work via this group. If you see something you're interested in working on, send out a call on the mailing list, invite people to join the calls and invite people.
... We don't yet have regular phone calls scheduled, tell us if you want them.
... What does this group need to do to make the Web Security goals that you have successful?
fjh: I put this in the charter already, it may be a bad idea to say we're just going to review stuff.
... I'd rather see us pick topic areas that are important to Web Architecture and select material that relates to that issue.
... That's a suggestion, don't know how workable it is.
<Zakim> virginie, you wanted to suggest we first list topics with leaders, then check if falling in the charter
virginie: Yes, let's see some topics and then we can see if we can fold it into the charter.
... We have some specific requests, "please review X"
... We have requests to draw a picture of the different security areas.
... We should catalog different security areas.
... There is a need to select some topics that are important to Web Architecture, I think that was the goal of the IG new work.
<virginie> http://www.w3.org/Security/wiki/IG/new_work
virginie: This is the expression of what the W3C members expressed they would like W3C to work on. We need people ready to work.
<fjh> will add offline security to new work wiki
virginie: I can commit some time for any of those tasks. What can be interesting is that ... can someone say they can allocate some time to this IG.
<virginie> +1
<wseltzer> +1
<masinter> +1
manu: I can commit maybe 1-2 hours every few weeks.
<hhalpin> +1
<fjh> +1
<bhill2> +1
<kodonog> +1 w/ christine
<masinter> Benchmark IETF secdir
virginie: We have some people that are ready to do some work. Maybe we have a call in 1 month. In meantime, Wendy and myself will fill out the wiki that reflects the discussion that we just had.
<kodonog> can we have a discussion on the mailing list about the timing of the call
<kodonog> I have a standing call at this time (monthly)
virginie: In the meantime, fill the wiki with anything you're willing to work on.
<masinter> what is IETF secdir expert-hour-per-document ratio?
virginie: I'll communicate the follow-up over the mailing list.
masinter: If we are going to review documents, how long does it take, can we get commitment?
... That's an issue.
<christine> Thanks all
<fjh> thanks
virginie: Thanks for attendance, please spread the word about the existence of this group. We'll speak again in 1 month.
<wseltzer> Thanks!
<virginie> thanks to the scribes !