16:50:27 <RRSAgent> RRSAgent has joined #websec
16:50:27 <RRSAgent> logging to http://www.w3.org/2014/01/21-websec-irc
16:51:15 <Zakim> Zakim has joined #websec
16:51:32 <virginie> Zakim, what conference do you see ?
16:51:32 <Zakim> I don't understand your question, virginie.
16:51:44 <dom> dom has joined #websec
16:53:10 <dom> Zakim, this will be WSIG
16:53:10 <Zakim> I do not see a conference matching that name scheduled within the next hour, dom
16:53:34 <dom> Zakim, list conferences
16:53:34 <Zakim> I see XML_ET-TF()11:00AM, WAI_WCAG()11:00AM, Team_(eme)16:00Z, HTML_WG()11:00AM active
16:53:36 <Zakim> also scheduled at this time are VB_VBWG()10:00AM, RWC_WebEven()11:00AM, T&S_DNTC()12:00PM, RWC_PEWG()11:00AM, SW_HCLS()11:00AM, SEC_(PUSHAPIPAG)11:00AM
16:53:38 <wseltzer> zakim, this is WSIG
16:53:40 <Zakim> sorry, wseltzer, I do not see a conference named 'WSIG' in progress or scheduled at this time
16:53:49 <wseltzer> zakim, call for 15 at 1200?
16:53:49 <Zakim> I don't understand your question, wseltzer.
16:53:54 <wseltzer> zakim, space for 15 at 1200?
16:53:56 <Zakim> ok, wseltzer; conference Team_(websec)17:00Z scheduled with code 26634 (CONF4) at 12:00 for 60 minutes until 1800Z
16:54:09 <wseltzer> zakim, make this code WSIG
16:54:09 <Zakim> I don't understand 'make this code WSIG', wseltzer
16:54:30 <wseltzer> zakim, code?
16:54:30 <Zakim> the conference code is 26634 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), wseltzer
16:54:49 <wseltzer> virginie, I guess today's code will be 26634
16:55:00 <npdoty> npdoty has joined #websec
16:55:02 <virginie> ok, i'll send it on the mailing list
16:57:06 <kodonog> kodonog has joined #websec
16:57:24 <sftcd> sftcd has joined #websec
16:58:19 <Zakim> Team_(websec)17:00Z has now started
16:58:26 <Zakim> + +1.512.257.aaaa
16:58:36 <Zakim> +karen_oDonoghue
16:58:57 <fan> fan has joined #websec
16:59:09 <virginie> hi all, the conf call code is 26634#
17:00:10 <Zakim> + +3531896aabb
17:00:18 <Zakim> +Masinter
17:00:26 <Zakim> + +861381144aacc
17:00:37 <npdoty> Zakim, code?
17:00:37 <Zakim> the conference code is 26634 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), npdoty
17:01:01 <wseltzer> zakim, call wendy-mobile
17:01:01 <Zakim> ok, wseltzer; the call is being made
17:01:03 <Zakim> +Wendy
17:01:07 <dom> Zakim, call dom-home
17:01:07 <Zakim> ok, dom; the call is being made
17:01:09 <Zakim> +Dom
17:01:25 <dom> Zakim, mute me
17:01:25 <Zakim> Dom should now be muted
17:01:25 <virginie> zakim, who is on the phone ?
17:01:26 <Zakim> On the phone I see +1.512.257.aaaa, karen_oDonoghue, +3531896aabb, Masinter, +861381144aacc, Wendy, Dom (muted)
17:01:39 <wseltzer> zakim, aabb is sftcd
17:01:39 <Zakim> +sftcd; got it
17:01:47 <wseltzer> zakim, aaaa is virginie
17:01:47 <Zakim> +virginie; got it
17:01:51 <sftcd> thanks wendy
17:02:22 <virginie> agenda+ welcome
17:02:35 <virginie> agenda+ ietf liaison
17:02:42 <AndyF> AndyF has joined #websec
17:03:00 <virginie> agenda+ W3C TAG security discussions
17:03:33 <virginie> agenda+ IG priorities and task force leaders
17:03:51 <virginie> agenda+ AOB
17:04:11 <_JeffH> _JeffH has joined #websec
17:04:56 <virginie> zakim, who is on the phone ?
17:04:56 <Zakim> On the phone I see virginie, karen_oDonoghue, sftcd, Masinter, +861381144aacc, Wendy, Dom (muted)
17:04:58 <_JeffH> what is the code for the bridge?  i tried 9744# and am told it is invalid?
17:05:17 <wseltzer> _JeffH, 26634
17:05:20 <fan> aacc is fan
17:05:25 <wseltzer> zakim, aacc is fan
17:05:25 <Zakim> +fan; got it
17:05:30 <virginie> sorry for that the code is  26634#
17:05:32 <Zakim> +[IPcaller]
17:05:42 <_JeffH> ok, that worked thx
17:05:48 <_JeffH> ok, need to update wiki ?
17:05:50 <wseltzer> zakim, +[IPC is JeffH
17:05:50 <Zakim> sorry, wseltzer, I do not recognize a party named '+[IPC'
17:05:54 <wseltzer> zakim, +IPC is JeffH
17:05:54 <Zakim> sorry, wseltzer, I do not recognize a party named '+IPC'
17:06:04 <wseltzer> zakim, IPcaller is JeffH
17:06:04 <Zakim> +JeffH; got it
17:06:05 <_JeffH> I'm covering for BHill who had a conflict
17:06:25 <Zakim> -JeffH
17:06:29 <_JeffH> oops
17:06:38 <virginie> done
17:07:35 <Zakim> +[IPcaller]
17:07:41 <kodonog> I will today...
17:07:43 <wseltzer> zakim, IPcaller is JeffH
17:07:43 <Zakim> +JeffH; got it
17:07:56 <Zakim> + +1.425.214.aadd
17:07:57 <virginie> zakim, who is on the phone ?
17:07:58 <Zakim> On the phone I see virginie, karen_oDonoghue, sftcd, Masinter, fan, Wendy, Dom (muted), JeffH, +1.425.214.aadd
17:08:50 <kodonog> scribenick kodonog
17:09:09 <Zakim> +terri
17:09:19 <dom> s/scribenick kodonog/scribenick: kodonog/
17:09:24 <kodonog> Introductions
17:09:46 <_JeffH> i don't see masinter in the irc ?
17:10:00 <dom> Zakim, unmute me
17:10:00 <Zakim> Dom should no longer be muted
17:10:05 <_JeffH> oh it's "larry"
17:10:29 <dom> Zakim, mute me
17:10:29 <Zakim> Dom should now be muted
17:10:36 <kodonog> Virginie, Karen O'Donoghue, Stephen Farrell, Larry Masinter, Dom, Wendy Seltzer, Jeff Hodges
17:11:20 <terri> terri has joined #websec
17:11:26 <virginie> agenda?
17:11:50 <kodonog> Terri (Intel), Nick Doty
17:11:57 <_JeffH> someone is scribing ?
17:12:50 <wseltzer> zakim, who is here?
17:12:50 <Zakim> On the phone I see virginie, karen_oDonoghue, sftcd, Masinter, fan, Wendy, Dom (muted), JeffH, +1.425.214.aadd, terri
17:12:52 <kodonog> Hannes Tschonfeig
17:12:53 <Zakim> On IRC I see terri, _JeffH, AndyF, fan, sftcd, kodonog, npdoty, dom, Zakim, RRSAgent, virginie, Larry, wseltzer
17:12:55 <wseltzer> zakim, aadd is Hannes
17:12:55 <Zakim> +Hannes; got it
17:13:07 <kodonog> Virginie address the plan for the meeting.
17:13:35 <_JeffH> which is coord between IETF, esp security, with overlapping areas in W3C
17:13:52 <kodonog> First agenda item, Stephen Farrell, IETF work and STRINT workshop
17:14:16 <kodonog> want an active liaison and conserve resources
17:14:45 <kodonog> W3C is interested in IETF security review process as we are considering doing the same
17:15:01 <_JeffH> where "we" == ietf   ?
17:15:13 <kodonog> Stephen Farrell: folks on call already know a lot about the IETF
17:15:17 <wseltzer> we= W3C
17:15:25 <_JeffH> k
17:15:53 <kodonog> … main working groups relevant to the W3C, httpbis, httpauth,
17:16:33 <kodonog> . . . oauth
17:16:54 <kodonog> … in ops area also the wpkops wg
17:17:59 <Larry> UTA Using TLS in Applications
17:18:03 <kodonog> ,,, in the applications area relevant was include websec and uta (using tls in applications)
17:18:16 <Larry> websec?
17:18:27 <_JeffH> yes, websec in apps area is impt
17:18:49 <kodonog> STRINT workshop 28 Feb / 1 Mar before IETF 89 in London
17:19:00 <_JeffH> got 62 submissions (closed today)
17:19:20 <kodonog> idea is to continue the discussion started in Vancouver to address pervasive monitoring
17:19:32 <_JeffH> https://www.w3.org/2014/strint/
17:20:11 <kodonog> WGLC on IETF document definiting pervasive monitoring as an attack
17:20:25 <_JeffH> strint is aimed to figure out actual mitigations to pervasive monitoring
17:20:27 <kodonog> workshop CFP deadline has passed
17:21:05 <kodonog> regarding IETF security review, there are various directorates in the IETF including the Security Directorate
17:21:35 <kodonog> every document that is coming up for approval in the IESG gets some security review in the Security Directorate
17:21:39 <_JeffH> directorates are a means for collecting a review board, and parselling out specs for review
17:21:51 <_JeffH> have about 40 folks in Sec Dir
17:21:51 <kodonog> reviews allocated in a round robin basis, 80% hit rate
17:22:07 <kodonog> each reviewer tends to get one review every few months
17:22:07 <_JeffH> each reviewer gets a doc to review about every couple months
17:22:33 <kodonog> Security Area Director uses review during the IESG processing of the document
17:23:09 <kodonog> useful as an educational tool for people working in the IETF - get exposure to lots of other work in the IETF
17:23:43 <kodonog> facilitated by a tool with someone to help manage the tool, inputs reviews, allocates reviews, inputs results
17:24:12 <kodonog> Virginie: description indicates you have quite an infrastructure to support security reviews
17:25:02 <Larry> q+
17:25:05 <kodonog> Stephen: have regular liaison calls with Wendy and Mark Nottingham, issues could be raised to that forum, or send direct mail
17:25:15 <kodonog> Stephen: happy to help as we can
17:25:54 <kodonog> Larry: concerned about things that have fallen out of websec and not appeared in W3C (missed specific examples)
17:26:43 <kodonog> Stephen: mime sniffing was really an apps thing so you would be better off talking to them. Believe there wasn't a clear consensus and volunteers to support the work.
17:27:04 <kodonog> origin is an RFC
17:27:37 <kodonog> Virginie: W3C and IETF are currently well coordinated,
17:28:13 <_JeffH> https://tools.ietf.org/search/rfc6454  The Web Origin Concept
17:28:13 <kodonog> need to monitor output of the STRINT workshop to see if there is some W3C websec work to pursue
17:28:46 <kodonog> ? agenda
17:28:58 <Larry> what i remember reading was  that the Origin RFC is wrong and they are just abandoning it
17:29:04 <kodonog> (scribe has forgotten how to switch agenda items…)
17:29:10 <wseltzer> zakim, next agenda
17:29:10 <Zakim> agendum 1. "welcome" taken up [from virginie]
17:29:15 <wseltzer> zakim, drop agendum 1
17:29:15 <Zakim> agendum 1, welcome, dropped
17:29:17 <_JeffH> larry:  really?  that on whatwg list?
17:29:18 <wseltzer> zakim, next agenda
17:29:18 <Zakim> agendum 2. "ietf liaison" taken up [from virginie]
17:29:20 <sftcd> @larry - don't whatwg think *everything* is wrong?
17:29:26 <wseltzer> zakim, take up agendum 3
17:29:26 <Zakim> agendum 3. "W3C TAG security discussions" taken up [from virginie]
17:29:46 <Larry> i'll have to find this
17:30:01 <kodonog> W3C TAG security discussions - need to make some effort to build a community of experts
17:30:13 <sftcd> I did hear something about whatwg and SOP messing a few months ago
17:30:14 <kodonog> there are some security topics of interest but possibly not enough contributors
17:30:34 <kodonog> two things from the TAG discussions:
17:30:59 <kodonog> TAG members were not that excited by systematic reviews of W3C recommendations
17:31:13 <kodonog> possibly the implementation reports are sufficient to address this.
17:31:25 <kodonog> need to consider if we really need these reviews
17:31:51 <virginie> https://github.com/w3ctag/secure-the-web
17:32:26 <kodonog> There is now a TAG effort to secure the web.
17:32:35 <kodonog> This may overlap with activity in the interest group
17:33:04 <kodonog> TAG concerned that there are a lack of security contributors in the W3C
17:33:12 <kodonog> need to recruit additional participants
17:33:40 <kodonog> Virginie will share her slides to the TAG on the wiki
17:34:01 <sftcd> just to note that PFS for TLS under HTTP is on the charter for the new UTA wg in the IETF
17:34:08 <kodonog> zakim, next agenda
17:34:08 <Zakim> I see a speaker queue remaining and respectfully decline to close this agendum, kodonog
17:34:19 <wseltzer> q?
17:34:28 <Larry> ack
17:34:30 <wseltzer> q- Larry
17:34:32 <Larry> ack
17:34:34 <Larry> q-
17:34:38 <kodonog> zakim, next agenda
17:34:38 <Zakim> agendum 2. "ietf liaison" taken up [from virginie]
17:34:39 <wseltzer> zakim, next agendum
17:34:39 <Zakim> agendum 2 was just opened, wseltzer
17:34:45 <wseltzer> zakim, take up agendum 4
17:34:45 <Zakim> agendum 4. "IG priorities and task force leaders" taken up [from virginie]
17:34:49 <wseltzer> zakim, drop agendum 2
17:34:49 <Zakim> agendum 2, ietf liaison, dropped
17:34:49 <sftcd> @larry: the general question of HTML5 not referencing RFCs is a good liaison topic for w3c/ieft calls , pete resnick is the right AD for that I think
17:34:59 <virginie> http://www.w3.org/Security/wiki/IG
17:35:11 <kodonog> review the wiki to discuss W3C work
17:35:55 <virginie> http://www.w3.org/Security/wiki/IG/W3C_spec_review
17:36:09 <Zakim> + +1.703.948.aaee
17:36:25 <virginie> http://www.w3.org/Security/wiki/IG/web_security_model
17:36:28 <kodonog> virginie has updated the page related to spec review
17:37:26 <virginie> http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis
17:38:10 <virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
17:39:15 <kodonog> virginie is stepping through the current material on the wiki to help develop a work plan for the interest group
17:39:31 <virginie> http://www.w3.org/Security/wiki/IG/press_news
17:40:06 <kodonog> looking for people for the IG to contribute to the various topics
17:40:21 <dom> q+
17:40:23 <AndyF> ++
17:40:28 <dom> Zakim, unmute me
17:40:28 <Zakim> Dom should no longer be muted
17:40:44 <Larry> q+  to ask about 'cloud security' standards and if there's some liaison possibilities
17:40:46 <wseltzer> zakim, aaee may be AndyF
17:40:46 <Zakim> +AndyF?; got it
17:40:56 <_JeffH> sorry, I am overbooked and can't commit to anything new at this time, tho we can see, over the next several months, if we can have someone contribute (no promises tho)
17:41:07 <kodonog> Dom: for the mobile topic, would like to collaborate with security experts
17:41:12 <virginie> q?
17:41:16 <dom> ack me
17:41:59 <virginie> http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis
17:42:59 <kodonog> no one on the call from Nokia, perhaps we could contact them
17:43:12 <dom> Zakim, mute me
17:43:12 <Zakim> Dom should now be muted
17:44:07 <Larry> ack me
17:44:07 <Zakim> Larry, you wanted to ask about 'cloud security' standards and if there's some liaison possibilities
17:44:08 <kodonog> Larry: see a lot of activity related to cloud
17:44:09 <Larry> i'm done
17:44:34 <kodonog> there are possible liaisons to facilitate this work
17:44:45 <Larry> I'm trying to sort it out, so i'd rather not display my ignorance
17:44:46 <kodonog> Virginie: are you talking about the Cloud Security Alliance
17:44:59 <kodonog> they have issued some guidance that is quite vague
17:45:25 <Larry> operational procedures, etc.
17:45:46 <kodonog> bring back additional references or recommendations for cloud security work
17:45:59 <Larry> I can help with that
17:46:01 <kodonog> asks Larry to provide any additional references for analysis
17:46:10 <virginie> q?
17:47:50 <kodonog> beginning to announce the existence of the IG and the ability to do security reviews
17:48:06 <kodonog> need to recruit members in order to execute on these reviews
17:48:47 <Larry> all of the 'ongoing issues' in http://www.w3.org/Security/wiki/Main_Page#Ongoing_issues ...
17:48:51 <Larry> q+
17:49:27 <kodonog> Larry: Ongoing issues , documents are 2009 and 2010, nothing that has been published recently
17:50:00 <wseltzer> [that's an old wiki  -- we're working from http://www.w3.org/Security/wiki/IG ]
17:50:05 <Zakim> -Dom
17:50:20 <wseltzer> [thanks Larry, we'll work to clean up that "Main Page"]
17:50:46 <virginie> http://www.w3.org/Security/wiki/IG/web_security_model
17:51:04 <Larry> what about guidelines for W3C working groups about how to do security analysis of their specs?
17:51:05 <kodonog> Virginie: this is an older wiki and we are working to update the material on the new wiki
17:51:08 <sftcd> gotta drop off the call - thanks for listening and if we can help just shoot a mail to me stephen.farrell@cs.tcd.ie
17:51:18 <Zakim> -sftcd
17:51:37 <kodonog> next steps: each person think about a potential activity that they could lead
17:51:52 <virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
17:51:58 <kodonog> understanding the web security model is important
17:52:35 <terri> +1 to monthly calls
17:53:03 <kodonog> proposing a monthly call for the websec IG
17:53:29 <wseltzer> q?
17:53:29 <kodonog> no consensus for a monthly call
17:53:35 <wseltzer> ack Larry
17:53:47 <kodonog> continue discussions over the mailing list and if interest increases schedule a clal
17:54:16 <_JeffH> ok thx bye now
17:54:20 <Zakim> -Masinter
17:54:24 <Larry> tx
17:54:27 <Zakim> -JeffH
17:54:38 <Zakim> -Wendy
17:54:39 <Zakim> -AndyF?
17:54:39 <Zakim> -Hannes
17:54:41 <Zakim> -virginie
17:54:41 <Zakim> -fan
17:54:50 <Zakim> -terri
17:57:48 <virginie> rrsagent,  create minutes
17:57:48 <RRSAgent> I have made the request to generate http://www.w3.org/2014/01/21-websec-minutes.html virginie
18:05:01 <Zakim> disconnecting the lone participant, karen_oDonoghue, in Team_(websec)17:00Z
18:05:03 <Zakim> Team_(websec)17:00Z has ended
18:05:03 <Zakim> Attendees were +1.512.257.aaaa, karen_oDonoghue, +3531896aabb, Masinter, +861381144aacc, Wendy, Dom, sftcd, virginie, fan, JeffH, +1.425.214.aadd, terri, Hannes, +1.703.948.aaee,
18:05:03 <Zakim> ... AndyF?
18:55:10 <terri> terri has joined #websec
19:26:35 <wseltzer> rrsagent, set logs public
19:26:41 <wseltzer> rrsagent, make minutes
19:26:41 <RRSAgent> I have made the request to generate http://www.w3.org/2014/01/21-websec-minutes.html wseltzer
19:26:55 <wseltzer> chair: Virginie
19:27:20 <wseltzer> Meeting: Web Security Interest Group
19:27:22 <wseltzer> rrsagent, make minutes
19:27:22 <RRSAgent> I have made the request to generate http://www.w3.org/2014/01/21-websec-minutes.html wseltzer
21:53:15 <terri> terri has joined #websec
22:26:35 <npdoty> npdoty has joined #websec
22:58:34 <npdoty> npdoty has joined #websec