W3C

- DRAFT -

Web Security Interest Group

21 Jan 2014

See also: IRC log

Attendees

Present
+1.512.257.aaaa, karen_oDonoghue, +3531896aabb, Masinter, +861381144aacc, Wendy, Dom, sftcd, virginie, fan, JeffH, +1.425.214.aadd, terri, Hannes, +1.703.948.aaee, AndyF?
Regrets
Chair
Virginie
Scribe
kodonog

Contents

<wseltzer> virginie, I guess today's code will be 26634

<virginie> ok, i'll send it on the mailing list

<virginie> hi all, the conf call code is 26634#

<sftcd> thanks wendy

<_JeffH> what is the code for the bridge? i tried 9744# and am told it is invalid?

<wseltzer> _JeffH, 26634

<fan> aacc is fan

<virginie> sorry for that the code is 26634#

<_JeffH> ok, that worked thx

<_JeffH> ok, need to update wiki ?

<_JeffH> I'm covering for BHill who had a conflict

<_JeffH> oops

<virginie> done

I will today...

<scribe> scribenick: kodonog

Introductions

<_JeffH> i don't see masinter in the irc ?

<_JeffH> oh it's "larry"

Virginie, Karen O'Donoghue, Stephen Farrell, Larry Masinter, Dom, Wendy Seltzer, Jeff Hodges

Terri (Intel), Nick Doty

<_JeffH> someone is scribing ?

Hannes Tschonfeig

Virginie address the plan for the meeting.

<_JeffH> which is coord between IETF, esp security, with overlapping areas in W3C

First agenda item, Stephen Farrell, IETF work and STRINT workshop

want an active liaison and conserve resources

W3C is interested in IETF security review process as we are considering doing the same

<_JeffH> where "we" == ietf ?

Stephen Farrell: folks on call already know a lot about the IETF

<wseltzer> we= W3C

<_JeffH> k

… main working groups relevant to the W3C, httpbis, httpauth,


. . . oauth

… in ops area also the wpkops wg

<Larry> UTA Using TLS in Applications

,,, in the applications area relevant was include websec and uta (using tls in applications)

<Larry> websec?

<_JeffH> yes, websec in apps area is impt

STRINT workshop 28 Feb / 1 Mar before IETF 89 in London

<_JeffH> got 62 submissions (closed today)

idea is to continue the discussion started in Vancouver to address pervasive monitoring

<_JeffH> https://www.w3.org/2014/strint/

WGLC on IETF document definiting pervasive monitoring as an attack

<_JeffH> strint is aimed to figure out actual mitigations to pervasive monitoring

workshop CFP deadline has passed

regarding IETF security review, there are various directorates in the IETF including the Security Directorate

every document that is coming up for approval in the IESG gets some security review in the Security Directorate

<_JeffH> directorates are a means for collecting a review board, and parselling out specs for review

<_JeffH> have about 40 folks in Sec Dir

reviews allocated in a round robin basis, 80% hit rate

each reviewer tends to get one review every few months

<_JeffH> each reviewer gets a doc to review about every couple months

Security Area Director uses review during the IESG processing of the document

useful as an educational tool for people working in the IETF - get exposure to lots of other work in the IETF

facilitated by a tool with someone to help manage the tool, inputs reviews, allocates reviews, inputs results

Virginie: description indicates you have quite an infrastructure to support security reviews

Stephen: have regular liaison calls with Wendy and Mark Nottingham, issues could be raised to that forum, or send direct mail
... happy to help as we can

Larry: concerned about things that have fallen out of websec and not appeared in W3C (missed specific examples)

Stephen: mime sniffing was really an apps thing so you would be better off talking to them. Believe there wasn't a clear consensus and volunteers to support the work.

origin is an RFC

Virginie: W3C and IETF are currently well coordinated,

<_JeffH> https://tools.ietf.org/search/rfc6454 The Web Origin Concept

need to monitor output of the STRINT workshop to see if there is some W3C websec work to pursue

? agenda

<Larry> what i remember reading was that the Origin RFC is wrong and they are just abandoning it

(scribe has forgotten how to switch agenda items…)

welcome

<_JeffH> larry: really? that on whatwg list?

ietf liaison

<sftcd> @larry - don't whatwg think *everything* is wrong?

W3C TAG security discussions

<Larry> i'll have to find this

W3C TAG security discussions - need to make some effort to build a community of experts

<sftcd> I did hear something about whatwg and SOP messing a few months ago

there are some security topics of interest but possibly not enough contributors

two things from the TAG discussions:

TAG members were not that excited by systematic reviews of W3C recommendations

possibly the implementation reports are sufficient to address this.

need to consider if we really need these reviews

<virginie> https://github.com/w3ctag/secure-the-web

There is now a TAG effort to secure the web.

This may overlap with activity in the interest group

TAG concerned that there are a lack of security contributors in the W3C

need to recruit additional participants

Virginie will share her slides to the TAG on the wiki

<sftcd> just to note that PFS for TLS under HTTP is on the charter for the new UTA wg in the IETF

<Larry> ack

<Larry> ack

ietf liaison

IG priorities and task force leaders

<sftcd> @larry: the general question of HTML5 not referencing RFCs is a good liaison topic for w3c/ieft calls , pete resnick is the right AD for that I think

<virginie> http://www.w3.org/Security/wiki/IG

review the wiki to discuss W3C work

<virginie> http://www.w3.org/Security/wiki/IG/W3C_spec_review

<virginie> http://www.w3.org/Security/wiki/IG/web_security_model

virginie has updated the page related to spec review

<virginie> http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis

<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap

virginie is stepping through the current material on the wiki to help develop a work plan for the interest group

<virginie> http://www.w3.org/Security/wiki/IG/press_news

looking for people for the IG to contribute to the various topics

<AndyF> ++

<_JeffH> sorry, I am overbooked and can't commit to anything new at this time, tho we can see, over the next several months, if we can have someone contribute (no promises tho)

Dom: for the mobile topic, would like to collaborate with security experts

<virginie> http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis

no one on the call from Nokia, perhaps we could contact them

<Zakim> Larry, you wanted to ask about 'cloud security' standards and if there's some liaison possibilities

Larry: see a lot of activity related to cloud

<Larry> i'm done

there are possible liaisons to facilitate this work

<Larry> I'm trying to sort it out, so i'd rather not display my ignorance

Virginie: are you talking about the Cloud Security Alliance

they have issued some guidance that is quite vague

<Larry> operational procedures, etc.

bring back additional references or recommendations for cloud security work

<Larry> I can help with that

asks Larry to provide any additional references for analysis

beginning to announce the existence of the IG and the ability to do security reviews

need to recruit members in order to execute on these reviews

<Larry> all of the 'ongoing issues' in http://www.w3.org/Security/wiki/Main_Page#Ongoing_issues ...

Larry: Ongoing issues , documents are 2009 and 2010, nothing that has been published recently

<wseltzer> [that's an old wiki -- we're working from http://www.w3.org/Security/wiki/IG ]

<wseltzer> [thanks Larry, we'll work to clean up that "Main Page"]

<virginie> http://www.w3.org/Security/wiki/IG/web_security_model

<Larry> what about guidelines for W3C working groups about how to do security analysis of their specs?

Virginie: this is an older wiki and we are working to update the material on the new wiki

<sftcd> gotta drop off the call - thanks for listening and if we can help just shoot a mail to me stephen.farrell@cs.tcd.ie

next steps: each person think about a potential activity that they could lead

<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap

understanding the web security model is important

<terri> +1 to monthly calls

proposing a monthly call for the websec IG

no consensus for a monthly call

continue discussions over the mailing list and if interest increases schedule a clal

<_JeffH> ok thx bye now

<Larry> tx

Summary of Action Items

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014/01/21 19:27:57 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/scribenick kodonog/scribenick: kodonog/
Found ScribeNick: kodonog
Inferring Scribes: kodonog
Default Present: +1.512.257.aaaa, karen_oDonoghue, +3531896aabb, Masinter, +861381144aacc, Wendy, Dom, sftcd, virginie, fan, JeffH, +1.425.214.aadd, terri, Hannes, +1.703.948.aaee, AndyF?
Present: +1.512.257.aaaa karen_oDonoghue +3531896aabb Masinter +861381144aacc Wendy Dom sftcd virginie fan JeffH +1.425.214.aadd terri Hannes +1.703.948.aaee AndyF?
Got date from IRC log name: 21 Jan 2014
Guessing minutes URL: http://www.w3.org/2014/01/21-websec-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.
[End of scribe.perl diagnostic output]