IRC log of webappsec on 2014-03-12

Timestamps are in UTC.

14:32:09 [RRSAgent]
RRSAgent has joined #webappsec
14:32:09 [RRSAgent]
logging to
14:32:11 [trackbot]
RRSAgent, make logs world
14:32:11 [Zakim]
Zakim has joined #webappsec
14:32:13 [trackbot]
Zakim, this will be WASWG
14:32:13 [Zakim]
ok, trackbot; I see SEC_WASWG()11:00AM scheduled to start in 28 minutes
14:32:14 [trackbot]
Meeting: Web Application Security Working Group Teleconference
14:32:14 [trackbot]
Date: 12 March 2014
14:32:34 [freddyb]
oh right. timezones....
14:32:57 [wseltzer]
wseltzer has changed the topic to: Agenda 12 March:
14:33:21 [wseltzer]
-> Agenda
14:45:01 [glenn]
glenn has joined #webappsec
14:57:31 [gmaone]
gmaone has joined #webappsec
14:58:04 [neilm]
neilm has joined #webappsec
14:59:40 [Zakim]
SEC_WASWG()11:00AM has now started
14:59:42 [bhill2]
bhill2 has joined #webappsec
14:59:55 [bhill2]
bhill2 has changed the topic to:
15:00:29 [jww]
jww has joined #webappsec
15:00:30 [gmaone]
Zakim, ??P5 is gmaone
15:00:30 [Zakim]
+gmaone; got it
15:00:43 [neilm]
Zakim, IPcaller is neilm
15:00:43 [Zakim]
+neilm; got it
15:00:47 [bhill2]
zakim, this is 92794
15:00:47 [Zakim]
bhill2, this was already SEC_WASWG()11:00AM
15:00:48 [Zakim]
ok, bhill2; that matches SEC_WASWG()11:00AM
15:01:07 [Zakim]
+ +1.510.761.aaaa
15:01:13 [bhill2]
Meeting: WebAppSec Teleconference 12-Mar-2014
15:01:19 [bhill2]
Chairs: bhill2, ekr
15:01:43 [freddyb]
Zakim: ??P15 is freddyb
15:02:36 [jww]
jww is the 510 #
15:02:56 [gmaone]
Zakim, ??P15 is freddyb
15:02:56 [Zakim]
+freddyb; got it
15:03:04 [bhill2]
zakim, [GVoice] has grobinson
15:03:04 [Zakim]
+grobinson; got it
15:03:19 [freddyb]
thanks gmaone :)
15:03:35 [grobinson]
grobinson has joined #webappsec
15:03:52 [grobinson]
Are these "scribe instructions" up to date?
15:04:13 [bhill2]
yes, pretty much
15:04:30 [bhill2]
I usually handle the start/end bits
15:04:36 [bhill2]
we just need transcription during the call
15:04:49 [bhill2]
zakim, who is making noise
15:04:49 [Zakim]
I don't understand 'who is making noise', bhill2
15:04:55 [Zakim]
+ +1.720.897.aabb
15:04:56 [bhill2]
zakim, who is making noise?
15:05:03 [terri]
terri has joined #webappsec
15:05:07 [Zakim]
bhill2, listening for 10 seconds I heard sound from the following: neilm (18%), [GVoice] (94%), +1.720.897.aabb (4%)
15:05:11 [glenn]
zakim, aabb is me
15:05:11 [Zakim]
+glenn; got it
15:05:16 [ekr]
ekr has joined #webappsec
15:06:01 [bhill2]
zakim, who is here?
15:06:01 [Zakim]
On the phone I see mkwst, neilm, gmaone, BHill, +1.510.761.aaaa, freddyb, [GVoice], glenn, ekr, terri
15:06:03 [Zakim]
[GVoice] has grobinson
15:06:03 [Zakim]
On IRC I see ekr, terri, grobinson, jww, bhill2, neilm, gmaone, glenn, Zakim, RRSAgent, freddyb, mkwst, timeless, tobie__, wseltzer, trackbot
15:06:45 [bhill2]
TOPIC: Minutes Approval
15:07:01 [jww]
zaim, +1.510.761.aaaa is jww
15:07:09 [jww]
zakim, +1.510.761.aaaa is jww
15:07:10 [Zakim]
+jww; got it
15:07:30 [bhill2]
RESOLVED: Minutes approved
15:07:39 [bhill2]
TOPIC: Agenda Bashing
15:08:11 [bhill2]
TOPIC: [integrity] What should we hash?
15:09:25 [Zakim]
+ +1.831.246.aacc
15:10:43 [grobinson]
freddyb: hoping this is well-defined elsewhere; Mark Nottingham or Boris Zbarsky might have a solution
15:11:09 [grobinson]
abarth: need a good way to specify the body of the entity (wording)
15:11:25 [mkwst]
grobinson: that's me, not abarth. :)
15:11:35 [mkwst]
no worries!
15:11:48 [grobinson]
mkwst: let's let this play out on the list
15:11:51 [bhill2]
zakim, aacc is dveditz
15:11:51 [Zakim]
+dveditz; got it
15:12:02 [bhill2]
TOPIC: Call for Consensus: Subresource Integrity to FPWD.
15:13:12 [grobinson]
mkwst: objections to FPWD?
15:13:52 [bhill2]
ACTION: bhill2 to open SRI issues in tracker from spec text
15:13:52 [trackbot]
Created ACTION-165 - Open sri issues in tracker from spec text [on Brad Hill - due 2014-03-19].
15:14:44 [grobinson]
dveditz: general concern, this could be used for tracking
15:15:00 [grobinson]
dveditz: may want to note it so it's there when someone else brings it up
15:15:13 [grobinson]
mkwst: we should add "privacy considerations"
15:15:25 [bhill2]
ACTION: mkwst to add an explicit "Privacy Considerations" section to SRI
15:15:25 [trackbot]
Error finding 'mkwst'. You can review and register nicknames at <>.
15:15:38 [mkwst]
mwest2, i think
15:15:53 [gopal]
gopal has joined #webappsec
15:15:53 [bhill2]
ACTION mwest2 to add an explicit "Privacy Considerations" section to SRI
15:15:53 [trackbot]
Created ACTION-166 - to add an explicit "privacy considerations" section to sri [on Mike West - due 2014-03-19].
15:17:43 [grobinson]
bhill2: motion to approve?
15:17:48 [bhill2]
dveditz moves to approve, ekr seconds
15:18:09 [grobinson]
no objections; resolve to publish FPWD
15:18:17 [bhill2]
RESOLVED: WG to publish Subresource Integrity as FPWD
15:18:24 [bhill2]
TOPIC: Meta tag verification
15:19:35 [Zakim]
+ +1.781.262.aadd
15:20:06 [grobinson]
Thread digressed into question: can adding CSP policies weaken, or only strengthen?
15:21:57 [grobinson]
jww: clarify proposed meta-hash directive is optional
15:23:24 [grobinson]
bhill2: heuristic is to see if 2 people speak up in support of a proposal
15:24:38 [grobinson]
dveditz: not totally in favor, but interested. currently wants policy where meta policy is ignored if there is a header policy
15:24:52 [gopal]
gopal has joined #webappsec
15:24:54 [grobinson]
dveditz: proposes similar idea using a nonce from the header
15:25:26 [grobinson]
dveditz: prefer to see this discussed in 1.2
15:25:34 [grobinson]
jww: concurs
15:25:44 [bhill2]
TOPIC: Removal of the note about extensions
15:26:28 [grobinson]
bhill2: asks mkwst if the spec is updated to match agreement from last call
15:26:34 [grobinson]
mkwst: it is
15:27:16 [bhill2]
TOPIC: Remove paths from CSP?
15:27:21 [mkwst]
Language in the spec is "Note that user agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.", FYI.
15:27:30 [grobinson]
no objections to current language re: extensions
15:27:43 [grobinson]
bhill2: we can keep discussing this in last call if necessary
15:27:56 [freddyb]
(I have to leave early today)
15:29:51 [grobinson]
mkwst: sums up current state. says he is behind on drafting language for the spec
15:30:51 [Zakim]
- +1.781.262.aadd
15:31:07 [bhill2]
zakim, list attendees
15:31:07 [Zakim]
As of this point the attendees have been mkwst, gmaone, neilm, BHill, freddyb, grobinson, +1.720.897.aabb, ekr, glenn, terri, jww, +1.831.246.aacc, dveditz, +1.781.262.aadd
15:31:14 [bhill2]
rrsagent, make minutes
15:31:14 [RRSAgent]
I have made the request to generate bhill2
15:31:22 [bhill2]
rrsagent, set logs public-visible
15:40:35 [bhill2]
bhill2 has left #webappsec
16:05:01 [Zakim]
disconnecting the lone participant, freddyb, in SEC_WASWG()11:00AM
16:05:03 [Zakim]
SEC_WASWG()11:00AM has ended
16:05:03 [Zakim]
Attendees were mkwst, gmaone, neilm, BHill, freddyb, grobinson, +1.720.897.aabb, ekr, glenn, terri, jww, +1.831.246.aacc, dveditz, +1.781.262.aadd
17:32:37 [ekr]
ekr has joined #webappsec
17:44:27 [Zakim]
Zakim has left #webappsec
18:27:12 [terri]
terri has joined #webappsec
18:42:46 [anssik]
anssik has joined #webappsec
18:47:04 [ekr]
ekr has joined #webappsec
19:03:47 [ekr]
ekr has joined #webappsec
19:31:50 [ekr]
ekr has joined #webappsec
19:59:41 [glenn]
glenn has joined #webappsec
20:37:32 [glenn]
glenn has joined #webappsec
21:35:49 [terri_]
terri_ has joined #webappsec
22:14:54 [ekr]
ekr has joined #webappsec