16:54:18 <RRSAgent> RRSAgent has joined #websec
16:54:18 <RRSAgent> logging to http://www.w3.org/2014/03/31-websec-irc
16:54:21 <trackbot> trackbot has joined #websec
16:54:24 <wseltzer> trackbot, prepare teleconf
16:54:24 <trackbot> Sorry, but no Tracker is associated with this channel.
16:54:46 <wseltzer> zakim, this will be 26634
16:54:46 <Zakim> I do not see a conference matching that name scheduled within the next hour, wseltzer
16:54:54 <virginie> agenda?
16:55:02 <virginie> agenda+ welcome
16:55:15 <wseltzer> zakim, this will be WEBSEC
16:55:15 <Zakim> I do not see a conference matching that name scheduled within the next hour, wseltzer
16:55:39 <virginie> agenda+ - Debrief of STRINT workshop
16:55:40 <wseltzer> zakim, this will be 26634
16:55:40 <Zakim> I do not see a conference matching that name scheduled within the next hour, wseltzer
16:56:39 <virginie> agenda+ Security review and guideline
16:56:57 <virginie> agenda+ Understanding security technology : focus on FIDO
16:57:12 <wseltzer> regrets+ wseltzer
16:57:30 <virginie> agenda+ New security features : status on the 'secure services workshop'
16:59:04 <wseltzer> zakim, space for 20 at 1300
16:59:04 <Zakim> I don't understand 'space for 20 at 1300', wseltzer
16:59:07 <wseltzer> zakim, space for 20 at 1300?
16:59:09 <Zakim> ok, wseltzer; conference Team_(websec)17:00Z scheduled with code 9744 (WSIG) at 13:00 for 60 minutes until 1800Z
16:59:29 <terri> terri has joined #websec
17:00:21 <wseltzer> wseltzer has changed the topic to: Web Security IG: Code 9744 (WSIG)
17:00:23 <christine> christine has joined #websec
17:00:37 <wseltzer> Chair: Virginie
17:00:47 <wseltzer> Meeting: Web Security Interest Group
17:00:48 <npdoty> npdoty has joined #websec
17:00:53 <Zakim> Team_(websec)17:00Z has now started
17:00:55 <mr_ber> mr_ber has joined #websec
17:00:56 <Zakim> + +1.503.712.aaaa
17:00:58 <Zakim> +BHill
17:01:05 <terri> aaaa is me
17:01:07 <christine> Hi. Would someone please send me the passcode for the conference bridge. I tried the code that Virigine provided but the bridge is telling me it is not valid.
17:01:07 <wseltzer> Date: March 31, 2014
17:01:12 <terri> Zakim, aaaa is me
17:01:13 <Zakim> +terri; got it
17:01:26 <wseltzer> The code is 9744 (WSIG)
17:01:47 <Zakim> +??P10
17:01:57 <Zakim> +Art_Barstow
17:02:05 <christine> Thanks
17:02:07 <wwu> wwu has joined #websec
17:02:23 <mr_ber> mr_ber has left #websec
17:02:41 <Zakim> +[IPcaller]
17:02:48 <Zakim> + +1.213.337.aabb
17:02:48 <christine> Zakim, IPcaller is me
17:02:50 <Zakim> +christine; got it
17:03:02 <Zakim> +npdoty
17:03:02 <ArtB> Present+ Art_Barstow
17:03:07 <npdoty> Zakim, mute me'
17:03:07 <Zakim> sorry, npdoty, I do not know which phone connection belongs to me'
17:03:10 <npdoty> Zakim, mute me
17:03:10 <Zakim> npdoty should now be muted
17:03:17 <alex_ber> alex_ber has joined #websec
17:03:40 <wseltzer> s/The code is 9744 (WSIG)//
17:04:17 <ArtB> RRSAgent, make minutes
17:04:17 <RRSAgent> I have made the request to generate http://www.w3.org/2014/03/31-websec-minutes.html ArtB
17:04:33 <ArtB> RRSAgent, make log Public
17:04:55 <virginie> agenda?
17:05:06 <virginie> zakim, who is on the phone ?
17:05:06 <Zakim> On the phone I see terri, BHill, ??P10, Art_Barstow, christine, +1.213.337.aabb, npdoty (muted)
17:05:21 <virginie> zakim, aabb is me
17:05:21 <Zakim> +virginie; got it
17:05:27 <virginie> zakim, who is on the phone ?
17:05:27 <Zakim> On the phone I see terri, BHill, ??P10, Art_Barstow, christine, virginie, npdoty (muted)
17:06:17 <Zakim> + +44.793.550.aacc
17:07:10 <npdoty> Zakim, aacc is hannes
17:07:10 <Zakim> +hannes; got it
17:07:21 <HannesTschofenig> HannesTschofenig has joined #websec
17:08:20 <npdoty> agenda to begin at 10 past the hour (3 minutes)
17:08:57 <virginie> note : while we wait the last participants, you can make sure you are aware of the Web Security IG wiki here : http://www.w3.org/Security/wiki/IG
17:09:52 <virginie> zakim, who is on the phone ?
17:09:52 <Zakim> On the phone I see terri, BHill, ??P10, Art_Barstow, christine, virginie, npdoty (muted), hannes
17:10:37 <npdoty> scribenick: npdoty
17:11:01 <npdoty> virginie: welcome; we don’t always meet regularly, but good to get together and share news
17:11:02 <virginie> agenda?
17:11:45 <npdoty> any other agenda items?
17:12:24 <npdoty> Zakim, take up agendum 2
17:12:24 <Zakim> agendum 2. "- Debrief of STRINT workshop" taken up [from virginie]
17:12:52 <npdoty> hannes, can you help us with the workshop debrief?
17:13:08 <virginie> strint : https://www.w3.org/2014/strint/
17:13:30 <npdoty> HannesTschofenig: just before the IETF London meeting
17:13:49 <npdoty> … talked about the communications security tools at our disposable, and why they don’t work that well
17:14:09 <npdoty> … in some cases, have fairly good standards, but problems during implementation/deployment
17:14:12 <Zakim> +[IPcaller]
17:14:40 <npdoty> … talked about policy: the boundary between legal regime and the technology, a difficult discussion because of a complicated topic
17:15:03 <npdoty> … potential policy problems ahead, should be aware of them
17:15:20 <npdoty> … discussed “opportunistic encryption” (correct terminology tbd)
17:15:42 <npdoty> … Steven Kent wrote up an I-D afterwards
17:15:53 <npdoty> … discussion on metadata and deployment aspects
17:16:08 <npdoty> … don’t have a good sense of fingerprinting and what is possible or mitigations possible
17:16:23 <npdoty> … reach out to researchers, who may volunteer to look at some of our protocols
17:16:38 <virginie> note : a post on opportunistic encryption by Mark Nothingham http://www.mnot.net/blog/2014/03/17/trying_out_tls_for_http_urls
17:16:53 <jeffh> jeffh has joined #websec
17:16:56 <npdoty> … debate about middleboxes, vendors see advantages in their services
17:17:08 <npdoty> … issues of intercepting communications, in order to prevent exfiltration, for example
17:17:32 <npdoty> … XMPP community is doing experiments with e2e security concepts
17:17:54 <npdoty> … breakout sessions for research questions (slides to be shared)
17:18:07 <npdoty> … currently working on the workshop report, to be released in the next week or so
17:18:15 <npdoty> … have to figure out what we can realistically accomplish in each area
17:18:40 <npdoty> virginie: minutes available, but look forward to the report/action plan
17:19:12 <npdoty> … may have some actions that end up in the W3C scope
17:19:18 <npdoty> … any questions for hannes?
17:19:37 <HannesTschofenig> Here is the link to the STRINT website that contains informatoin about the sessions: https://www.w3.org/2014/strint/agenda.html
17:20:04 <hillbrad> zakim, [IPcaller] is jeffh
17:20:04 <Zakim> +jeffh; got it
17:20:28 <npdoty> Zakim, take up agendum 3
17:20:28 <Zakim> agendum 3. "Security review and guideline" taken up [from virginie]
17:20:35 <jeffh> oh, ok thx brad
17:20:47 <npdoty> virginie: no current progress, no volunteers for reviewing
17:21:12 <jeffh> btw, if one joins the irc chat after calling in, doesn't see the metadata wrt their dialing in
17:21:12 <npdoty> ... if anyone would like to look over the WebCrypto spec, which is at Last Call, good time to make comments
17:21:12 <virginie> web crypto API is in last call here : https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
17:21:28 <HannesTschofenig> Btw, here is the document I mentioned about the threat taxonomy: http://tools.ietf.org/html/draft-barnes-pervasive-problem-00
17:21:58 <npdoty> virginie: also has been discussion about security review of the EME specification
17:22:16 <fjh> fjh has joined #websec
17:22:29 <npdoty> HannesTschofenig: IETF security directorate reviews all the documents before published, and encourages earlier reviews
17:22:36 <npdoty> ... a lot of reviews because there are so many documents
17:23:04 <npdoty> ... the most critical part is that there is a governance model: someone makes sure that reviews happen
17:23:38 <npdoty> ... specification authors have incentive to actually address the comments, because of documents that require a certain level of security
17:23:44 <Zakim> +[IPcaller]
17:23:48 <fjh> zakim, ipcaller is me
17:23:48 <Zakim> +fjh; got it
17:23:53 <npdoty> ... based on pervasive monitoring, working on another document
17:24:06 <npdoty> ... IESG enforces these requirements
17:24:07 <fjh> rrsagent, generate minutes
17:24:07 <RRSAgent> I have made the request to generate http://www.w3.org/2014/03/31-websec-minutes.html fjh
17:24:35 <npdoty> virginie: farrell explained the IETF Security Area during our last meeting; would like W3C to be in a similar situation
17:24:46 <npdoty> q+
17:24:55 <npdoty> ... at the moment, it's true that there's no requirement
17:25:00 <npdoty> ack npdoty
17:25:26 <HannesTschofenig> Here is the link to the document from Steven Kent: http://tools.ietf.org/html/draft-kent-pervasive-encryption-00
17:26:22 <npdoty> npdoty: better if we have resources/expertise already when we introduce such a requirement
17:26:36 <npdoty> ... like the empty security considerations sections when that req was first introduced
17:26:47 <npdoty> HannesTschofenig: more about the lack of knowledge and guidance
17:27:28 <npdoty> ... a chicken-and-egg problem, people may not dedicate the resources if they're not sure the output of their work
17:27:54 <npdoty> [npdoty, not scribe]: absolutely; I'm hoping we can do better on providing the knowledge and guidance
17:28:25 <npdoty> virginie: Privacy Interest Group have been working on providing guidance on privacy
17:28:50 <npdoty> ... have been thinking about simple guidelines, list of basic things, when designing an API, that can be given to chairs and editors
17:29:01 <npdoty> ... think about the bad scenarios
17:29:15 <npdoty> ... indicate a note in your API where permissions may be necessary, etc.
17:29:26 <npdoty> ... very simple rules that will eventually be elaborated
17:29:40 <jeffh> see also:  http://wiki.tools.ietf.org/html/rfc6973  Privacy Considerations for Internet Protocols
17:29:50 <npdoty> ... share the basic reflex of someone who works in security
17:30:02 <npdoty> ... something we could conduct with the Privacy Interest Group, in contact with the chairs
17:30:29 <npdoty> ... start a wiki page with a simple list; security guidelines for chairs and editors
17:30:52 <npdoty> HannesTschofenig: makes sense. have we written this down yet?
17:31:10 <npdoty> virginie: can start with pointers to the IETF documents; haven't shared anything written yet
17:31:26 <npdoty> ... start a wiki page after this call, send link
17:31:32 <christine> q+
17:31:35 <npdoty> ... see how collectively we can advise chairs / editors
17:31:59 <npdoty> ... one idea: try to identify one Security Champion in every Working Group
17:32:18 <npdoty> ... someone with an interest and skills in security, already in the Working Group, feels responsibility but without obligation
17:32:20 <npdoty> ack christine
17:33:01 <npdoty> christine: very common for there to be a Security Considerations section in W3C specs; some groups have done a very good job in documentation and mitigation
17:33:10 <Zakim> -??P10
17:33:20 <virginie> +1
17:33:21 <npdoty> ... as part of this exercise, good to look at what's already out there
17:33:29 <jeffh> https://tools.ietf.org/html/rfc3552    Guidelines for Writing RFC Text on Security Considerations
17:33:33 <Zakim> +??P7
17:34:18 <npdoty> Zakim, take up agendum 4
17:34:18 <Zakim> agendum 4. "Understanding security technology : focus on FIDO" taken up [from virginie]
17:34:28 <Zakim> -Art_Barstow
17:34:34 <ArtB> ArtB has left #websec
17:35:29 <hillbrad> http://fidoalliance.org/
17:35:35 <jeffh> npdoty: see also RFC6973 (pointed to above)
17:35:57 <npdoty> hillbrad: FIDO Alliance, a group of companies working on specifications, so we can have stronger alternatives to passwords to log in to websites
17:36:36 <npdoty> hillbrad: up to 100 companies now; there is a fee and IPR requirement, similar to W3C
17:37:08 <npdoty> ... goal is to create unencumbered specifications, to be turned over to standards organizations for long-term maintainance (like W3C, OASIS, IETF, etc.)
17:37:28 <npdoty> ... password breaches are so common
17:37:58 <npdoty> ... take advantage of the momentum against passwords simultaneously with proliferation of devices with good cryptographic technologies, key management
17:38:13 <npdoty> ... and a scenario for unlocking your local device
17:38:33 <npdoty> ... connect those together to build a replacement for username and password
17:38:47 <npdoty> ... less about durable identity, just authentication
17:39:15 <npdoty> ... stayed away with traditional identity assertions, want to target for the broadest possible Web use cases
17:39:28 <npdoty> ... and so want to have privacy guarantees about trackability
17:39:32 <hillbrad> http://fidoalliance.org/specifications
17:39:39 <npdoty> ... draft specifications are available for download
17:40:08 <npdoty> ... families: U2F; UAF
17:40:41 <npdoty> ... both public key, cryptographic challenge/response protocol: universal two-factor just makes passwords stronger
17:40:51 <npdoty> ... use simpler passwords, but with stronger securities
17:41:15 <npdoty> ... a very simple hardware device, prove your presence with a button
17:41:38 <npdoty> ... a Web site can see that you have a U2F-compatible browser/device
17:41:57 <npdoty> ... the device generates a brand new keypair for that origin/site, completes challenge/response -- site stores a key handle
17:42:27 <npdoty> ... the next time you come back to that site, you type in username/password, site sends the key handle back to you/your device
17:42:39 <npdoty> ... your device unwraps it with your presence, and can respond to it
17:42:49 <npdoty> ... at a different website, you get a different key
17:42:51 <fjh> q+
17:43:01 <hillbrad> ack fjh
17:43:04 <npdoty> q+
17:43:19 <npdoty> fjh: what if you lose your device?
17:43:50 <npdoty> hillbrad: if you lose your device, secrets are gone. devices are intended to be cheap
17:44:05 <npdoty> ... doesn't specify account recovery flows, which will vary dramatically by implementation
17:44:22 <npdoty> ... for some throwaway accounts, don't need account recovery at all
17:44:50 <npdoty> ... banks or social networks might have very different ways for recovery
17:45:00 <npdoty> ... revocation is also relying-party-specific
17:45:16 <npdoty> ... if somone finds your device lying on the street, they don't also know your username and password
17:45:47 <npdoty> ... though the relying party would have to delete all of them, not just yours
17:46:28 <npdoty> npdoty: how do you get a guarantee that it's a real second device, couldn't your browser just do it?
17:46:47 <npdoty> hillbrad: yes, you could build an extension that does it all
17:47:08 <npdoty> ... an attestation at the time that you create the key
17:47:10 <jeffh> wrt the question "can't all this be done in software?"  -- see, eg, https://hoba.ie/
17:47:24 <npdoty> ... from a certificate widely shared by device manufacturers
17:47:41 <npdoty> ... software-only would be a self-signed assertion, some sites may be willing to accept that as well
17:47:54 <npdoty> ... working on privacy-friendly ways to do better attestation
17:48:16 <npdoty> ... simple certificate shared across 100,000 devices, so it doesn't create a super cookie
17:48:59 <npdoty> hillbrad: UAF, expansion of modalities of authentication -- an experience completely without passwords
17:49:15 <npdoty> ... fingerprint sensor to unlock the phone, same ceremony when using a browser on the phone
17:49:42 <npdoty> ... assumption that there can be local storage of the key material for each web site
17:50:11 <npdoty> ... UAF is really about creating a framework of trust decisions of different modalities, without constraining those modalities
17:50:21 <npdoty> ... like if we invented a new type of authenticator tomorrow
17:50:30 <npdoty> ... without changing protocols
17:51:14 <npdoty> ... a set of metadata that describes the authenticator (manufacturer, keysizes, etc.), which can be matched against a certain policy
17:51:34 <npdoty> ... risk-based authentication models, or a blacklist/whitelist
17:51:58 <jeffh> https://en.wikipedia.org/wiki/Risk-based_authentication
17:52:10 <npdoty> ... metadata could be self-asserted (or asserted by FIDO something), attestation comes with the metadata
17:52:52 <npdoty> ... interesting part to bring to W3C will be the DOM APIs to discover, query authenticators
17:53:01 <npdoty> ... discuss at an upcoming workshop regarding Web Cryptography
17:53:49 <fjh> q+ to ask about anticipated time frame for this work, implementations
17:53:52 <npdoty> virginie: any particular specs that are most related to web world
17:53:53 <npdoty> q-
17:54:11 <hillbrad> http://fidoalliance.org/specs/fido-uaf-client-api-transport-v1.0-rd-20140209.pdf
17:54:33 <hillbrad> That one is the UAF javascript APIs and HTTP bindings.
17:54:34 <hillbrad> http://fidoalliance.org/specs/fido-u2f-javascript-api-v1.0-rd-20140209.pdf
17:54:35 <npdoty> alex_ber: very easy reading/browsing from FIDO
17:54:40 <hillbrad> That one is the U2F javascript APIs
17:55:17 <npdoty> virginie: definitely considering for WebCrypto WG
17:55:20 <npdoty> ack fjh
17:55:20 <Zakim> fjh, you wanted to ask about anticipated time frame for this work, implementations
17:55:36 <npdoty> fjh: what's the timeframe? how do you anticipate this playing out?
17:56:10 <npdoty> bradhill: FIDO would like to move drafts to implementation draft in the next year, to standards groups after that
17:56:26 <virginie> https://fidoalliance.org/adoption/fido-ready
17:56:38 <npdoty> ... some implementations are supporting this already
17:57:03 <npdoty> ... still working on interop/testing plan
17:57:34 <jeffh> http://www.plug-up.com/
17:59:10 <npdoty> Zakim, take up agendum 5
17:59:10 <Zakim> agendum 5. "New security features : status on the 'secure services workshop'" taken up [from virginie]
17:59:51 <npdoty> virginie: discussion of a workshop, within WebCrypto, regarding better integration of smartcards, for example
18:00:09 <npdoty> ... more use cases for accessing a secure container, or trusted execution environment
18:01:00 <npdoty> ... workshop for discussion of a lot of security-related topics, open to discussion
18:01:27 <npdoty> ... schedule not set yet
18:01:39 <npdoty> ... what are the new security features that we want to have in the Web platform?
18:02:07 <npdoty> ... virginie, hhalpin will keep this group informed
18:02:55 <npdoty> virginie will send minutes / takeaway.
18:03:17 <npdoty> virginie: schedule a call perhaps in 2 months; after STRINT report and Web Payments report are out
18:03:27 <npdoty> ... will send a scheduling email as need be
18:03:40 <hillbrad> thanks for organizing, virginie
18:03:43 <Zakim> -christine
18:03:52 <Zakim> -npdoty
18:03:53 <Zakim> -fjh
18:03:54 <Zakim> -hannes
18:03:55 <npdoty> Zakim, list attendees
18:03:56 <Zakim> As of this point the attendees have been +1.503.712.aaaa, BHill, terri, Art_Barstow, +1.213.337.aabb, christine, npdoty, virginie, +44.793.550.aacc, hannes, jeffh, fjh
18:03:56 <Zakim> -virginie
18:03:57 <fjh> fjh has left #websec
18:03:58 <Zakim> -??P7
18:03:59 <Zakim> -BHill
18:04:01 <npdoty> rrsagent, please draft the minutes
18:04:01 <RRSAgent> I have made the request to generate http://www.w3.org/2014/03/31-websec-minutes.html npdoty
18:04:01 <Zakim> -jeffh
18:04:03 <Zakim> -terri
18:04:03 <Zakim> Team_(websec)17:00Z has ended
18:04:03 <Zakim> Attendees were +1.503.712.aaaa, BHill, terri, Art_Barstow, +1.213.337.aabb, christine, npdoty, virginie, +44.793.550.aacc, hannes, jeffh, fjh
18:07:04 <hillbrad> hillbrad has left #websec
18:23:39 <terri> terri has joined #websec
20:07:52 <npdoty> npdoty has joined #websec
20:44:47 <terri_> terri_ has joined #websec