14:59:30 <RRSAgent> RRSAgent has joined #websec
14:59:30 <RRSAgent> logging to http://www.w3.org/2014/05/06-websec-irc
14:59:36 <wseltzer> Meeting: Web Security IG
14:59:41 <wseltzer> Chair: Virginie Galindo
14:59:50 <wseltzer> Date: 6 May 2014
15:00:23 <kodonog> kodonog has joined #websec
15:00:27 <wseltzer> Agenda: http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html
15:00:39 <wseltzer> wseltzer has changed the topic to: Web Security IG, 6 May: http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html
15:01:22 <wseltzer> zakim, code?
15:01:23 <Zakim> the conference code is 26634 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), wseltzer
15:01:26 <virginie> zakim, who is on the call ?
15:01:27 <Zakim> SEC_WSIG()11:00AM has not yet started, virginie
15:01:28 <Zakim> On IRC I see kodonog, RRSAgent, christine, Zakim, trackbot, virginie, terri_, fjh, Sanjeev, terri, wseltzer
15:01:50 <wseltzer> zakim, this is WSIG
15:01:51 <Zakim> ok, wseltzer; that matches SEC_WSIG()11:00AM
15:01:54 <antonio> antonio has joined #websec
15:01:58 <wseltzer> zakim, who is on the call?
15:01:58 <Zakim> On the phone I see +1.408.412.aabb, [IPcaller], [IPcaller.a], +33.4.42.36.aacc, BHill, karen_oDonoghue, WSeltzer, +1.613.287.aadd
15:02:09 <Zakim> +terri
15:02:12 <wseltzer> zakim, aacc is virginie
15:02:12 <Zakim> +virginie; got it
15:02:33 <christine> Zakim,
15:02:33 <Zakim> I don't understand '', christine
15:02:49 <christine> Zakim, [IPcaller] is me
15:02:49 <Zakim> +christine; got it
15:03:02 <antonio> 41 is switzerland
15:03:09 <wseltzer> zakim, aadd is Irdeto
15:03:09 <Zakim> +Irdeto; got it
15:03:17 <virginie> zakim, aacc is me
15:03:17 <Zakim> sorry, virginie, I do not recognize a party named 'aacc'
15:03:23 <wseltzer> zakim, Irdeto has Harold_Johnson
15:03:23 <Zakim> +Harold_Johnson; got it
15:03:29 <bhill2> bhill2 has joined #websec
15:03:33 <virginie> zakim, who is on the call ?
15:03:33 <Zakim> On the phone I see +1.408.412.aabb, christine, [IPcaller.a], virginie, BHill, karen_oDonoghue, WSeltzer, Irdeto, terri
15:03:35 <Zakim> Irdeto has Harold_Johnson
15:03:57 <Zakim> +[IPcaller]
15:04:01 <fjh> zakim, ipcaller is me
15:04:01 <Zakim> +fjh; got it
15:04:07 <fjh> Present+ Frederick_Hirsch
15:04:13 <wseltzer> zakim, aabb is Sanjiv
15:04:13 <Zakim> +Sanjiv; got it
15:04:28 <fjh> zakim, who is here?
15:04:30 <Zakim> On the phone I see Sanjiv, christine, [IPcaller.a], virginie, BHill, karen_oDonoghue, WSeltzer, Irdeto, terri, fjh
15:04:30 <Zakim> Irdeto has Harold_Johnson
15:04:30 <Zakim> On IRC I see bhill2, antonio, kodonog, RRSAgent, christine, Zakim, trackbot, virginie, terri_, fjh, Sanjeev, terri, wseltzer
15:04:58 <wseltzer> zakim, Ipcaller.a is antonio
15:04:58 <Zakim> +antonio; got it
15:05:19 <wseltzer> agenda+ Welcome
15:05:25 <virginie> http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html
15:05:28 <wseltzer> agenda+ OWASP presentation (by Antonio FONTES from OWASP)
15:05:36 <wseltzer> agenda+  SysApp WG security model (by Dave RAGGETT from W3C)
15:05:43 <wseltzer> agenda+  Report from W3C Web Payment Workshop, with a special focus on identity, security and privacy, and a little bit of STRINT
15:05:50 <wseltzer> agenda+ Status on next W3C Workshop related to secure token and secure services,
15:05:59 <wseltzer> agenda+ Action items for the IG
15:06:02 <wseltzer> agenda+ AOB
15:06:05 <wseltzer> agenda?
15:06:13 <wseltzer> zakim, take up agendum 1
15:06:13 <Zakim> agendum 1. "Welcome" taken up [from wseltzer]
15:06:28 <wseltzer> Virginie: Welcome, review agenda
15:06:55 <virginie> zakim, who is on the call ?
15:06:55 <Zakim> On the phone I see Sanjiv, christine, antonio, virginie, BHill, karen_oDonoghue, WSeltzer, Irdeto, terri, fjh
15:06:58 <Zakim> Irdeto has Harold_Johnson
15:08:07 <HJJJr> HJJJr has joined #websec
15:08:24 <wseltzer> zakim, next agendum
15:08:24 <Zakim> agendum 2. "OWASP presentation (by Antonio FONTES from OWASP)" taken up [from wseltzer]
15:09:09 <wseltzer> Virginie: Wanted to increase interaction between OWASP and W3C on Web security
15:09:28 <wseltzer> Antonio: I work in info sec, specializing in web app security
15:09:40 <wseltzer> ... involved in OWASP since 2008
15:09:44 <virginie> OWASP foundation website : https://www.owasp.org/index.php/Main_Page
15:09:50 <wseltzer> ... not official representative
15:10:10 <wseltzer> ... Open Web Application Security Project
15:10:29 <wseltzer> ... organized around foundation, mission to help management make informed decisions on web application security
15:10:43 <wseltzer> ... guidance, tools, info, frameworks, best practices, references
15:10:53 <wseltzer> ... to manage lifecycle of applications
15:12:34 <wseltzer> ... Documents, conferences,
15:12:48 <virginie> OWASP conferences https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
15:13:08 <wseltzer> ... Chapters, more than 200 worldwide
15:13:21 <virginie> OWASP chapters https://www.owasp.org/index.php/OWASP_Chapter
15:14:29 <wseltzer> ... Chapters build connection to local level
15:14:32 <wseltzer> q?
15:14:59 <wseltzer> Virginie: How can we interact, work with you on deliverables?
15:15:11 <wseltzer> Antonio: Should talk about mailing lists
15:15:19 <wseltzer> ... have more than 36k members registered on lists
15:15:30 <wseltzer> ... to share info, get feedback
15:15:48 <wseltzer> OWASP mailing lists: https://lists.owasp.org/mailman/listinfo
15:16:25 <wseltzer> Antonio: mailing lists could be avenue for collaboration
15:16:38 <wseltzer> ... Documentation project sometimes reviews externally produced docs
15:16:47 <wseltzer> ... to provide guidance, suggestions
15:17:51 <wseltzer> ... Top 10 Web App Sec Security Risks
15:18:06 <wseltzer> ... Every year, collect factual data to identify risks
15:18:27 <wseltzer> ... used by orgs for reference, fast overview
15:18:38 <virginie> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
15:18:54 <wseltzer> ... Review against this top 10, at least
15:18:57 <wseltzer> ... ASVS
15:19:13 <wseltzer> ... Aims at standardizing entire verification set
15:19:16 <virginie> https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
15:19:36 <wseltzer> ... everything you should verify in a web app that asserts it's secure
15:20:03 <wseltzer> ... ZAP Proxy, a tool that helps testing of web apps
15:20:10 <virginie> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
15:20:15 <wseltzer> ... downloadable from OWASP
15:20:30 <wseltzer> ... @@API, library of secure code
15:20:39 <wseltzer> ... questions?
15:20:43 <wseltzer> q?
15:21:01 <antonio> the library is the ESAPI
15:21:07 <antonio> Entreprise Security API
15:21:13 <fjh> q+
15:22:35 <virginie> ESAPI (The OWASP Enterprise Security API)  https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
15:23:12 <wseltzer> wseltzer: @@
15:23:14 <dsr> dsr has joined #websec
15:23:22 <wseltzer> q?
15:23:46 <wseltzer> Virginie: Great to hear of the number of people involved in OWASP activities
15:24:00 <wseltzer> fjh: Do you have info on usage of verifications
15:24:31 <wseltzer> ... @@
15:24:55 <wseltzer> antonio: we are trying get better usage information
15:25:03 <wseltzer> ... we know governments are using ASVS
15:25:13 <wseltzer> ... as standard for internal development
15:25:47 <wseltzer> ... We have seen Top 10 integrated in almost all security reference
15:26:25 <Zakim> +Dsr
15:26:33 <fjh> second question was whether you are seeing anything related to Target breach, which has had big business impact, any new work based on this
15:26:46 <wseltzer> ... We have no large standards-level reference to ASVS
15:28:07 <fjh> thanks, that all makes sense regarding asvs
15:28:22 <wseltzer> ... hard to get reference to 140 controls
15:29:10 <HJJJr> HJJJr has joined #websec
15:29:18 <wseltzer> fjh: Did Target breach have repercussions?
15:30:24 <wseltzer> Antonio: Yes. Any breach that gets lots of media attention calls attention to security
15:30:51 <wseltzer> ... but we don't often get details about the vulnerability, whereas we did in Target.
15:31:44 <fjh> yes, target will be a great use case for justification for need of security analysis etc
15:31:59 <wseltzer> virgine: We'll see how to collaborate in follow-up
15:32:09 <fjh> thanks Antonio for excellent summary
15:32:41 <wseltzer> zakim, next agendum
15:32:41 <Zakim> I see a speaker queue remaining and respectfully decline to close this agendum, wseltzer
15:32:47 <wseltzer> ack fjh
15:32:49 <wseltzer> zakim, next agendum
15:32:49 <Zakim> agendum 3. "SysApp WG security model (by Dave RAGGETT from W3C)" taken up [from wseltzer]
15:32:52 <dsr> http://www.w3.org/2012/sysapps/
15:33:10 <wseltzer> Virgine: Thanks Dave Raggett for joining to discuss SysApps
15:33:29 <wseltzer> dsr: SysApps is looking at giving web developers rich access to device capabilities
15:33:40 <wseltzer> ... requiring greater levels of trust than normal APIs
15:33:47 <dsr> http://www.w3.org/2012/09/sysapps-wg-charter.html
15:34:23 <wseltzer> ... started with 2 phases of work, may re-charter
15:34:37 <wseltzer> ... Rich capabilities, example Sony's work on access to raw sockets
15:34:48 <wseltzer> ... That's not something you'd want to give to arbitrary web app
15:35:00 <wseltzer> ... 2 classes of apps. Packaged install, hosted app on website
15:35:10 <wseltzer> ... For both, thinking about manifest
15:35:23 <wseltzer> ... earlier w3c work on widgets not widely deployed
15:35:34 <wseltzer> ... JSON manifest started in SysApps, transferring to WebApps
15:35:44 <wseltzer> ... info about the app, e.g. full-scree
15:35:49 <wseltzer> s/scree/screen/
15:36:09 <wseltzer> ... App URI, allowing apps, whether hosted or packaged, to download resources in the same way
15:36:17 <wseltzer> ... Security and permissions
15:36:50 <wseltzer> ... open meeting re trust and permissions
15:36:58 <wseltzer> ... also rechartering
15:37:06 <virginie> doodle for participating http://doodle.com/6mequ2befp3ax592#table
15:37:18 <wseltzer> ... different approaches: Native apps, Android list permissions up-front
15:37:26 <wseltzer> ... iOS run-time request to user
15:37:32 <wseltzer> ... relates to EULAs
15:38:01 <wseltzer> ... How shoudl we do this on the Web?
15:38:11 <wseltzer> ... experence from Device APIs, Geoloc
15:38:29 <wseltzer> ... privacy
15:39:01 <wseltzer> ... privacy footprint
15:39:10 <wseltzer> ... do users understand questions they're being asked?
15:39:12 <fjh> s/shoudl/should/
15:39:53 <fjh> q+
15:40:24 <Zakim> -virginie
15:40:27 <wseltzer> terri: question on manifests and security
15:40:38 <wseltzer> dsr: work on manifests in webapps
15:40:50 <wseltzer> ... some companies would like to add permissions in manifest
15:41:01 <Zakim> +virginie
15:41:09 <wseltzer> ... if we want to allow devs to deal with manifests, need standard naming
15:42:12 <fjh> q?
15:42:26 <christine> q
15:42:33 <wseltzer> ack fjh
15:42:34 <christine> q+
15:42:54 <wseltzer> fjh: Is it correct to say security model needs work, using th workshop to progress?
15:43:08 <wseltzer> dsr: Yes, runtime security model discontinued
15:43:52 <fjh> q?
15:44:35 <wseltzer> ack christine
15:45:20 <wseltzer> christine: Please come talk to PING regarding privacy considerations
15:45:21 <terri_> q+
15:45:24 <wseltzer> dsr: thanks, will do
15:45:28 <wseltzer> ack terri
15:45:42 <wseltzer> terri: How does sysapps interact with CSP?
15:45:57 <wseltzer> dsr: more webapps than sysapps
15:46:12 <wseltzer> ... some discussion, still ongoing
15:46:27 <wseltzer> ... woudl be able to use CSP, based on same-origin model
15:46:40 <wseltzer> ... other things to do with trust
15:46:51 <wseltzer> ... how does that affect permisioning model
15:47:08 <wseltzer> ... browsers vary on how they remember "clicked yes"
15:47:17 <wseltzer> ... based on HTTPs
15:47:39 <wseltzer> virginie: thanks, we'll loook forward to hearing about the workshop
15:48:29 <wseltzer> zakim, next agendum
15:48:29 <Zakim> agendum 4. "Report from W3C Web Payment Workshop, with a special focus on identity, security and privacy, and a little bit of STRINT" taken up [from wseltzer]
15:48:45 <wseltzer> Virgine: reports from workshops
15:48:52 <virginie> Payment report http://www.w3.org/2013/10/payments/final_report.html
15:49:53 <wseltzer> virginie: discussion of privacy and security; several references to trusted user interface
15:50:33 <wseltzer> ... re payments, w3c is looking to charter new Interest Group
15:50:45 <virginie> STRINT report https://tools.ietf.org/html/draft-iab-strint-report-00
15:51:01 <virginie> What may fall in W3C http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0008.html
15:55:59 <wseltzer> zakim, next agendum
15:55:59 <Zakim> agendum 5. "Status on next W3C Workshop related to secure token and secure services," taken up [from wseltzer]
15:56:34 <wseltzer> Virginie: Worshop on secure tokens and hardware authentication
15:56:40 <wseltzer> ... Sept 10-11 in Mountain View
15:56:52 <wseltzer> ... has been approved by w3c, will share info soon
15:57:10 <wseltzer> ... working with FIDO Alliance, smartcard vendors
15:57:30 <wseltzer> ... how to integrate hw security for secure authentication
15:57:35 <wseltzer> zakim, next agendum
15:57:35 <Zakim> agendum 6. "Action items for the IG" taken up [from wseltzer]
15:57:56 <virginie> We have a recent proposal from Wendy to take web rtc as a possible  http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0006.html
15:58:30 <wseltzer> Virginie: actions; e.g. Wendy's thinking on webrtc and Web Security model
15:58:41 <wseltzer> ... end these calls with call for volunteers, info share
15:59:12 <Zakim> -Dsr
15:59:17 <virginie> https://www.w3.org/Security/wiki/IG
15:59:27 <wseltzer> ... e.g. volunteers for web security guidelines
15:59:31 <virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review
15:59:50 <virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
16:00:35 <wseltzer> q?
16:01:07 <wseltzer> virginie: thanks, and keep in touch on the list
16:01:15 <Zakim> -BHill
16:01:15 <Zakim> -christine
16:01:15 <Zakim> -karen_oDonoghue
16:01:16 <Zakim> -fjh
16:01:16 <Zakim> -Irdeto
16:01:17 <wseltzer> [adjourned]
16:01:24 <Zakim> -virginie
16:01:28 <Zakim> -terri
16:01:30 <Zakim> -antonio
16:01:37 <Zakim> -WSeltzer
16:01:39 <wseltzer> rrsagent, make minutes
16:01:39 <RRSAgent> I have made the request to generate http://www.w3.org/2014/05/06-websec-minutes.html wseltzer
16:01:50 <antonio> thank you all
16:02:22 <virginie> thanks antonio, dave and all participants
16:05:24 <antonio> antonio has left #websec
16:06:37 <Zakim> disconnecting the lone participant, Sanjiv, in SEC_WSIG()11:00AM
16:06:39 <Zakim> SEC_WSIG()11:00AM has ended
16:06:39 <Zakim> Attendees were +1.613.287.aaaa, +1.408.412.aabb, +33.4.42.36.aacc, BHill, karen_oDonoghue, WSeltzer, +1.613.287.aadd, terri, virginie, christine, Harold_Johnson, fjh, Sanjiv,
16:06:39 <Zakim> ... antonio, Dsr
16:58:50 <wseltzer> rrsagent, make logs public
16:58:55 <wseltzer> rrsagent, make minutes
16:58:55 <RRSAgent> I have made the request to generate http://www.w3.org/2014/05/06-websec-minutes.html wseltzer
17:00:12 <wseltzer> s/wseltzer: @@/wseltzer: We look forward to discussing closer work with OWASP, including possible collaboration on reviews
17:00:21 <wseltzer> s/@@API/ESAPI/
17:00:54 <wseltzer> rrsagent, make minutes
17:00:54 <RRSAgent> I have made the request to generate http://www.w3.org/2014/05/06-websec-minutes.html wseltzer
18:07:00 <terri_> terri_ has joined #websec