W3C

- DRAFT -

Web Security Interest Group informal meeting

27 Oct 2014

See also: IRC log

Attendees

Present
Regrets
Chair
Virginie_Galindo
Scribe
wseltzer, rigo, hadleybeeman

Contents


<inserted> scribenick: wseltzer

Virginie: Co-chair of Web Security Interest Group

Introductions

Virginie: Thanks for joining us
... I had some slides, then the projector power died
... We revived the WebSec IG last year
... in response to security requests coming from W3C WGs
... Mission is to discuss security topics; not to produce recs.
... Build a community, discuss topics of interest, take actions.

<virginie> https://www.w3.org/Security/wiki/IG

Virginie: Requested to do security reviews, evaluate mobile security

<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap

Virginie: understand security model, build roadmap
... High expectations, but less ability to deliver
... [noting points from http://www.w3.org/Security/wiki/IG/W3C_security_roadmap ]
... Information-sharing
... September was workshop season
... Permissions, WebCrypto vNext

<rigo> There is still Workshop season: http://www.w3.org/2014/privacyws/

<virginie> FYI : permission workshop report is here : http://www.w3.org/2014/07/permissions/

<hadleybeeman> wseltzer: It was not a formal workshop, more a meeting of the sysops working group — talking about ways to standardise asking for/granting/scoping permissions.

<hadleybeeman> ... Dave Raggett is planning to recap that in a session on Wednesday.

<hadleybeeman> ... For capabilities that go beyond the normal in a browser, where a user might want to control whether the web app has access to sensors or data in a secure storage —

<hadleybeeman> ...— it should be able to ask the user for permission. One time? Hybrid? How does the permission persist?

<hadleybeeman> ... Do we now have enough experience across capabilities and across browsers and devices to form some best practice/standard? And if so, who should do it?

<hadleybeeman> ...It will at least partly be here in Security because the user might be tricked into doing something they don't want, or the web app might not get the capabilities it needs if it doesn't ask accurately

<hadleybeeman> ...How do we balance usability, functionality, performance etc?

<fjh> W3C Workshop on Privacy and User-Centric Controls

-> http://www.w3.org/wiki/TPAC2014/SessionIdeas#Trust_and_Permissions_in_the_Open_Web_Platform DSR's session proposal for Wednesday's unconference: Trust and Permissions

<fjh> http://www.w3.org/2014/privacyws/

<fjh> workshop with deadline for position papers Friday, please let me know if interested

<fjh> 20-21 Nov, Berlin

Rigo: Stemming from work of DT and Mozilla on understandable user controls
... I presented research in Pisa: we need to care more about UI

Virginie: WebCrypto vNext workshop

http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/

Virginie: What comes after WebCrypto gives crypto primitives to web developers
... Discussed authentication challenges, secure tokens, trusted execution environments -- how to use them on the Web
... input to rechartering of WebCrypto WG

http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/report.html

virginie: There's lots of interest in Security
... 70 people at webcrypto workshop
... so, how do we transform ideas into deliverables?

fjh: Focus and prioritization
... where should it lie?
... Is key management, hardware crypto, environment?

virginie: WebCrypto WG, after publication of v1, will work on new algorithms
... hw tokens, certificate management
... hardware-protected or strong software-protected keys
... Web Security IG hasn't been able to set priorities, because we're looking for contributors
... We're trying to do reviews, but not finding volunteers

<virginie> http://www.w3.org/Security/wiki/IG/W3C_spec_review

<Zakim> hadleybeeman, you wanted to ask about use cases

hadleybeeman: Wiki has a list of topics. Does the IG have a set of use cases?

virginie: We're trying to build a community of people willing to take on cases

rigo: STREWS has written a WebRTC security report

virginie: What should the IG do?

fjh: Focus could help

Virginie: what are you in the room interested in doing?

christine: Some thoughts from the Privacy Interest Group's experience (PING)
... e.g. develop guidance that can readily be used by other groups
... one group can't review everything

<bhill2> is there anyone on irc who was dialed-in to 92794# Zakim and wants us to re-start the bridge?

<JeffH_> one small group

christine: one thing we've found helpful is to have iterative discussions with chairs or WG members of groups seeking guidance
... PING meets Friday, join us
... Guidance: fingerprinting, privacy considerations for web protocols, SPA: spec privacy assessment
... Do we do security guidance at the same time as privacy? Together?

virginie: we started an effort to write security consideration guidance

<hadleybeeman> wseltzer: As technology and society domain lead now in W3C, we keep hearing from the public that Web Security is important. We need to improve it. But we need your help in focusing how we do that.

<karen_od> +q

<virginie> FYI: beginning of a draft of an attempt at a guideline for the security recommendation section https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines

<hadleybeeman> ...We know this is an ecosystem problem. We think W3C is a good point to bring people together to solve web security, improve it.

<hadleybeeman> ...Should we put calls out to volunteers? Or do we need a more focused effort? A group that looks more like the TAG?

<hadleybeeman> ...Do we need you to ask your AC reps to ask W3C to prioritise this, put more resources onto it? Or less effort onto it?

Kevin_Hill: 1st call to action could be to develop the focus, MS has someone who would help

karen_od: TAG has started discussions. What's happened there?

virginie: some people think TAG + editors is enough to do security review; others think there needs to be an external review

bhill: a TAG or Security TAG sounds like a good idea
... a more formal organization, visibility, prestige, can give people accountability

<Zakim> hadleybeeman, you wanted to advocate a working group — with a lot of dependenices

hadleybeeman: I'd like us to focus on the things we can build
... that's why I'd say a WG
... we could easily talk for 10 years, without making something concrete

<rigo> scribenick: rigo

wseltzer: we are trying to get some focus and not just talking. WebAppSec is doing a lot of concrete specs for web application

<hadleybeeman> wseltzer: That is where we're trying to get some focus, rather than just talking. We have Web Apps Sec WG producing concrete specs.

<scribe> scribenick: hadleybeeman

wseltzer: Are there other pieces to add to this road map? Can we see other places where the road is insecure?

<scribe> scribenick: wseltzer

brutzman_: EXI has some specific concerns
... just posted to the mailing list, security considerations around canonicalization
... and digital signatures

rigo: European research scene has multiple roadmapping projects
... 6-8 months out
... how about security of linked data?

<brutzman_> ... for Efficient XML Interchange (EXI) https://www.w3.org/XML/Group/EXI/

rigo: we haven't talked about that at all

terri: It's been very hard for me to get time allocated without a roadmap

<rigo> also we haven't talked about Linked data security at all so far. And this is a pressing need.

terri: because it seemed too unstructured
... we need more structure in order to get volunteers.

<JeffH_> observes that W3C historically hasn't prioritized security -- eg not requiring Recommendations to have (well-crafted) security considerations sections -- also web sec experts per se don't seem to inhabit w3c working groups (in general, there's exceptions of course), plus there isn't a security-oriented community a la IETF SAAG folk -- and so also w/o top-down security emphasis such as that that occurred in the IETF in the mid-to-late 1990's (eg: every RFC SHA[CUT]

<JeffH_> a sec cons section..." -- also there's OWASP where web sec folk seem to hang out -- is there some way to cross-fertilize between W3C and OWASP?

virginie: Takeaways, let's focus, work with PING
... test the idea of a security TAG

terri: had some conversations with OWASP

bhill: there are lots of potential people who aren't W3C members
... consultancies see they're already volunteering their people's time, why also pay membership?
... other ways to interact?

christine: PING hopes to have a breakout Wednesday on privacy considerations for web protocols
... participate, because there are overlaps between privacy and security
... and PING is also meeting Friday

virginie: Thanks WebAppSec for sharing your room

<christine> starting early - 8:30 am

virginie: We'll schedule another call soon

<virginie> thanks !

<Siva> Joining late...is the discussion still alive?

<JeffH_> test

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014/10/27 23:10:52 $
