16:47:06 RRSAgent has joined #privacy
16:47:06 logging to http://www.w3.org/2015/02/26-privacy-irc
16:47:08 RRSAgent, make logs 263
16:47:08 Zakim has joined #privacy
16:47:10 Zakim, this will be
16:47:10 I don't understand 'this will be', trackbot
16:47:11 Meeting: Privacy Interest Group Teleconference
16:47:11 Date: 26 February 2015
16:47:16 rrsagent, make logs public
16:47:18 Zakim, this will be PING
16:47:18 ok, npdoty; I see Team_(privacy)17:00Z scheduled to start in 13 minutes
16:47:19 chaals has joined #privacy
16:47:29 Zakim, clear agenda
16:47:29 agenda cleared
16:47:44 agenda+ Welcome and Introductions for new people
16:47:45 agenda+ Persona idea (Charles and David)
16:47:46 agenda+ WebRTC local IP address disclosure (Wendy)
16:47:50 agenda+ Header enrichment (Nick and Wendy)
16:47:50 agenda+ Status update re fingerprinting guidance (Nick)
16:47:51 agenda+ W3C TAG Finding - Securing the Web
16:47:52 agenda+ Privacy reviews and guidance
16:47:52 agenda+ AOB
16:50:17 tara has joined #privacy
16:52:25 Mike_O_Neill has joined #privacy
16:52:28 npdoty has joined #privacy
16:53:58 christine has joined #privacy
16:54:25 Team_(privacy)17:00Z has now started
16:54:32 +[IPcaller]
16:54:54 npdoty has changed the topic to: Privacy Interest Group, 26 February, https://lists.w3.org/Archives/Public/public-privacy/2015JanMar/0096.html
16:55:31 +npdoty
16:55:47 +??P15
16:55:55 Zakim, IPcaller is christine
16:55:55 +christine; got it
16:56:30 Zakim, ??p15 is tara
16:56:30 +tara; got it
16:57:21 +[IPcaller]
16:57:38 -[IPcaller]
16:57:45 Zakim, agenda?
16:57:45 I see 8 items remaining on the agenda:
16:57:46 1. Welcome and Introductions for new people [from npdoty]
16:57:46 2. Persona idea (Charles and David) [from npdoty]
16:57:46 3. WebRTC local IP address disclosure (Wendy) [from npdoty]
16:57:46 4. Header enrichment (Nick and Wendy) [from npdoty]
16:57:46 5. Status update re fingerprinting guidance (Nick) [from npdoty]
16:57:47 6. W3C TAG Finding - Securing the Web [from npdoty]
16:57:47 7. Privacy reviews and guidance [from npdoty]
16:57:47 8. AOB [from npdoty]
16:58:39 Kepeng has joined #privacy
16:59:03 tara_ has joined #privacy
16:59:24 +[IPcaller]
16:59:24 tara_ has left #privacy
16:59:25 +Wendy
16:59:49 +??P10
16:59:56 tara_ has joined #privacy
17:00:01 zakim, [IPc is Kepeng
17:00:01 +Kepeng; got it
17:00:14 +Katie_Haritos-Shea
17:00:49 +Charles
17:00:51 +karen_oDonoghue
17:01:03 zakim, [IPCaller] is me
17:01:03 sorry, Mike_O_Neill, I do not recognize a party named '[IPCaller]'
17:01:24 zakim, ??p10 is Mike_O_Neill
17:01:24 +Mike_O_Neill; got it
17:01:26 kodonog has joined #privacy
17:01:36 zakim, who is herre?
17:01:36 I don't understand your question, wseltzer.
17:01:39 zakim, who is here?
17:01:39 On the phone I see christine, npdoty, tara, Kepeng, Wendy, Mike_O_Neill, Katie_Haritos-Shea, Charles, karen_oDonoghue
17:01:41 On IRC I see kodonog, tara_, Kepeng, christine, npdoty, Mike_O_Neill, tara, chaals, Zakim, RRSAgent, fjh, TallTed, terri, wseltzer, mkwst, hadleybeeman, trackbot
17:01:43 +[Apple]
17:01:46 dsinger has joined #privacy
17:01:57 zakimn, who is here?
17:01:58 zakim, Apple is dsinger
17:01:58 +dsinger; got it
17:02:06 zakim, [apple] has dsinger
17:02:06 sorry, dsinger, I do not recognize a party named '[apple]'
17:02:17 zakim, who is here?
17:02:18 On the phone I see christine, npdoty, tara, Kepeng, Wendy, Mike_O_Neill, Katie_Haritos-Shea, Charles, karen_oDonoghue, dsinger
17:02:19 On IRC I see dsinger, kodonog, tara_, Kepeng, christine, npdoty, Mike_O_Neill, tara, chaals, Zakim, RRSAgent, fjh, TallTed, terri, wseltzer, mkwst, hadleybeeman, trackbot
17:02:24 + +1.202.407.aaaa
17:02:40 zakim, aaaa is JoeHall
17:02:40 +JoeHall; got it
17:02:56 Zakim, take up agendum 1
17:02:57 agendum 1. "Welcome and Introductions for new people" taken up [from npdoty]
17:03:09 zakim, code?
17:03:09 the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), hadleybeeman
17:03:12 christine: any first-timers to the call? please introduce yourself
17:03:13 I am pretty rare. David Singer, Apple.
17:03:24 JoeHallCDT has joined #privacy
17:03:27 ok!
17:03:32 Kepeng Li from Alibaba
17:03:33 missed that last one, sorry
17:03:38 scribenick: JoeHallCDT
17:03:50 +[IPcaller]
17:04:01 zakim, [ip is me
17:04:01 +chaals; got it
17:04:04 +HadleyBeeman
17:04:14 Kepeng: has interests about privacy interests, not particularly familiar with PING
17:04:28 srice has joined #privacy
17:04:31 +terri
17:04:49 zakim, who is here?
17:04:49 On the phone I see christine, npdoty, tara, Kepeng, Wendy, Mike_O_Neill, Katie_Haritos-Shea, Charles, karen_oDonoghue, dsinger, JoeHall, chaals, HadleyBeeman, terri
17:04:52 zakim, who is here?
17:04:54 On IRC I see srice, JoeHallCDT, dsinger, kodonog, tara_, Kepeng, christine, npdoty, Mike_O_Neill, tara, chaals, Zakim, RRSAgent, fjh, TallTed, terri, wseltzer, mkwst, hadleybeeman,
17:04:54 ... trackbot
17:04:54 On the phone I see christine, npdoty, tara, Kepeng, Wendy, Mike_O_Neill, Katie_Haritos-Shea, Charles, karen_oDonoghue, dsinger, JoeHall, chaals, HadleyBeeman, terri
17:04:57 On IRC I see srice, JoeHallCDT, dsinger, kodonog, tara_, Kepeng, christine, npdoty, Mike_O_Neill, tara, chaals, Zakim, RRSAgent, fjh, TallTed, terri, wseltzer, mkwst, hadleybeeman,
17:04:57 ... trackbot
17:04:59 +[IPcaller]
17:05:01 zakim, ipcaller is me
17:05:01 +fjh; got it
17:05:07 Hadleybee joining as one of the chairs of xxxx working group, just lurking
17:05:08 Simon Rice - Information Commissioner's Office (UK) - https://ico.org.uk
17:05:14 Ryladog has joined #privacy
17:05:16 christine: anyone on the phone who is not on IRC?
17:05:16 s/xxxx/Data on the Web/
17:05:25 Zakim, take up agendum 2
17:05:25 agendum 2. "Persona idea (Charles and David)" taken up [from npdoty]
17:05:34 christine: let's talk about personas!
17:06:09 dsigner: read a paper recently that 25% of people using privacy browsing mode think that this keeps them private from servers
17:06:29 … privacy browsing mode (PMD) actually starts a separate session on the local UA, and is then discarded
17:06:50 s/PMD/PBM/
17:06:50 s/dsigner/dsinger/
17:07:14 … can we tweak PBM such that it better separates different modes of use?
17:07:26 … privacy is not always about secrecy, sometimes it's about context
17:07:49 … e.g., if you meet your bank manager at a party, you don't discuss an overdraft you just worked through because you're at a party, not the bank!
17:08:10 … people want to do things that don't hinge on secrecy online but still have some distinct privacy
17:08:25 … proposal is to send a flag that says "at the moment, I'm using a particular persona"
17:08:50 … such that one persona will be kept logically separate on the server between various persona identifiers
17:08:59 … this is in some sense a request to the servers to respect context
17:09:31 … this is instead of treating the world as hostile toward you, requesting help for segretation from the servers
17:09:44 … persona header asks the servers to keep the records from dfifferent personas separated
17:10:05 +q
17:10:05 s/dfifferent/different/
17:10:06 q?
17:10:23 s/segretation/segregation/
17:10:36 q+
17:10:37 Mike_O_Neill: I can see where in persona where you have different identities that you might want to switch between
17:11:04 … question: on privacy mode, you have a whole set of new cookies each time you go in there
17:11:15 … so how does the search history get preserved
17:11:33 dsinger: sandbox is initialized from the current state, and any changes are discarded
17:11:34 because you were logged in to your search engine provider when you entered private browsing mode?
17:11:55 or you logged in after entering private browsing mode?
17:12:03 Mike_O_Neill: ff has a mode where the UA puts up a whole set of different cookies, etc.
17:12:20 q+ on complexity and buckets
17:12:32 … we don't have a session layer defined that allows for privacy with context
17:12:35 q+ to note that people aren't always inherently concerned with whether they are being tracked, but with what happens as a result of that tracking…
17:12:46 q+ on cookie jars and server interest in a signal (if we have time)
17:12:49 ack Mike_O_Neill
17:12:51 ack christine
17:12:53 ack mik
17:13:06 christine: are the profiles that you can set up in ff, are those similar to persona or different?
17:13:16 dsinger: don't know enough about ff profiles
17:13:32 ack ws
17:13:32 wseltzer, you wanted to comment on complexity and buckets
17:13:36 Mike_O_Neill: talk about having banks of cookies to switch between
17:14:04 wseltzer: something that we've been encountering frequently is the challenge of putting features in buckets that the user can understand and have control over
17:14:14 … persona seems like a very interesting concept here.
17:14:34 … what other things can we bundle here so that the choices are meaningful but that it's not too large?
17:14:51 dsinger: not sure… the idea is an enhancement of privacy browsing mode
17:14:52 when TAG has talked about standardizing private browsing modes, they've discussed the difference between client-side clearing and server-side clearing
17:15:13 … a follow-on would be some signal from the server acknowledging the separation
17:15:27 christine: very interested in the core idea here of preference expression
17:15:39 ack chaals
17:15:39 chaals, you wanted to note that people aren't always inherently concerned with whether they are being tracked, but with what happens as a result of that tracking…
17:15:47 chaals: in essence, you called out a bunch of complexity and features behind this
17:16:01 … most obvious one: to be able to manage different personas in a granular fashion
17:16:15 … in the Yandex browser you can change who you are in the browser
17:16:26 … can essentially change the user for the browser
17:16:40 … this is linked up to code on the server so that it follows the change in users
17:16:58 … the point about how this works with private modes is very interesting
17:17:13 … the current private mode is make me look anonymous and the same as everyone else
17:17:41 … if you offer the server a reason to respect your persona, quid pro quo is that you give them your data
17:17:50 … most people don't give a fig that they are being tracked
17:17:58 … what they care about is how that tracking information is used
17:18:15 +q
17:18:17 … for example, if a bank manager at a party and gets angry about your overdraft, that's problematic
17:18:33 … if the bank manager is just partying, there's no problem
17:18:47 -HadleyBeeman
17:19:02 … the idea is that you can have 2 personalities… and then maybe you can have 3 because what if 2 isn't enough
17:19:20 … a clear use case is managing cookies (UA side identifiers)
17:19:26 “people” are becoming aware of consequences of information collection, 1 million in MA with Anthem breach for example
17:19:44 … on the other hand, if you show people how they are being tracked and what cookies are providing what information
17:19:57 … then people can say, I don't really want that much information emanated
17:20:14 … what people can't do easily, for example, is to find how much backend aggregators know about them
17:20:30 … but it's definitely true that aggregators can segregate arbitrary personae
17:20:30 +HadleyBeeman
17:21:06 … the 90,000 mile view is that you can actually find out what backend servers know about a persona
17:21:13 … and conceivably you could ask them to forget
17:21:31 … the quid pro quo is that instead of showing up totally anonymous, the server can know what they already know
17:21:44 … in order to function at all, it has to have a mode that is super simple
17:21:56 … and offer something to both users and servers
17:22:20 … for users, you didn't lose some of the useful information (state) and for servers that they don't get tons of anonymous visitors
17:22:38 ack me
17:22:38 npdoty, you wanted to comment on cookie jars and server interest in a signal (if we have time)
17:23:04 npdoty: wanted to talk about the technical aspects
17:23:11 … some browsers already have a persona concept
17:23:20 … typically implemented through separate cookie jars
17:23:41 … maybe that implements most of the use cases we're talking about?
17:24:25 … does it? If it does, then we have some existence proofs.
17:24:41 … if it doesn't… if we need server mojo… we need to know what they'd want in this kind of a construct
17:24:54 … whether if it should be client or server side
17:25:01 … want to see interest from servers
17:25:14 dsinger: servers can still work out that it's probably you via UA, IP address, etc.
17:25:26 … they are unaware that you're trying to keep your history segregated
17:25:46 … you do want it to be at sometimes still you, with some of the state stored in cookies
17:25:51 [+1 that value for the servers is one of the critical pieces to the puzzle]
17:25:58 … don't think you can do this without servers being aware
17:26:06 … whole question of context is very important
17:26:31 [+1 for the point that servers *knowing* that they are being asked to keep this persona away from that persona is part of the useful bit]
17:26:31 … what the hell were you doing showing me an ad for an embarrassing medical thing when my boss is in the office?
17:26:53 [and clearly explaining the limited purpose this is intended to serve, lets it do that minimal thing well.]
17:27:06 q+
17:27:13 christine: when using Microsoft profiles, assumption is that my behavior in each profile is segregated from sites I visit...
17:27:22 q+ to say that desegregating even anonymous users is pretty easy
17:27:22 q+
17:27:26 … but hadn't thought about how those sessions are treated by the browser
17:27:35 q?
17:28:01 Mike_O_Neill: the point that david said about they know who you are anyway, not sure that's true
17:28:06 chaals, but do servers *want* that difference? while sites can re-connect you after you clear your cookies, if they do so when they notice cookies are cleared, is there some reason they won't if they see a Private Browsing Mode expression?
17:28:18 … many IP address contexts change, so not the best identifier
17:28:20 alas, DHCP and some NAT boxes try to maintain stable mappings…
17:28:22 [ based on fingerprinting, they know who you are to a high degree ]
17:28:38 … don't think it's the case that the vast majority of people aren't privacy nuts
17:28:47 … you don't know who's out there tracking you
17:29:00 …and relying on that to ‘anonymize’ you is, I think, weak. the trackers are working out how to track you despite NAT and DHCP.
17:29:10 q?
17:29:19 wseltzer, based on fingerprinting, it's possible for certain motivated servers to recognize you to a higher degree
17:29:27 ack Mike_O_Neill
17:29:33 … the reason that people have been relatively relaxed about it is that they don't know or understand what's going on
17:29:49 … agreeing with npdoty that this should be a client side
17:29:59 … don't think we have the infrastructure to do the server piece safely
17:30:19 dsinger: 1) currently in private browsing mode server is unaware of private browsing mode
17:30:31 … in terms of trust, if servers could signal "yes, we respect this"
17:30:54 … people may not agree if something is tracking, but if they lie to you, that's not acceptable to regulators
17:30:56 @wendy, yes we do need to wrap this up very soon
17:31:02 [so they're unlikely to want to say anything...]
17:31:08 zakim, please close queue
17:31:08 ok, wseltzer, the speaker queue is closed
17:31:09 … agree that one of the problems with privacy online is that data is being collected
17:31:09 q-
17:31:23 … but they don't understand either how it's being used, and it's being used out of context
17:31:31 indeed, we should ask if servers want to receive a signal and implement such a feature
17:31:46 ack chaals
17:31:46 chaals, you wanted to say that desegregating even anonymous users is pretty easy
17:32:05 chaals: a couple of things… based on fingerprinting of anonymous browsers and behavior, it is very easy to desegregate and identify users
17:32:08 fingerprinting takes a roundtrip (XHR)
17:32:27 … pretty clear that data about them is being picked up about them
17:32:32 … everyone knows that happens
17:32:36 and we can block 3p XHR
17:32:39 dsinger, is the motivation "don't reflect this behavior back to me except when I'm using this persona"?
17:32:48 … still have 100s of millions of people using these services aware that they are giving away data
17:33:41 +q
17:33:43 npdoty, roughly, yes. “please keep the personas segregated so that they don’t have any effect on each other. Trivially, you could treat them as separate people.”
17:33:52 dsinger, otherwise, I struggle to understand the implications for what the signal should indicate when you're logged in with a known account in multiple personas
17:33:58 … in this proposal, it's very much not about providing perfect privacy or security, but it does provide something that could give value to both sides of the equation
17:34:26 "don't have any effect" seems very difficult when we talk about being logged in (as in your search engine or buying gifts example)
17:34:39 npdoty, so for example, search or other activity records are segregated; adverts and interests are segregated; and so on
17:34:47 servers aren't going to stop recording credit card transactions :)
17:35:00 agenda?
17:35:27 Zakim, drop agendum 1
17:35:27 agendum 1, Welcome and Introductions for new people, dropped
17:35:32 christine: what would you like PING to do? don't have to answer now, let's discuss on email list
17:35:43 dsinger: exactly what we'd like to happen
17:36:05 alina has joined #privacy
17:36:30 I could drop agendum 5
17:36:32 christine: of our agenda items, does anyone wish to express a view as to what is most pressing?
17:36:38 I think 3 is important for now
17:36:57 webrtc
17:36:58 Zakim, drop agendum 5
17:36:58 agendum 5, Status update re fingerprinting guidance (Nick), dropped
17:37:08 Zakim, drop agendum 2
17:37:08 agendum 2, Persona idea (Charles and David), dropped
17:37:11 Zakim, take up agendum 3
17:37:11 agendum 3. "WebRTC local IP address disclosure (Wendy)" taken up [from npdoty]
17:37:13 christine: focusing on 3 and 6
17:37:20 … Don was unable to join the call
17:37:21 zakim, reopen queue
17:37:21 ok, wseltzer, the speaker queue is open
17:37:38 -> https://www.w3.org/wiki/Privacy/IPAddresses WebRTC
17:37:39 wseltzer: wiki page on privacy and webRTC
17:37:53 +q
17:37:59 … the WebRTC group has asked us for guidance on the sensitivity of local IP addresses
17:38:31 … reacting to news stories concerned about WebRTC exposing real IP address locally instead of how you appear to the internet (eg, VPN)
17:38:45 … because WebRTC is peer-to-peer, that IP address is necessary to communicate
17:38:51 … what user controls should exist?
17:39:04 … in what circumstances should WebRTC have access to those?
17:39:09 … when should it not?
17:39:27 … thought PING could help enumerate the concerns about local IP addresses
17:39:47 … local IP might differ from global IP if you're behind a NAT, VPN, using Tor
17:40:01 … users might have different expectations and needs of the privacy of that address
17:40:16 … suggests we simply add to the wiki about these concerns
17:40:19 q+
17:40:38 christine: how much time do we have to do this?
17:40:51 wseltzer: like anything the sooner the better… not aware of specific deadlines
17:41:07 Please add to the wiki: https://www.w3.org/wiki/Privacy/IPAddresses
17:41:28 ack Mike_O_Neill
17:41:36 Mike_O_Neill: the issue here is that this is happening
17:41:42 Yes, please volunteer to add to the wiki!
17:41:51 … basically, you execute a bit of JS on the page and that tells you the IP address
17:41:52 are there any other APIs that are giving access to local IP address?
17:41:57 … very simple way to do fingerprinting
17:42:11 … e.g., behind a NAT can segregate users
17:42:14 we discussed it in Network Service Discovery (though I'm not sure that's implemented). but are there any other features?
17:42:15 … think something should be done about it
17:42:27 … presume WebRTC is a TCP/IP level communication
17:42:32 I think it's DTLS
17:43:08 JoeHallCDT: How would an adversary use this? As Mike said, if you get a piece of JS to run
17:43:13 ... I'll add to the wiki
17:43:18 in current test implementations, is it gated by some user interaction?
17:43:22 no
17:43:24 I don't recall
17:43:49 wseltzer: one of the concerns in the reporting is that this was available even in cases where the user was not engaged in WebRTC comms.
17:43:52 wow, good to know, thanks wseltzer
17:44:03 christine: please volunteer to add to the wiki
17:44:11 wseltzer, is there a deadline?
17:44:14 … if you're too shy, ask an extrovert like Christine or Tara
17:44:21 npdoty, I'll ask dom
17:44:31 agenda?
17:44:48 ok
17:44:48 christine: let's aim to add content to the wiki before our next call
17:44:49 sure
17:44:56 … share your views on the email list as well
17:45:13 … there was a request to cover agenda 6 and 7
17:45:19 … going to swap them
17:45:28 npdoty: on 7...
17:45:35 https://www.w3.org/wiki/Privacy/Privacy_Reviews
17:45:36 … this is the idea of doing privacy reviews
17:45:42 … we have done them when requested
17:45:48 … maybe we should keep track of a list
17:45:58 … npdoty has started one (above)
17:46:08 … what the doc is, status, and when they want that feedback
17:46:16 … it's a wiki! edit it
17:46:23 http://www.w3.org/TR/2015/WD-appmanifest-20150212/
17:46:29 … prompted by the manifest for web applications draft is looking for wide review
17:46:39 … want feedback on privacy and security considerations
17:46:48 … in particular, things about navigation…
17:46:59 … a downloadable web app vs. web interaction
17:47:13 … if you're interested in installable web apps, you'll be interested
17:47:20 … want feedback by the end of next week
17:47:43 … need volunteers for 2 roles
17:47:50 npdoty: can you clarify both the roles?
17:48:30 shepherd makes sure a consolidated email actually gets sent by the deadline :)
17:48:36 christine: shepherd is the one that chases the people that have volunteered to provide comments and synthesize that feedback to the group that requested review
17:48:51 … anyone willing to be shepherd or comments
17:49:05 I have a staffer starting next week that will be doing w3c stuff, but this is too short a fuse, I suspect
17:49:22 … very important that PING provides privacy guidance to these groups
17:49:33 q?
17:49:35 q-
17:49:49 I'll also add Wendy's IP address thing to that list, with the hope that we find out the deadline
17:49:55 christine: next item 3, TAG finding on securing the web
17:49:59 Zakim, take up agendum 6
17:49:59 agendum 6. "W3C TAG Finding - Securing the Web" taken up [from npdoty]
17:50:11 … had hoped to get mnot here, but he lives in crazy place
17:50:17 http://www.w3.org/2001/tag/doc/web-https
17:50:21 … asked him to come to the PING-at-IETF side meeting
17:50:26 -> http://www.w3.org/2001/tag/doc/web-https TAG Finding on Securing the Web
17:50:37 q+ on how it differs from the IAB confidentiality statement
17:51:01 ?me thanks Nick
17:51:10 wseltzer: TAG finding is that sites should be secure for their users
17:51:18 … they make some notes about concerns about https
17:51:30 … but conclude ultimately that we should get there, using https
17:51:45 there is something of a to-do list in that document: http://www.w3.org/2001/tag/doc/web-https#building-a-secure-web-with-w3c-standards
17:52:02 christine: is there going to be any follow-on work from the TAG here?
17:52:23 wseltzer: in Web App Sec, we're doing work on features that require a privileged context (powerful features)
17:52:34 … you don't want a random injection into an insecure website
17:52:39 there has been some discussion in TAG on certificates and HTTPS, about HTTPS as a three-party protocol
17:52:49 … geoloc has sent us a ping about this kind of question
17:53:04 … what is a secure context and how does a feature figure out if it is indeed operating in a secure context
17:53:15 … TAG will help to identify these features for a secure context
17:53:29 … relevant to privacy as many of the features could reveal sensitive or personal information
17:53:45 christing: do want to follow this work and get involved
17:53:52 s/christing/christine/
17:53:59 s/?me thanks Nick//
17:54:06 … follow up on the next call
17:54:13 … mnot will be there in Dallas at IETF 92
17:54:25 q?
17:54:26 q?
17:54:36 ack JoeHallCDT
17:54:36 JoeHallCDT, you wanted to comment on how it differs from the IAB confidentiality statement
17:54:58 JoeHallCDT: I'm showrunner for IAB Priv & Sec Program statement on confidentiality
17:55:04 ... a document ultimately published by the IAB
17:55:15 http://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
17:55:52 JoeHallCDT: the integrity piece: importance of people on-path being able to change code on its way to the user
17:56:04 +q
17:56:12 ... to the extent there are differences between the IAB and W3C TAG statements, what motivates those?
17:56:33 ... CDT (and many of you others) work at both IETF and W3C
17:57:03 s/being able/not being able/
17:57:10 ... bringing on new staff to help, including with W3C work
17:57:26 ... can follow up about trust and resiliency work also done at IAB Priv & Sec Program
17:57:45 yes, I'll be there!
17:57:57 christine: we can talk about this nexus at IETF
17:58:03 ack Mike_O_Neill
17:58:22 Mike_O_Neill: don't know all the detail, but the problem with HTTPS seems to be scaling...
17:58:24 q+ on webappsec work
17:58:32 … lots of http urls out there, how do you convert
17:58:44 -npdoty
17:58:45 … mixed content breaks many UAs
17:59:10 I've certainly struggled with implementations because of mixed content restrictions
17:59:11 [incidentally, WebAppSec has a draft coming out today on "upgrade insecure requests": http://www.w3.org/TR/2015/WD-upgrade-insecure-requests-20150226/ ]
17:59:21 … https is based on PKI such that you have to trust that the keys you are getting are not bad
17:59:51 … another problem is that if you have a secure context, you don't have a transparent set of relationships
18:00:10 (Need to drop off phone but will be on irc...)
18:00:14 -JoeHall
18:00:15 JoeHallCDT has left #privacy
18:00:15 -tara
18:01:16 Things are quiet since scribe departed.
18:01:18 where is that?
18:01:29 -dsinger
18:01:30 -Katie_Haritos-Shea
18:01:31 -chaals
18:01:32 -Wendy
18:01:32 -fjh
18:01:33 -Mike_O_Neill
18:01:33 -HadleyBeeman
18:01:37 IETF is in Dallas in mid-March
18:01:40 -karen_oDonoghue
18:01:40 -terri
18:01:42 -Kepeng
18:01:42 Thank you all. Details about next call on email.
18:01:45 -Charles
18:01:46 -christine
18:01:47 Team_(privacy)17:00Z has ended
18:01:47 Attendees were npdoty, christine, tara, Wendy, Kepeng, Katie_Haritos-Shea, Charles, karen_oDonoghue, Mike_O_Neill, dsinger, +1.202.407.aaaa, JoeHall, chaals, HadleyBeeman, terri,
18:01:47 ... fjh
18:01:50 trackbot, end meeting
18:01:50 Zakim, list attendees
18:01:50 sorry, trackbot, I don't know what conference this is
18:01:51 Thanks, all!
18:01:55 Mike_O_Neill, have you looked into some of WebAppSec's recent work on mixed content?
18:01:58 RRSAgent, please draft minutes
18:01:58 I have made the request to generate http://www.w3.org/2015/02/26-privacy-minutes.html trackbot
18:01:59 RRSAgent, bye
18:01:59 I see no action items