18:28:14 <RRSAgent> RRSAgent has joined #webappsec
18:28:14 <RRSAgent> logging to http://www.w3.org/2015/03/16-webappsec-irc
18:28:16 <trackbot> RRSAgent, make logs world
18:28:16 <Zakim> Zakim has joined #webappsec
18:28:17 <renoirb> renoirb has joined #webappsec
18:28:18 <trackbot> Zakim, this will be WASWG
18:28:18 <Zakim> ok, trackbot; I see SEC_WASWG()3:00PM scheduled to start in 32 minutes
18:28:19 <trackbot> Meeting: Web Application Security Working Group Teleconference
18:28:19 <trackbot> Date: 16 March 2015
18:32:28 <renoirb> renoirb has joined #webappsec
18:47:38 <renoirb> renoirb has joined #webappsec
18:56:11 <bhill2> bhill2 has joined #webappsec
18:58:26 <Zakim> SEC_WASWG()3:00PM has now started
18:58:33 <Zakim> +bhill2
19:00:51 <ekr> ekr has joined #webappsec
19:00:58 <ekr> Zakim is fighting with me
19:01:07 <bhill2> 92794
19:01:08 <Zakim> +[Microsoft]
19:01:09 <Zakim> + +1.434.941.aaaa
19:01:16 <Zakim> +[Mozilla]
19:01:22 <Zakim> + +1.503.712.aabb
19:01:26 <ekr> yeah, I ended up being hung up on
19:01:30 <bhill2> zakim, Mozilla has ekr, richard barnes
19:01:30 <Zakim> +ekr, richard, barnes; got it
19:01:30 <ekr> [Mozilla] has ekr
19:01:37 <terri> Zakim, aabb is me
19:01:37 <Zakim> +terri; got it
19:01:44 <bhill2> zakim, Microsoft has David Walp
19:01:44 <Zakim> +David, Walp; got it
19:01:54 <dwalp> dwalp has joined #webappsec
19:02:10 <bhill2> zakim, aaaa is richard barnes
19:02:10 <Zakim> I don't understand 'aaaa is richard barnes', bhill2
19:02:19 <bhill2> zakim, aaaa is rbarnes
19:02:19 <Zakim> +rbarnes; got it
19:02:44 <rbarnes> rbarnes has joined #webappsec
19:02:46 <rbarnes> o hai
19:03:02 <rbarnes> zakim, who's on the call?
19:03:02 <Zakim> On the phone I see bhill2, [Microsoft], rbarnes, [Mozilla], terri
19:03:03 <Zakim> [Mozilla] has ekr, richard, barnes
19:03:03 <Zakim> [Microsoft] has David, Walp
19:03:13 <Zakim> + +1.646.821.aacc
19:03:14 <Zakim> +[IPcaller]
19:03:23 <dveditz> Zakim, ipcaller is dveditz
19:03:23 <Zakim> +dveditz; got it
19:03:32 <deian> Zakim: aacc is deian
19:03:41 <ekr> zakim: who is here?
19:04:05 <rbarnes> zakim, who is on the line?
19:04:05 <Zakim> I don't understand your question, rbarnes.
19:04:13 <ekr> zakim, who is here?
19:04:13 <Zakim> On the phone I see bhill2, [Microsoft], rbarnes, [Mozilla], terri, +1.646.821.aacc, dveditz
19:04:14 <rbarnes> zakim, who is on the phone?
19:04:16 <Zakim> [Mozilla] has ekr, richard, barnes
19:04:16 <Zakim> [Microsoft] has David, Walp
19:04:16 <Zakim> On IRC I see rbarnes, dwalp, ekr, bhill2, renoirb, Zakim, RRSAgent, dveditz, freddyb, pde, terri, wseltzer, timeless, mkwst, Josh_Soref, deian, tobie, schuki, trackbot
19:04:16 <Zakim> On the phone I see bhill2, [Microsoft], rbarnes, [Mozilla], terri, +1.646.821.aacc, dveditz
19:04:16 <Zakim> [Mozilla] has ekr, richard, barnes
19:04:16 <Zakim> [Microsoft] has David, Walp
19:04:28 <wseltzer_> wseltzer_ has joined #webappsec
19:04:43 <bhill2> rrsagent, make minutes
19:04:43 <RRSAgent> I have made the request to generate http://www.w3.org/2015/03/16-webappsec-minutes.html bhill2
19:05:45 <Zakim> +mkwst
19:06:37 <deian> Zakim, aacc is deian
19:06:37 <Zakim> +deian; got it
19:06:43 <bhill2> scribenick bhill2
19:06:46 <deian> i can do it
19:08:09 <deian> charter revieerd by the advisor committee. it was approved by by the AC. there was formal objextion by mozilla. we're trying to resolve that today. one issue was on the decisions process that was resolved. the second portion was the deliverable for COWL and concern that it was not clear enough. the charter language was updated and we have prototype implementation
19:08:15 <deian> bhill2:^
19:08:43 <rbarnes> who is speaking?
19:08:51 <mkwst> ekr: question is about side-channels, not about whether you can write software if you pretend side-channels don't exist.
19:09:02 <mkwst> deian: not exposing any new covert channels.
19:09:09 <mkwst> deian: only adding flow-control to overt channels.
19:09:15 <mkwst> deian: still enforcing csp, etc.
19:09:27 <mkwst> deian: want to close overt channels.
19:09:37 <mkwst> deian: give developers control, not remove risk of side-channels.
19:09:50 <mkwst> ekr: reading the text, says "untrusted code", core of the problem.
19:10:06 <mkwst> ekr: "untrusted" => covert is in scope.
19:10:13 <mkwst> deian: sure. we can change that.
19:10:20 <mkwst> ekr: what you just said is fine, text doesn't reflect it.
19:11:46 <ekr> Deian had proposed "untrusted, but not malicious."
19:12:09 <ekr> That's probably not quite the language I would use, but I can live with it
19:12:44 <deian> bhill2: next up was epr. updated the text to address comments. no objection on this. consensus
19:12:49 <deian> ekr: thanks :)
19:13:43 <mkwst> bhill2: (moving to priviliged context)
19:13:54 <mkwst> bhill2: (read text of charter)
19:14:01 <mkwst> bhill2: meeting eith Mozilla and TAG.
19:14:10 <dveditz> s/eith/with/
19:14:23 <mkwst> bhill2: following that meeting, dropped normative requirements for the definition of "powerful features"
19:14:38 <mkwst> bhill2: work with TAG, provide advice, decisions are decisions for other WGs.
19:14:49 <mkwst> bhill2: TAG, as elected body is better placed to review those decisions.
19:14:55 <mkwst> bhill2: (in a wind tunnel)
19:15:19 <bhill2> zakim, who is making noise?
19:15:29 <Zakim> bhill2, listening for 10 seconds I heard sound from the following: bhill2 (46%), dveditz (6%)
19:15:34 <mkwst> bhill2: (not in a wind tunnel)
19:16:10 <mkwst> bhill2: met with TAG. advice is non-normative, encourages WGs to consider privacy impact of delivering certain features over plaintext.
19:16:21 <mkwst> bhill2: leaves decision in the hands of WG and ultimately TAG.
19:16:32 <mkwst> bhill2: joint-deliverable with TAG.
19:16:51 <mkwst> bhill2: spirit of the spec dictated by TAG, not crazy security folks like Mike. Who is crazy.
19:17:05 <mkwst> bhill2: anyone interested in addressing concerns to the group?
19:17:19 <mkwst> rbarnes: to clarify, the current concerns are:
19:17:52 <mkwst> rbarnes: the concern with charter language around "advisory".. in IETF, regardless of non-normativity, there's a tendency for those to be treated as gospel.
19:18:17 <mkwst> rbarnes: target we're going for is really to change the focus away from recommendations as to what should be in or out.
19:18:24 <mkwst> rbarnes: focus on examples where decisions have been made.
19:18:35 <mkwst> rbarnes: WebCrypto, getUserMedia.
19:18:43 <mkwst> rbarnes: had discussions, made decisions.
19:18:54 <mkwst> rbarnes: tradeoffs. compatibility, security.
19:19:11 <mkwst> rbarnes: rather than presuming to make decisions, better to discuss past discussions as examples.
19:19:33 <mkwst> rbarnes: at charter-level, recommend moving from 'non-normative advice' to examples we've learned from the in past.
19:19:53 <mkwst> ekr: rbarnes represents the concerns well.
19:20:13 <mkwst> ekr: been through one round of this style of analysis being used to force groups to do certain things.
19:20:26 <mkwst> ekr: our experience is that non-normative and normative language are similar.
19:20:40 <mkwst> ekr: 33 seconds from "this is non-normative" to "this is good advice, why not make it normative?"
19:20:54 <mkwst> mkwst: if it is good advice, why not make it normative?
19:21:00 <mkwst> ekr: to be frank, concern is that
19:21:22 <mkwst> ekr: as bhill2 suggested, meta-concern is that self-appointed group of security experts decided to dictate to the w3c.
19:21:35 <mkwst> ekr: means everyone has to pay attention to it.
19:22:01 <mkwst> ekr: i think it's bad advice.
19:22:07 <bhill2> mkwst: if it is good advice, why shouldn't people pay attention to it?
19:22:11 <mkwst> rbarnes: maturity of discussion issue here.
19:22:29 <mkwst> rbarnes: no consensus about the right box of advice, set of rules to cover large set of cases.
19:22:39 <mkwst> rbarnes: high confidence that we'd think the same things about specific examples.
19:22:47 <mkwst> rbarnes: subtle exercise to deal with future cases.
19:23:12 <mkwst> rbarnes: not at a point right now to wrangle about where we recommend use of priviliged contexts.
19:23:22 <mkwst> rbarnes: focus on defining priviliged contexts instead.
19:23:41 <mkwst> bhill2: should consider rules inside context of W3C.
19:23:52 <mkwst> bhill2: non-normative text isn't normative, per charter.
19:24:01 <mkwst> bhill2: explicitly reserved for WGs and review by TAG.
19:24:12 <mkwst> bhill2: charters voted on to define those scopes.
19:24:28 <mkwst> bhill2: not a handwave away. redefine charter. 18month window.
19:24:47 <mkwst> bhill2: unlimited debate? my reading of concensus is that this WG and the TAG both want that debate.
19:25:02 <mkwst> bhill2: should think about the security concerns. not endless, but should think about them.
19:25:09 <mkwst> bhill2: other WGs want that advice.
19:25:17 <mkwst> bhill2: ehard specifically from geolocation working group.
19:25:32 <mkwst> bhill2: reevaluating their choice, want advice, want that thought process.
19:25:50 <dwalp> dwalp has joined #webappsec
19:26:02 <mkwst> bjill2: process by which reviews happen, standing to make review, working groups or TAG.
19:26:10 <mkwst> bhill2: not in the same boat as IETF, no process without end.
19:26:24 <mkwst> rbarnes: i don't think that what you're proposing we develop is somethig i'd disagree with.
19:26:33 <mkwst> rbarnes: provide tools for others to make decisions.
19:26:47 <mkwst> rbarnes: see the word "recommendations", think "decision". in case XYZ, you should do A.
19:27:06 <mkwst> bhill2: a "recommendation" is what the W3C calls "specification".
19:27:20 <mkwst> rbarnes: "non-normative advice"?
19:27:30 <mkwst> bhill2: feel like we've met the sprit of the objection more than halfways.
19:27:38 <mkwst> s/halfways/halfway/
19:27:57 <mkwst> rbarnes: rephrase as soemthing like "provides notes, considerations, things to be taken into consideration"?
19:28:06 <mkwst> rbarnes: that phrasing would make me more comfortable.
19:28:12 <mkwst> rbarnes: happy to provide text.
19:28:23 <mkwst> bhill2: can you live with this text?
19:28:33 <mkwst> bhill2: waited 3 months. filed objection last day.
19:28:44 <mkwst> bhill2: refused to work on the list. didn't show up to the TAG call.
19:28:55 <mkwst> bhill2: gone through consensus process with community.
19:29:09 <mkwst> bhill2: hesitate to extend this process even longer if we're that close.
19:29:21 <mkwst> dveditz: this is just _charter_ text. spec text can be argued with.
19:29:38 <mkwst> ekr: didn't refuse to engage. david was on the TAG call.
19:29:50 <Zakim> +[Mozilla.a]
19:29:56 <mkwst> bhill2: specifically invited to join the mailing list. primary work mode.
19:30:27 <mkwst> bhill2: obligation to take changes back to stakeholders. would like to know if you can't live with this, given knowedge of the W3C's rules.
19:30:33 <mkwst> ekr: happy to engage on the mailing list.
19:30:42 <mkwst> ekr: acrimonious in the past, thought better to do it live.
19:30:48 <mkwst> ekr: wouldn't suicide.
19:30:54 <mkwst> ekr: also wouldn't withdraw formal objection.
19:31:08 <tanvi> tanvi has joined #webappsec
19:31:10 <mkwst> ekr: doesn't take long to circulate question on the list.
19:31:13 <tanvi> zakim, who is here?
19:31:13 <Zakim> On the phone I see bhill2, [Microsoft], rbarnes, [Mozilla], terri, deian, dveditz, mkwst, [Mozilla.a]
19:31:15 <Zakim> [Mozilla] has ekr, richard, barnes
19:31:15 <Zakim> [Microsoft] has David, Walp
19:31:15 <Zakim> On IRC I see tanvi, dwalp, wseltzer_, rbarnes, ekr, bhill2, renoirb, Zakim, RRSAgent, dveditz, freddyb, pde, terri, wseltzer, timeless, mkwst, Josh_Soref, deian, tobie, schuki,
19:31:15 <Zakim> ... trackbot
19:31:16 <mkwst> rbarnes: process?
19:31:27 <mkwst> rbarnes: pretty small, pretty specific change to the text.
19:31:33 <mkwst> rbarnes: can provide specific words.
19:31:37 <tanvi> zakim, [Mozilla.a] is tanvi
19:31:37 <Zakim> +tanvi; got it
19:31:41 <mkwst> rbarnes: whats the process implication of the text change?
19:32:02 <mkwst> bhill2: depends. engaged with the tag, went back to the list with that compromise position.
19:32:33 <mkwst> bhill2: specific desire on the part of the TAG and this group to provide advice. not normative or definitive, but should provide advice.
19:32:57 <mkwst> bhill2: this would meaningfully walk back the intent to encourage discussion and advice that's the standing consensus of a large number of stakeholders in this process.
19:33:10 <mkwst> bhill2: can't just change overnight without going back through and reengaging those stakeholders.
19:33:24 <mkwst> rbarnes: what would be the concrete action to resolve this change?
19:33:40 <mkwst> bhill2: not convinced that anyone but you and ekr want this change.
19:33:56 <mkwst> bhill2: not convinced resolving the objection would represent consensus.
19:34:07 <mkwst> ekr: pretty clear process for that case.
19:34:27 <mkwst> bhill2: are there other folks on this call who are in agreement with this change?
19:35:01 <mkwst> dveditz: unclear as to what words that have been spoken are those for this change.
19:35:18 <mkwst> rbarnes: non-normative advice -> examples and considerations(?) (help me here rbarnes)
19:35:25 <bhill2> https://w3c.github.io/webappsec/admin/webappsec-charter-2015.html
19:35:32 <mkwst> rbarnes: would mean revising doc, more for tone.
19:35:49 <bhill2> https://w3c.github.io/webappsec/specs/powerfulfeatures/
19:36:36 <bhill2> https://w3c.github.io/webappsec/specs/powerfulfeatures/#feature-requires-privilege
19:36:44 <bhill2> <- currently has no RFC2119 language at all
19:36:48 <bhill2> no SHOULD, no MUSt
19:38:07 <terri> I don't see an "algorithm" here: https://w3c.github.io/webappsec/specs/powerfulfeatures/#feature-requires-privilege
19:38:36 <bhill2> mkwst: there are broad categories, not an algorithm
19:39:00 <bhill2> ... in fact, most categories are defined with the help of examples
19:40:04 <bhill2> ekr: some of these examples are currently available in insecure contexts and will only be changed slowly if ever
19:40:30 <bhill2> mkwst: not sure why the particular words you want are more or less problematic than the other
19:40:42 <bhill2> ... the existing language does not give this group any power to dictate to any other group
19:40:58 <bhill2> ... explicitly delegates it to the TAG which does have the moral standing to give advice to other groups
19:41:38 <bhill2> rbarnes: in IESG today, any kind of "this thing should be that thing" makes it difficult to say "this thing should not be that thing"
19:42:25 <Zakim> +WSeltzer
19:43:45 <bhill2> mkwst: not convinced there is significant support for your position in this group or TAG
19:44:07 <bhill2> rbarnes: what is helpful is providing other groups with the tools to make better decisions.. they know their features better than we do
19:44:19 <bhill2> ... more productive to provide a toolset
19:44:34 <bhill2> mkwst: don't we need to give those groups a context to make their decisions in?
19:45:23 <bhill2> ... it is our role as members of WebAppSec and W3C to help groups understand the context in which they are working and the impact of the features they are creating that may not be visible if focused only on the feature itself
19:46:05 <bhill2> rbarnes: really important to have security considerations covered and input from security community into any given feature
19:46:29 <bhill2> ... if you look at documents in IETF, they don't see this is secure, this is not, they say these are the things to keep in mind when writing your security considerations section
19:47:44 <bhill2> rbarnes: not comfortable with language that says "the conclusion you should reach is..."
19:51:19 <wseltzer_> q+
19:52:17 <wseltzer_> q+ on timing
19:52:21 <bhill2> ack wseltzer_
19:52:21 <Zakim> wseltzer_, you wanted to comment on timing
19:53:30 <Zakim> -tanvi
19:54:34 <bhill2> plan for course of action:
19:54:59 <bhill2> EKR and RBarnes to draft a proposed change to public-webappsec and tag mailing list, seek expressions of support
19:55:45 <Zakim> -[Mozilla]
19:55:46 <bhill2> these will be considered in reviewing the charter with the Director for determining the shape of consensus
19:55:50 <Zakim> -deian
19:55:51 <Zakim> -dveditz
19:55:51 <Zakim> -[Microsoft]
19:55:52 <Zakim> -rbarnes
19:55:52 <Zakim> -WSeltzer
19:56:03 <Zakim> -bhill2
19:56:05 <Zakim> -terri
19:56:58 <Zakim> -mkwst
19:56:59 <Zakim> SEC_WASWG()3:00PM has ended
19:56:59 <Zakim> Attendees were bhill2, +1.434.941.aaaa, +1.503.712.aabb, ekr, richard, barnes, terri, David, Walp, rbarnes, +1.646.821.aacc, dveditz, mkwst, deian, [Mozilla], tanvi, WSeltzer
19:59:53 <bhill2_> bhill2_ has joined #webappsec
20:00:40 <bhill2_> rrsagent, make minutes
20:00:40 <RRSAgent> I have made the request to generate http://www.w3.org/2015/03/16-webappsec-minutes.html bhill2_
20:00:45 <bhill2_> rrsagent, set logs public-visible
20:10:22 <ekr> ekr has joined #webappsec
20:25:55 <tanvi> tanvi has joined #webappsec
20:35:07 <francois> francois has joined #webappsec
22:30:41 <ekr> ekr has joined #webappsec
23:38:51 <ekr> ekr has joined #webappsec