18:39:03 RRSAgent has joined #webappsec 18:39:03 logging to http://www.w3.org/2015/09/21-webappsec-irc 18:39:05 RRSAgent, make logs world 18:39:05 Zakim has joined #webappsec 18:39:07 Zakim, this will be WASWG 18:39:07 I do not see a conference matching that name scheduled within the next hour, trackbot 18:39:08 Meeting: Web Application Security Working Group Teleconference 18:39:08 Date: 21 September 2015 18:40:25 wseltzer has changed the topic to: 21 August: https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0136.html 18:40:29 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0136.html 18:56:38 freddyb has joined #webappsec 18:56:59 deian has joined #webappsec 18:58:53 bhill2 has joined #webappsec 18:59:02 keiji has joined #webappsec 18:59:56 gmaone has joined #webappsec 18:59:59 +present bhill2 19:00:05 dwalp has joined #webappsec 19:00:14 +present mkwst 19:00:19 +present Jonathankingston 19:00:27 (Hope that does something... ;) ) 19:00:27 +present francois 19:00:36 haha 19:00:44 present+ bhill2 19:00:52 (I can't remember which side the plus goes on!) 19:01:17 present+ dveditz 19:01:55 If wseltzer is still around, I'm sure she can help. 19:02:23 https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=%2B%22present%2B%22+w3c&nfpr=1 << suggests after 19:02:39 present+ francois 19:02:40 +present gmaone 19:02:40 present+ Jonathankingston 19:02:47 Meeting: WebAppSec Teleconference, 21-September-2015 19:02:55 present+ gmaone 19:03:04 +present dwalp 19:03:12 Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0136.html 19:03:17 KristijanBurnik has joined #webappsec 19:03:29 Chairs: dveditz, bhill2 19:03:49 rbarnes has joined #webappsec 19:04:29 present+ mkwst 19:04:49 jww has joined #webappsec 19:04:58 TOPIC: minutes approval 19:05:04 TOPIC: Minutes Approval : 12:05-12:07 19:05:05 http://www.w3.org/2015/08/24-webappsec-minutes.html 19:05:06 present+ deian 19:05:06 http://www.w3.org/2015/08/24-webappsec-minutes.html 19:05:26 present+ KristijanBurnik 19:05:32 dveditz: minutes approved by unanimous consent 19:05:37 present+ jww 19:05:41 TOPIC: News: 19:06:18 present+ rbarnes 19:06:30 TPAC coming up 19:06:40 bhill2: hotels are filling up fast in Sapporo, book now 19:07:53 TOPIC: SRI status and issues: 19:08:05 present+ terri 19:08:26 freddyb: just use the phone :-( 19:08:27 francois: not much to report spec-wise 19:08:38 ... in final cleanup phases 19:08:45 ... expect to announce ready for CR soon 19:08:50 ... 2 implementations shipping 19:08:51 https://github.com/w3c/webappsec/milestones/SRI-v1-LC 19:09:16 ... tests are close to passing 19:10:39 I'm not sure if this has been checked in browsers yet: https://github.com/w3c/web-platform-tests/pull/2028 I think there are other fetch tests needed somewhat 19:10:47 ... failing closed vs. open when CORS attribute is missing is main open issue 19:10:54 ... what remains is a corner-case extension of that 19:11:09 ... not a big one 19:11:29 dveditz: target date for CR? 19:14:02 ah yes, JS libraries for example 19:14:39 here's a nice example: http://githubengineering.com/subresource-integrity/ 19:15:38 mkwst: should do what I did, send a note "we think we're done" to a number of lists and wait for no response 19:16:11 TOPIC: Credential Management 19:16:12 TOPIC: Credential Management 19:16:18 that is, something like https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0068.html 19:16:24 seems effective enough. *shrug* 19:16:26 https://w3c.github.io/webappsec/specs/credentialmanagement/ 19:16:26 https://github.com/w3c/webappsec/labels/credential 19:16:50 mkwst: some revision since last WD publication, mostly in response to input from Credentials CG and Web Payments IG 19:17:06 ... believe we've resolved the majority of conflicts and API is pretty stable and solid 19:17:29 ... Chrome has a reasonable impl of the API behind a flag, want to work on it more, especially UI 19:17:49 .. but does what we want with passwords, questions about federation are still more open 19:18:05 ... question at the moment is how to present federations both to websites/relying parties and the identity providers themselves. 19:18:22 ... currently a relying party mode, where RP declares which origins it supports federations from 19:18:38 ... another model is to declare support for e.g. "OpenIDConnect" 19:18:54 ... think we need an origin-based model, that is what many RPs are using today 19:18:57 +1 to using origins 19:19:08 ... need to give them the ability to specify their trust relationships in that way 19:19:21 ... but also important to support protocol-based declarations to support the long tail 19:19:44 ... should be able to do same synthesis logic as for origin based credentials 19:20:18 ... my proposal is to have a static method on the cred object to associate a protocol with the origin registering 19:20:41 ... so RP could declare support for a protocol and user agent could map that to origins at which user has that kind of relation 19:21:08 ... biggest remaining issue then is to figure exactly what we are doing with protocols 19:22:13 rbarnes: might be useful to port some identity provider proxy stuff from WebRTC, seems like spec may be moving sorta in that direction 19:22:26 ... have a personal todo to see if that makes sense 19:22:35 mkwst: do think IdP proxy is interesting and we should look into it 19:23:02 ... currently spec can treat passwords as an opaque form data object that is only accessible to the network not local script 19:23:34 ... a very light version of what IdP proxy provides, hope its enough, but interested in exploring what it could provide 19:23:57 rbarnes: would importing something like IdP proxy help unify these two cases: opaque password submission and entirely opaque credential for federation 19:24:15 mkwst: when we define data provided by federatedCredential, currently it is just a hint 19:24:58 ... next step, deeper integration in browser, requires protection of tokens where IdP proxy might be interesting way of doing that 19:25:25 ... anyway - close to what I consider a first cut is done 19:25:38 keiji has joined #webappsec 19:25:49 ... requesting feedback from 1Password 19:26:16 ... users of Android equivalent APIs are interested in using it on the web 19:27:12 dveditz: could browsers on Android use the backing store to support this API? 19:27:37 mkwst: would have to talk to android folks, but there is broad conceptual similarity 19:28:02 ... reasonable to move into "wide review" and advancing past WD in a few weeks, but needs more feedback from other browser vendors 19:28:14 It's odd because Ryan Sleevi wrote on blink-dev that blink no longer uses OSX keychain to store passwords or certificates 19:28:34 I was working on a chrome extension to mock the API nothing to show yet 19:28:58 dveditz: tanvi has been looking at this with moz password manager folks 19:29:07 bblfish: Chrome doesn't use keychain. sorry if my description was confusing. 19:29:22 tanvi has joined #webappsec 19:29:35 dwalp: aware and tracking, not much bandwidth to do more given other priorites 19:29:45 it used to. I am pretty sure I was able to switch between Safari and Chrome - ( and was really happy about that ) 19:30:03 (me and some folk at stanford were planning to take a look and evaluate this in the coming month) 19:30:27 bblfish: Apple removed all the advantage of the integration by locking things down to applications delivered via their app store. Due to sandboxing, Chrome won't be in their app store. 19:30:36 ah 19:30:43 sad 19:30:47 TOPIC: COWL status 19:31:25 deian: integrated all talked about changes, thanks for feedback 19:31:41 ... think we have an version ready to announce and get feedback from developers + implementers on the APIs 19:31:51 https://w3c.github.io/webappsec/specs/cowl/ 19:31:54 ... a few issues of particular interest, maybe now or maybe after we announce the draft 19:33:08 ... need to look at going back into CSP spec for message-src and navigation-src 19:33:18 ... want to ask this group about covert channels 19:33:30 ... seems a bit nasty to have to go modify leakage through things like height + width 19:33:39 ... could tighten it down in future versions 19:33:47 ... curious what people think about this? 19:34:11 mkwst: establishing reasonable behavior for overt channels is interesting enough 19:34:19 ... but document covert channels and come back to those 19:34:35 ... there will probably be a lot of them, doesn't seem to be an explicit goal to stop this 19:34:53 ... do the easy covert channels, but don't make that the focus 19:35:10 deian: ok, will add a section on existing covert channels we may lock down later 19:35:39 deian: also, questions about top-level navigation 19:36:07 ... once you unlabel a unique label, you can only talk to the sender of that message 19:36:25 ... currently spec allows you to navigate the page away in a top-level context 19:36:29 ... this would leak 19:37:17 ... worried about unlabeling without checking, and then user has to use address bar to move away 19:37:55 ... maybe have a default url that can be navigated to... 19:38:36 mkwst: I do think punting is reasonable, it is expected for a FPWD that there are issues and things will change. moving to list or github issue is probably best way to resolve that 19:38:51 bblfish: I think deian has patches for Firefox, but you'd have to build it yourself. don't think it works as an add-on 19:39:09 deian: so then maybe we should ship this as FPWD 19:39:14 bhill2: +1 19:39:28 deian: re: browser to play with, there is a firefox build but doesn't implement this API 19:39:36 ... on cowl.ws 19:39:49 cool 19:39:51 ... but maybe working with JS polyfill is best first 19:41:49 TOPIC: splitting out specs into their own repositories in GitHub 19:42:17 mkwst: has been suggested by a number of people, pretty much everyone seems interested except Joel 19:42:36 ... posted an example of what that might look like 19:42:59 q+ 19:43:07 ack bhill2 19:43:08 q+ 19:43:21 https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0071.html 19:43:59 ack dveditz 19:44:03 ack bhill2 19:44:05 ack bhill 19:44:24 bhill2: main benefit here is to get updates to TR pushed automatically 19:44:33 dveditz: what happens to issues? 19:45:05 mkwst: github has an api to port issues 19:45:51 ... worst case, keep existing issues where they are and start using new repos for new issues 19:47:36 dveditz: anyone object to announcing decision on the list to be effective in one week? 19:47:46 19:48:09 dveditz: one of the chairs to post such an announcement to the list 19:48:31 TOPIC: secure contexts 19:48:49 mkwst: this spec is done, read it and give feedback please, expect to issue a call to move to CR within a week or two 19:49:46 dveditz: next call is Oct 5 19:49:48 +1 19:49:50 Thanks all 19:49:52 +1, thanks 19:49:54 wave 19:49:56 rrsagent, make minutes 19:49:56 I have made the request to generate http://www.w3.org/2015/09/21-webappsec-minutes.html bhill2 19:50:09 rrsagent, ste logs world 19:50:09 I'm logging. I don't understand 'ste logs world', bhill2. Try /msg RRSAgent help 19:50:17 rrsagent, set logs world 20:10:47 bhill2 has joined #webappsec 21:30:58 bhill2 has joined #webappsec 21:31:33 bhill2 has joined #webappsec 22:20:12 bhill2 has joined #webappsec 22:21:07 bhill2 has joined #webappsec 22:30:16 bhill2 has joined #webappsec 23:03:36 keiji has joined #webappsec 23:24:46 bhill2_ has joined #webappsec 23:25:25 gmaone_ has joined #webappsec 23:25:51 bhill2 has joined #webappsec