10:05:37 RRSAgent has joined #websec
10:05:37 logging to http://www.w3.org/2016/09/21-websec-irc
10:06:24 jwehrman has joined #websec
10:07:02 RobTrace has joined #websec
10:07:42 nadalin_ has joined #websec
10:08:17 KLM has joined #websec
10:08:33 Meeting: Security Jam
10:08:37 Yoshiro has joined #websec
10:08:41 teddink has joined #websec
10:09:02 kinjim has joined #websec
10:09:05 weiler has joined #websec
10:09:12 frodek has joined #websec
10:09:30 Virginie: an update on the state of security work at W3C, with room for questions and ideas
10:09:36 mikepie has joined #websec
10:09:47 keiji has joined #websec
10:09:48 QingAn has joined #websec
10:10:04 brunoj has joined #websec
10:10:52 fwagner has joined #websec
10:11:37 Virginie: I work for a security company, have been working for 4 years to bring greater visibility to security at W3C
10:11:45 ... very important topic
10:12:05 ... W3C Groups: WebAppSec, WebCrypto, WebAuthn
10:12:13 jib has joined #websec
10:12:48 ... also WebSec IG, Hardware Based Secure Services CG
10:13:01 schunter has joined #websec
10:13:17 https://www.w3.org/Security/
10:16:54 https://www.w3.org/2011/webappsec/
10:17:32 CSP, Secure Contexts, Subresource Integrity, Mixed Content, etc.
10:17:34 shigeya has joined #websec
10:17:48 WebCrypto: aims to move to PR in the next few weeks
10:18:13 Virginie: WebSec IG is a discussion group
10:18:29 ... we've decided to reshape the group
10:18:56 ... place to discuss (incubate) new topics; share information and analysis on web vulnerabilities
10:21:10 wseltzer: We will be taking ideas for incubation to CGs or IG, before bringing them to Rec track
10:21:42 Virginie: Hardware Based Secure Services https://www.w3.org/community/hb-secure-services/
10:22:06 ... hardware for secure credential storage, crypto operations. How do you bridge those to the web?
10:23:36 ... 2 subjects, secure credential storage + verification of where the credentials are stored
10:23:47 ... secure transaction confirmation
10:24:38 -> https://rawgit.com/w3c/websec/gh-pages/hbss.html Report Hardware Based Secure Services features
10:24:41 Karima has joined #websec
10:25:33 Kepeng: Real Person-linking biometric authentication
10:26:27 ... some feedback when I presented to WebSec: some parts covered in WebAuthn
10:27:16 Virginie: We've been asking, how does accessibility interface with security? How do we make security features fully accessible?
10:27:36 nadalin_: has any blockchain or claims work come up?
10:29:18 Virginie: blockchain CG
10:29:23 ... asked about key recovery
10:29:31 ... Also, Web Payments
10:30:09 bhill2 has joined #websec
10:30:18 AdrianHB: Web Payments has 2 parts: Payment Request, Payment App (3rd party processing)
10:30:35 ... Payment App will be based on service worker, has to return
10:31:03 ... expect there will be service workers using WebAuthn for authentication
10:31:30 ... could use Hardware Sec when more mature
10:32:44 AdrianHB: it's up to the payment app to decide what to use
10:34:02 Virginie: we're working to support other groups -- security reviews, questionnaire
10:34:17 hwlee has joined #websec
10:34:37 https://w3ctag.github.io/security-questionnaire/
10:35:07 https://www.w3.org/TR/security-privacy-questionnaire/
10:36:09 Virginie: who wants to do spec reviews?
10:36:19 q+
10:38:08 q-
10:38:42 wseltzer: All spec transitions require security considerations, so if you want a new feature, you need to help us get it reviewed
10:39:15 kepeng: In IETF, author needs to get reviews
10:40:42 schunter: will it be required in all charters?
10:40:53 wseltzer: yes, and it's the WG's responsibility to get reviews
10:41:08 Frank: what about overlap between privacy and security questionnaires?
10:42:08 AdrianHB: in Payments, we had members of the group do reviews, and it helped to improve the specs
10:42:38 ... Mozilla and Yandex reviewers
10:43:21 Kepeng: PING created some guidelines, such as fingerprinting guidance. Should WebSec do so?
10:43:34 Frank: and some kind of categorization like critical / uncritical would help to decide how intensive the review should be
10:44:29 AdrianHB: Security guidelines would be valuable from W3C at a spec design level, e.g. questions about where security boundaries are
10:44:42 ... origins, paths, cookies
10:45:03 ... guidance to app developers, not just spec developers
10:45:22 ... e.g. "if these are your requirements, you need to use origin boundaries"
10:46:04 ... guidance or harder push-back against non-origin boundaries
10:46:24 dveditz: and WebAppSec is defining suborigins
10:46:57 ... service worker isn't using the path as a security boundary, but for code separation
10:47:15 AdrianHB: as a developer, I might think the scope is the security boundary
10:47:24 ... help get shared understanding of the design decisions
10:48:07 wseltzer: Good feedback for Ralph in A&T function
10:48:55 weiler has joined #websec
10:49:27 Virginie: I didn't hear new features here, but more support for spec authors and web developers
10:49:59 drogers: do we have responsible disclosure at W3C site?
10:50:24 ... on the standards
10:50:35 ... 3GPP is working on
10:51:05 AdrianHB: for Hardware Security, blockchain payments require ability to use stored private key to sign transactions
10:51:51 ... and using the details relevant to the specific blockchain
10:51:53 frodek has joined #websec
10:53:59 rrsagent, make minutes
10:53:59 I have made the request to generate http://www.w3.org/2016/09/21-websec-minutes.html wseltzer
10:54:04 rrsagent, make logs public
10:54:06 rrsagent, make minutes
10:54:06 I have made the request to generate http://www.w3.org/2016/09/21-websec-minutes.html wseltzer