W3C

- DRAFT -

Security Jam

21 Sep 2016

See also: IRC log

Attendees

Present
Regrets
Chair
SV_MEETING_CHAIR
Scribe
wseltzer

Contents


Virginie: an update on the state of security work at W3C, with room for questions and ideas
... I work for a security company, have been working for 4 years to bring greater visibility to security at W3C
... very important topic
... W3C Groups: WebAppSec, WebCrypto, WebAuthn
... also WebSec IG, Hardware Based Secure Services CG

https://www.w3.org/Security/

https://www.w3.org/2011/webappsec/

CSP, Secure Contexts, Subresource Integrity, Mixed Content, etc.

WebCrypto: Aims to move to PR in the next few weeks

Virginie: WebSec IG is a discussion group
... we've decided to reshape the group
... place to discuss (incubate) new topics; share information and analysis on web vulnerabilities

wseltzer: We will be taking ideas for incubation to CGs or IG, before bringing them to Rec track

Virginie: Hardwarew Based Secure Services https://www.w3.org/community/hb-secure-services/
... hardware for secure credential storage, crypto operations. how do you bridge those to the web
... 2 subjects, secure credential storage + verification of where the credentials are stored
... secure transaction confirmation

-> https://rawgit.com/w3c/websec/gh-pages/hbss.html Report Hardware Based Secure Services features

Kepeng: Real Person-linking biometric authentication
... some feedback when I presented to WebSec: some parts covered in WebAuthn

Virginie: We've been asking, how does accessibility interface with security? How do we make security features fully accessible

nadalin_: has any blockchain or claims work come up?

Virginie: blockchain CG
... asked about key recovery
... Also, Web Payments

AdrianHB: Web Payments has 2 parts: Payment Request, Payment App (3d party processing)
... Payment App will be based on service worker, has to return
... expect there will be service workers using WebAuthn for authentication
... could use Hardware Sec when more mature
... it's up to the payment app to decide what to use

Virginie: we're working to support other groups -- Security reviews, questionnaire

https://w3ctag.github.io/security-questionnaire/

https://www.w3.org/TR/security-privacy-questionnaire/

Virginie: who wants to do spec reviews?

wseltzer: All spec transitions require security considerations, so if you want a new feature, you need to help us get it reviewed

kepeng: In IETF, author needs to get reviews

schunter: will it be required in all charters?

wseltzer: yes, and it's the WG's responsibility to get reviews

Frank: what about overlap between privacy and security questionnaires?

AdrianHB: in Payments, we had members of the group do reviews, and it helped to improve the specs
... Mozilla and Yandes reviewers

Kepeng: PING created some guidelines, such as fingerprinting guidance. Should WebSec do so?

<fwagner> Frank: and some kind of categorization like critical / uncritical would help to decide how intensive the review should be

AdrianHB: Security guidelines would be valuable from W3C at a spec design level. e.g. questions about where security boundaries are
... origins, paths, cookies,
... guidance to app developers, not just spec developers
... e.g. "if these are your requirements, you need to use origin boundaries"
... guidance or harder push-back against non-origin boundaries

dveditz: and WebAppSec is defining suborigins
... service worker isn't using the path as a security boundary, but for code separation

AdrianHB: as a developer, I might think the scope is the secuirty boundary
... help get shared understanding of the design decisions

wseltzer: Good feedback for Ralph in A&T function

Virginie: I didn't hear new features here, but more support for spec authors and web developers

drogers: do we have responsible disclosure at W3C site?
... on the standards
... 3GPP is working on

AdrianHB: for Hardware Security, blockchain payments require ability to use stored private key to sign transactions
... and using the details relevant to the specific blockchain

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/09/21 10:54:41 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.144  of Date: 2015/11/17 08:39:34  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

No ScribeNick specified.  Guessing ScribeNick: wseltzer
Inferring Scribes: wseltzer

WARNING: No "Topic:" lines found.


WARNING: No "Present: ... " found!
Possibly Present: AdrianHB Frank KLM Karima QingAn RobTrace Virginie WebCrypto Yoshiro bhill2 brunoj drogers dveditz frodek fwagner https hwlee jib jwehrman keiji kepeng kinjim mikepie nadalin_ schunter shigeya teddink weiler wseltzer
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy


WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Got date from IRC log name: 21 Sep 2016
Guessing minutes URL: http://www.w3.org/2016/09/21-websec-minutes.html
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report


[End of scribe.perl diagnostic output]