See also: IRC log
Virginie: an update on the state of security work at W3C, with room for questions and ideas
... I work for a security company, have been working for 4 years to bring greater visibility to security at W3C
... very important topic
... W3C Groups: WebAppSec, WebCrypto, WebAuthn
... also WebSec IG, Hardware Based Secure Services CG
https://www.w3.org/2011/webappsec/
CSP, Secure Contexts, Subresource Integrity, Mixed Content, etc.
WebCrypto: Aims to move to PR in the next few weeks
Virginie: WebSec IG is a discussion group
... we've decided to reshape the group
... place to discuss (incubate) new topics; share information and analysis on web vulnerabilities
wseltzer: We will be taking ideas for incubation to CGs or IG, before bringing them to Rec track
Virginie: Hardware Based Secure Services https://www.w3.org/community/hb-secure-services/
... hardware for secure credential storage, crypto operations. How do you bridge those to the web?
... 2 subjects, secure credential storage + verification of where the credentials are stored
... secure transaction confirmation
-> https://rawgit.com/w3c/websec/gh-pages/hbss.html Report Hardware Based Secure Services features
Kepeng: Real Person-linking biometric authentication
... some feedback when I presented to WebSec: some parts covered in WebAuthn
Virginie: We've been asking, how does accessibility interface with security? How do we make security features fully accessible
nadalin_: has any blockchain or claims work come up?
Virginie: blockchain CG
... asked about key recovery
... Also, Web Payments
AdrianHB: Web Payments has 2 parts: Payment Request, Payment App (3d party processing)
... Payment App will be based on service worker, has to return
... expect there will be service workers using WebAuthn for authentication
... could use Hardware Sec when more mature
... it's up to the payment app to decide what to use
Virginie: we're working to support other groups -- Security reviews, questionnaire
https://w3ctag.github.io/security-questionnaire/
https://www.w3.org/TR/security-privacy-questionnaire/
Virginie: who wants to do spec reviews?
wseltzer: All spec transitions require security considerations, so if you want a new feature, you need to help us get it reviewed
kepeng: In IETF, author needs to get reviews
schunter: will it be required in all charters?
wseltzer: yes, and it's the WG's responsibility to get reviews
Frank: what about overlap between privacy and security questionnaires?
AdrianHB: in Payments, we had members of the group do reviews, and it helped to improve the specs
... Mozilla and Yandex reviewers
Kepeng: PING created some guidelines, such as fingerprinting guidance. Should WebSec do so?
<fwagner> Frank: and some kind of categorization like critical / uncritical would help to decide how intensive the review should be
AdrianHB: Security guidelines would be valuable from W3C at a spec design level. e.g. questions about where security boundaries are
... origins, paths, cookies,
... guidance to app developers, not just spec developers
... e.g. "if these are your requirements, you need to use origin boundaries"
... guidance or harder push-back against non-origin boundaries
dveditz: and WebAppSec is defining suborigins
... service worker isn't using the path as a security boundary, but for code separation
AdrianHB: as a developer, I might think the scope is the security boundary
... help get shared understanding of the design decisions
wseltzer: Good feedback for Ralph in A&T function
Virginie: I didn't hear new features here, but more support for spec authors and web developers
drogers: do we have responsible disclosure at W3C site?
... on the standards
... 3GPP is working on
AdrianHB: for Hardware Security, blockchain payments require ability to use stored private key to sign transactions
... and using the details relevant to the specific blockchain
Scribe: wseltzer. Date: 21 Sep 2016. Minutes URL: http://www.w3.org/2016/09/21-websec-minutes.html