The work in the W3C Security Activity currently comprises two Working Groups, the Web Security Context Working Group and the XML Security Working Group.
The Web Security Context Working Group focuses on the challenges that arise when users encounter currently deployed security technology, such as TLS: while this technology achieves its goals on a technical level, attackers' strategies shift towards bypassing the security technology instead of breaking it. When users do not understand the security context in which they operate, it becomes easy to deceive and defraud them. This Working Group is currently planning to see its main deliverable, the User Interface Guidelines, through to Recommendation, but will not engage in additional Recommendation Track work beyond this deliverable. The Working Group is currently operating at reduced Team effort (compared to the initial effort reserved to this Working Group). Initial (and informal) conversations are under way about forming an Interest Group that would provide a forum for the group's participants, and could also serve as a point of contact for specification review.
The XML Security Working Group started up in summer 2008, and has decided to publish an interim set of 1.1 specifications as it works towards producing a more radical change to XML Signature. The XML Signature 1.1 and XML Encryption 1.1 specifications clarify and enhance the previous specifications without introducing breaking changes, although they do introduce new algorithms. The recently published set of documents also includes Algorithm Cross-Reference, Properties and Best Practices documents to enable adoption, Derived Keys to recognize a needed use case, and Use Cases and Transform Simplification documents to obtain early feedback to guide the development of 2.0 specifications.
The Web Security Context Working Group published a second Last Call Working Draft of its User Interface Guidelines document. Based on feedback both in last-call comments and from implementers, the specification was cut down to specify best current practice in the space, as it has evolved over the last few years. Most experimental features have been dropped from this specification. By the time of the Advisory Committee Meeting, this last call will have concluded.
The XML Security Working Group published seven First Public Working Drafts on 26 February 2009, and solicits early community feedback:
In December 2008, the W3C Workshop on Security for Access to Device APIs from the Web -- organized in conjunction with the Mobile Web Initiative -- assembled implementers, specification writers and researchers to discuss the security implications of powerful APIs that become accessible to Web technologies. The Workshop report identifies concrete APIs and the definition of an exchange format for relevant security policies as high-priority work items that enjoy sufficient critical mass in the community. The Team has begun initial, informal conversations on scoping this kind of work.
We hope to see the Web Security Context: User Interface Guidelines specification move ahead further on the Recommendation Track. Also, as sketched above, a revised activity structure is likely to emerge later this year. In this context, the Team welcomes member input into work items that merit particular attention.
| Group | Chair | Team Contact | Charter |
|---|---|---|---|
| Web Security Context Working Group (participants) | Mary Ellen Zurko | Thomas Roessler | Chartered until 31 December 2009 |
| XML Security Working Group (participants) | Frederick Hirsch | Thomas Roessler | Chartered until 31 May 2010 |
This Activity Statement was prepared for the October 2008 W3C Advisory Committee Meeting (Members only) per section 5 of the W3C Process Document. Generated from group data.
Thomas Roessler, Security Activity Lead