Difference between revisions of "IG/W3C security roadmap"

(Created page with "== Documentation == * Basic developer documentation for security through webplatform.org (as has been discussed in webcrypto and webappsec) and clear documentation and understand…")
 
Line 1: Line 1:
== Documentation ==
+
'''In 2013 several discussions related to security happened in W3C area. Here are the major features that were mentioned by different contributors, that the Web Security IG recommends to develop.'''
* Basic developer documentation for security through webplatform.org (as has been discussed in webcrypto and webappsec) and clear documentation and understanding of the "web security model". [by David Rogers]
+
  
== Improve Web Security Model ==
+
== Security Enablers ==
* Clear user-controllable / configurable boundaries between the outside "web world" and the local device [by David Rogers]
+
The platforms hosting the open web platform is offering some security features that are not made available yet to the web developers or to the user. It may be worth bringing to the open web platform the following features :
* Security-in-mind API design to allow for graceful failure as a result of user denial of access to particular features (e.g. device APIs / sysapps) [by David Rogers]
+
 
 +
- Using DANE (DNS-Based Authentication of Named Entities)
 +
Read [http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec article]
 +
 
 +
- Enabling usage of trusted elements
 +
Platform may embed some trusted elements offering functionality such as trusted storage, trusted execution... Those trusted elements can have different form such as embedded chip (TPM, embedded Secure Element), pluggable chip (SIM card, Smart Card, µSD), integrated Trusted Execution Environment.
 +
 
 +
== Security Indicators ==
 +
The user is sometimes gets lots when trying to audit and understand the security of the communication a web app is using. User interface and information made available to him varies largely from one browser to another. On the other hands, some sensitive services are now deployed over the web (communication via Web RTC, payment ...), for which the user should have more information. One possible feature to develop could be the standardization of the user interface in order to view or control the security level of the communication a web app is using.
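Review bot: the new revision drops the "Documentation" and "Improve Web Security Model" sections and the three items credited to David Rogers (developer documentation on webplatform.org, user-controllable boundaries between the web and the local device, security-in-mind API design for graceful failure on denied access) without carrying them into the new "Security Enablers" list or noting the removal in the edit summary; either keep them as bullets under the new headings or state why they were cut. The added "Security Indicators" paragraph also has typos ("gets lots" for "gets lost", "On the other hands"), and the DANE bullet links the bare word "article" rather than the article title.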

Revision as of 09:33, 17 January 2014

In 2013 several discussions related to security took place in the W3C area. Here are the major features mentioned by different contributors that the Web Security IG recommends developing.

Security Enablers

The platforms hosting the open web platform offer some security features that are not yet made available to web developers or to the user. It may be worth bringing the following features to the open web platform:

- Using DANE (DNS-Based Authentication of Named Entities). Read the Internet Society article: http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec

- Enabling usage of trusted elements. Platforms may embed trusted elements offering functionality such as trusted storage or trusted execution. Those trusted elements can take different forms: an embedded chip (TPM, embedded Secure Element), a pluggable chip (SIM card, Smart Card, µSD), or an integrated Trusted Execution Environment.
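The DANE item above only names the mechanism and points to the article. As an added example, not code from the IG page or from any W3C deliverable, the Python below shows the record-matching step a DANE-aware client performs: it builds the TLSA RDATA a zone operator would publish for a certificate, parses it back, and checks a presented certificate or public key against it under the RFC 6698 selector and matching-type rules. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER.

```python
# Added example (not part of the IG roadmap page): matching a DANE TLSA record
# against a server certificate, following the RFC 6698 record layout.
# CERT_DER / SPKI_DER are constructed placeholders, not real DER; a real client
# takes them from the certificate presented in the TLS handshake.
import hashlib
import hmac
import struct

# Certificate usage values (RFC 6698, section 2.1.1)
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
# Selector (section 2.1.2): 0 = full certificate, 1 = SubjectPublicKeyInfo
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
# Matching type (section 2.1.3): 0 = exact, 1 = SHA-256, 2 = SHA-512
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed sample inputs standing in for DER-encoded data.
CERT_DER = b"constructed-placeholder-certificate-der"
SPKI_DER = b"constructed-placeholder-subjectpublickeyinfo-der"


def association_data(cert_der, spki_der, selector, mtype):
    """Derive the Certificate Association Data a matching record must carry."""
    if selector == SELECTOR_CERT:
        selected = cert_der
    elif selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == MATCH_EXACT:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % mtype)


def make_tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Build the wire-format RDATA a zone operator would publish for this certificate."""
    header = struct.pack("!BBB", usage, selector, mtype)
    return header + association_data(cert_der, spki_der, selector, mtype)


def parse_tlsa_rdata(rdata):
    """Split wire-format RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def format_tlsa(rdata):
    """Render RDATA in the presentation format used in zone files and by dig."""
    usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
    return "%d %d %d %s" % (usage, selector, mtype, assoc.hex())


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate satisfies this single TLSA record.

    Malformed records and records with an unknown selector or matching type
    are unusable and never match. compare_digest also handles association
    data of the wrong length without raising.
    """
    try:
        _usage, selector, mtype, assoc = parse_tlsa_rdata(rdata)
        expected = association_data(cert_der, spki_der, selector, mtype)
    except ValueError:
        return False
    return hmac.compare_digest(expected, assoc)


def any_tlsa_matches(records, cert_der, spki_der):
    """An RRset accepts the certificate if at least one usable record matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in records)


if __name__ == "__main__":
    rd = make_tlsa_rdata(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, CERT_DER, SPKI_DER)
    print("published record:", format_tlsa(rd))
    print("presented key matches:", tlsa_matches(rd, CERT_DER, SPKI_DER))
    print("different key matches:", tlsa_matches(rd, CERT_DER, b"some-other-key"))
```

This covers only the record-matching step. A complete DANE client must also obtain the TLSA RRset through a DNSSEC-validating resolver (an unvalidated or bogus answer gives no authentication at all), and for usages 0, 1 and 2 it still performs the normal PKIX chain validation on top of the match; only usage 3 (DANE-EE) replaces that chain check.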

Security Indicators

The user sometimes gets lost when trying to audit and understand the security of the communication a web app is using. The user interface and the information made available to the user vary widely from one browser to another. On the other hand, some sensitive services are now deployed over the web (communication via WebRTC, payment, ...) for which the user should have more information. One possible feature to develop could be the standardization of the user interface used to view or control the security level of the communication a web app is using.