Difference between revisions of "IG/web security model"

(Understanding interaction with other technologies)
(Web Security model)
Line 18: Line 18:
 
- XML security set of specifications
 
- XML security set of specifications
  
- Web Crypto API draft and Web Crypto Key Discovery API draft
+
- Web Crypto API [https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html draft] and Web Crypto Key Discovery API [https://dvcs.w3.org/hg/webcrypto-keydiscovery/raw-file/tip/Overview.html draft]
  
 
- to be completed
 
- to be completed
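Review bot: The two links added on the Web Crypto line both point at `raw-file/tip` in the dvcs.w3.org Mercurial repositories, so they follow whatever the newest editor's draft is rather than a fixed revision. If this list is meant to record which draft was reviewed, link a changeset-pinned or dated copy instead, or state next to the link that it is the living editor's draft. The unchanged XML security entry in the same hunk still has no link, so it may be worth linking it in the same pass for consistency.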

Revision as of 15:03, 16 January 2014

Web Security model

The W3C Web Security Interest Group has not yet produced any documentation detailing the security model offered by the web. Nevertheless, some good references can be found in the following resources:

This deliverable reports on the broad web security assessment of STREWS. As part of this report, we provide a clear and understandable overview of the Web ecosystem, and discuss the vulnerability landscape, as well as the underlying attacker models. In addition, we provide a catalog of best practices with existing countermeasures and mitigation techniques, to guide European industrial players to improve step-by-step the trustworthiness of their IT infrastructures. The report concludes with interesting challenges for securing the Web platform, opportunities for future research and trends in improving web security.

  • The W3C specifications dealing with security features are the following:

- CORS Proposed Recommendation

- CSP 1.0 Candidate Recommendation and CSP 1.1 draft

- User Interface Security Directives for Content Security Policy draft

- XML security set of specifications

- Web Crypto API draft and Web Crypto Key Discovery API draft

- to be completed

Understanding interaction with other technologies

W3C technologies rely on the internet and interact with web security technologies defined by external standardization bodies. It is of high interest for the W3C Web Security Interest Group to maintain a reasonable knowledge of those technologies and of how they overlap, interact and bind with each other. The following list identifies the technologies we should pay attention to: