Web Security Context
Working Group Charter

The mission of the Web Security Context Working Group is to specify a baseline set of security context information that should be accessible to Web users, and practices for the secure and usable presentation of this information, to enable users to come to a better understanding of the context that they are operating in when making trust decisions on the Web.

Join the Web Security Context Working Group!

End date 31 July 2010
Confidentiality See Confidentiality and Communication
Initial Chair Mary Ellen Zurko (IBM)
Initial Team Contact
(FTE %: 35)
Thomas Roessler
Usual Meeting Schedule Face-to-face meetings: 3-4 annually
Teleconferences: weekly

Background and Scope


The goal of this Working Group is to enable users to come to a better understanding of the context that they are operating in when making trust decisions on the Web; e.g., giving up passwords or other sensitive information to possibly malicious sites. This charter follows up on discussions from the W3C Workshop on Usability and Transparency of Web Authentication on leveraging metadata and improving the security of user interfaces and user agent behaviors.

Current Web user agents communicate only a small portion of available security context information to users in a way that is easily perceived and understood. Other context information that might be available to user agents and possibly helpful to users is either not presented, or presented in a way that is not understood by users, and hence useless or confusing. This information ranges from logotypes and company names and addresses that might be present in PKI certificates, to the user agent's memory of past activities.

Where the mechanisms that are used to communicate context information can be effectively spoofed by Web content, they also open the scene for attackers serving fake security indicators, and become useless.


  1. A Working Group Note that documents the use cases and scenarios that the group elects to address, and the assumptions that it will make. The Working Group will use this document to establish the scope of its Recommendation-track deliverables.
  2. A W3C Recommendation that specifies a minimal set of security context information to be made accessible to users, and best practices for the usable presentation of this information;
  3. a W3C Recommendation that specifies techniques that render the presentation of security context information more robust against spoofing attacks. The Group expects to establish two levels of conformance to these techniques: required and recommended. One example of a possible required technique are limitations to scripting capabilities; one example of a possible recommended technique are interactive ceremonies that can help establish a trusted path from the web user agent to the user. An example of an authoring technique that could be proposed as mandatory-to-implement would be the use of TLS when soliciting user credentials.

The group may elect to merge the recommendations.

In specifying a baseline of security context information, the group should focus on security context information that can be made available through existing protocols. This group is not chartered to develop new protocol-level security features.


This schedule represents an initial plan. Updated milestones will be available on the Working Group home page.

October 2006
Group starts; participants join.
14/15 November 2006
Initial face-to-face meeting, New York, USA.
January 2007
First public Working Drafts of Recommendations and Working Group Note
February 2007
Second face-to-face meeting
April 2007
Second public Working Drafts of Recommendations;
Last Call of Working Group Note.
June 2007
Third face-to-face meeting
July 2007
Third public Working Draft
Last Call of Recommendations
Q4 2007
Candidate Recommendations
Q4 2007
Proposed Recommendations
Q1 2008
Q2 2008
Contingency period.


The lists of both internal and external entities that are given in this section are tentative. The Working Group is expected to review and revise them as it works out the Use Cases, Scenarios, and Assumptions Working Group Note. Possible additional coordination relationships could, e.g., include groups both inside and outside W3C that work on the Mobile Web.

W3C Groups

The Web Security Context Working Group should coordinate its activities with other relevant W3C Working Groups, specifically:

User Agent Accessibility Guidelines Working Group
The User Agent Accessibility Guidelines explain to user agent developers how to make their products more accessible to people with disabilities and for increasing usability for all users.
The W3C Web API Working Group is chartered to develop standard APIs for client-side Web Application development. This includes work on an API specification for a client interface, commonly implemented as the Window object in modern browsers.
Web Application Formats
The mission of the W3C Web Application Formats Working Group is to develop specifications that enable improved client-side application development on the Web. This includes the development of languages for applications, especially user interfaces.
W3C Hypertext Coordination Group
The chair of this group will participate in the W3C Hypertext Coordination Group to liaise with currently chartered and emerging work on mark-up languages, style, and forms.

External Groups

The following is a tentative list of external bodies that the Working Group should collaborate with:

Internet Engineering Task Force
The IETF Public-Key Infrastructure Working Group (PKIX) profiles ITU PKI standards, and develops new standards about the use of X.509-based PKIs in the Internet. Additionally, the IETF community is, as of fall 2006, considering new work on enhancements in Web Authentication.
The OASIS Security Services Technical Committee is chartered to define and maintain a standard, XML-based framework for creating and exchanging security information between online partners. The OASIS Web Services Security (WSS) Technical Committee is chartered to deliver a technical foundation for implementing security functions such as integrity and confidentiality in messages implementing higher-level Web services applications. Where such applications are deployed in a user-facing manner, security usability issues analogous to those encountered in the traditional Web browsing environment are expected to arise.
Liberty Alliance
Liberty Alliance is developing an open standard for federated network identity that supports all current and emerging network devices.

Confidentiality and Communication

Information about the WSC Working Group is available from the Working Group home page. This group primarily conducts its work on the public mailing list public-wsc-wg@w3.org (archive). The group will use the Member-only mailing list member-wsc-wg@w3.org (archive) for communications with other W3C Member-only groups and for administrative purposes.

Patent Policy

This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.

For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.

About this Charter

This charter has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

This charter has been extended:

$Id: wsc-charter.html,v 1.45 2010/06/22 13:33:33 roessler Exp $