Web Security Context Working Group Charter
The mission of the Web Security Context Working Group is
to specify a baseline set of security context information that should be
accessible to Web users, and practices for the secure and usable presentation
of this information, to enable users to come to a better understanding of the
context that they are operating in when making trust decisions on the Web.
End date: 31 July 2010
Confidentiality: See Confidentiality and Communication
Initial Chair: Mary Ellen Zurko (IBM)
Initial Team Contact (FTE %: 35): Thomas Roessler
Usual Meeting Schedule: face-to-face meetings 3-4 annually; teleconferences weekly
Background and Scope
Background
The goal of this Working Group is to enable users to come to a better
understanding of the context that they are operating in when making trust
decisions on the Web; e.g., giving up passwords or other sensitive
information to possibly malicious sites. This charter follows up on
discussions from the W3C Workshop on Usability and Transparency of Web
Authentication on leveraging metadata and improving the security of user
interfaces and user agent behaviors.
Current Web user agents communicate only a small portion of available
security context information to users in a way that is easily perceived and
understood. Other context information that might be available to user agents
and possibly helpful to users is either not presented, or presented in a way
that is not understood by users, and hence useless or confusing. This
information ranges from logotypes and company names and addresses that might
be present in PKI certificates, to the user agent's memory of past
activities.
Where the mechanisms used to communicate context information can be
effectively spoofed by Web content, attackers can serve fake security
indicators of their own, and the genuine indicators become useless.
Deliverables
- A Working Group Note that documents the use cases and scenarios that
the group elects to address, and the assumptions that it will make. The
Working Group will use this document to establish the scope of its
Recommendation-track deliverables.
- A W3C Recommendation that specifies a minimal set of security context
information to be made accessible to users, and best practices for the
usable presentation of this information.
- A W3C Recommendation that specifies techniques that make the
presentation of security context information more robust against spoofing
attacks. The Group expects to establish two levels of conformance to
these techniques: required and recommended. One example of a possible
required technique is a limitation on scripting capabilities; one example
of a possible recommended technique is an interactive ceremony that can
help establish a trusted path from the Web user agent to the user. An
example of an authoring technique that could be proposed as
mandatory-to-implement is the use of TLS when soliciting user
credentials.
The group may elect to merge the recommendations.
In specifying a baseline of security context information, the group should
focus on security context information that can be made available through
existing protocols. This group is not chartered to develop new protocol-level
security features.
Schedule
This schedule represents an initial plan. Updated milestones will be
available on the Working Group home
page.
- October 2006: Group starts; participants join.
- 14/15 November 2006: Initial face-to-face meeting, New York, USA.
- January 2007: First public Working Drafts of Recommendations and Working
Group Note.
- February 2007: Second face-to-face meeting.
- April 2007: Second public Working Drafts of Recommendations; Last Call of
Working Group Note.
- June 2007: Third face-to-face meeting.
- July 2007: Third public Working Drafts of Recommendations; Last Call of
Recommendations.
- Q4 2007: Candidate Recommendations.
- Q4 2007: Proposed Recommendations.
- Q1 2008: Recommendations.
- Q2 2008: Contingency period.
Dependencies
The lists of both internal and external entities that are given in this
section are tentative. The Working Group is expected to review and revise
them as it works out the Use Cases, Scenarios, and Assumptions Working Group
Note. Possible additional coordination relationships could, e.g., include
groups both inside and outside W3C that work on the Mobile Web.
W3C Groups
The Web Security Context Working Group should coordinate its activities
with other relevant W3C Working Groups, specifically:
- User Agent Accessibility Guidelines Working Group: The User Agent
Accessibility Guidelines explain to user agent developers how to make their
products more accessible to people with disabilities and how to increase
usability for all users.
- Web API Working Group: The W3C Web API Working Group is chartered to
develop standard APIs for client-side Web application development. This
includes work on an API specification for a client interface, commonly
implemented as the Window object in modern browsers.
- Web Application Formats Working Group: The mission of the W3C Web
Application Formats Working Group is to develop specifications that enable
improved client-side application development on the Web. This includes the
development of languages for applications, especially user interfaces.
- W3C Hypertext Coordination Group: The chair of this group will
participate in the W3C Hypertext Coordination Group to liaise with currently
chartered and emerging work on mark-up languages, style, and forms.
External Groups
The following is a tentative list of external bodies that the Working
Group should collaborate with:
- Internet Engineering Task Force: The IETF Public-Key Infrastructure
Working Group (PKIX) profiles ITU PKI standards, and develops new standards
about the use of X.509-based PKIs in the Internet. Additionally, the IETF
community is, as of fall 2006, considering new work on enhancements in Web
Authentication.
- OASIS: The OASIS Security Services Technical Committee is chartered to
define and maintain a standard, XML-based framework for creating and
exchanging security information between online partners. The OASIS Web
Services Security (WSS) Technical Committee is chartered to deliver a
technical foundation for implementing security functions such as integrity
and confidentiality in messages implementing higher-level Web services
applications. Where such applications are deployed in a user-facing manner,
security usability issues analogous to those encountered in the traditional
Web browsing environment are expected to arise.
- Liberty Alliance: Liberty Alliance is developing an open standard for
federated network identity that supports all current and emerging network
devices.
Confidentiality and Communication
Information about the WSC Working Group is available from the Working
Group home page. This group primarily conducts its work on the public mailing
list public-wsc-wg@w3.org. The group will use the Member-only mailing list
member-wsc-wg@w3.org for communications with other W3C Member-only groups and
for administrative purposes.
Patent Policy
This Working Group operates under the W3C Patent
Policy (5 February 2004 Version). To promote the widest adoption of Web
standards, W3C seeks to issue Recommendations that can be implemented,
according to this policy, on a Royalty-Free basis.
For more information about disclosure obligations for this group, please
see the W3C Patent Policy Implementation.
About this Charter
This charter has been created according to section 6.2
of the Process Document.
In the event of a conflict between this document or the provisions of any
charter and the W3C Process, the W3C Process shall take precedence.
This charter has been extended:
- On 22 June 2010, until 31 July 2010.
- On 22 December 2009, until 31 May 2010.
- On 4 June 2009, until 31 December 2009.
- On 7 July 2008, until 30 June 2009.
$Id: wsc-charter.html,v 1.45 2010/06/22 13:33:33 roessler Exp $