00:00:28 <dveditz_> abarth: I can tell you a little how we deal with similar issues. compositor is able to do hit testing (3d graphics has multiple buffers, kind of like that, one "layer" is touch)
00:01:37 <dveditz_> bhill2: this will be something to melt my brain against
00:01:45 <dveditz_> abarth: I can link to some design documents
00:01:50 <dveditz_> bhill2: that would be helpful
00:01:53 <wseltzer> issue-53?
00:01:53 <trackbot> ISSUE-53 -- UI Security model for composited drawing models -- raised
00:01:53 <trackbot> http://www.w3.org/2011/webappsec/track/issues/53
00:02:16 <dveditz_> bhill2: 5:00 -- anyone have any fundamental rewrites they want to suggest in the next 30 seconds?
00:02:23 <dveditz_> [all] no!
00:03:05 <dveditz_> bhill2: are the issues just raised something that should block a new working draft? show of hands for moving to the next round
00:03:18 <bhill2> RESOLVED: advance current ED to WD for UI Security
00:03:18 <dveditz_> (consensus assent, no objections)
00:03:39 <dveditz_> bhill2: with that we'll call it a day, start tomorrow at 9:30
00:04:09 <dveditz_> tlr: one second... the UI-safety piece is exceeding the old charter?
00:04:32 <dveditz_> bhill2: no, it's explicitly part of the old chartter, andy insisted it was there as a condition of my being a chair of the WG
00:04:45 <dveditz_> bhill2: virginie wanted to update us on web crypto
00:04:57 <dveditz_> virginie: nothing specific, but just let everyone know the statue
00:05:08 <wseltzer> [WebCrypto: http://www.w3.org/2012/webcrypto/ ]
00:05:09 <dveditz_> virginie: working one main API, Web Crypto api.
00:05:31 <dveditz_> virginie: you can create a key, shape it iwht the right parameters and use that to sign things
00:06:02 <dveditz_> virginie: we are almost done in terms of functionality -- everything is drafted. w have some sensitive functions we would like to add
00:06:41 <dveditz_> virginie: so we are planning to go for Last Call in october. PWD in May
00:07:17 <dveditz_> virginie: most of you have delegates participating in the spec.also have another spec with same timeline, web crypto discovery api
00:07:45 <dveditz_> virginie: do you have pre-existing keys you want to use, led by Mark (?) from Netflix
00:07:57 <dveditz_> virginie: we also have a spec with use cases and requirements
00:08:09 <dveditz_> virginie: it would be great for yoiu guys to have a look at the spec
00:08:35 <dveditz_> virginie: another topic not in the WG because too much politics, tryin to describe the security model of the web
00:09:11 <dveditz_> virginie: crypto we need to define trust, never ending discussions on where the trust boundaries were. we're just supposed to deliver a tool
00:09:46 <dveditz_> virginie: hoping you can help define the web security model or we (both groups) can work together to define it
00:10:05 <dveditz_> virginie: how to integrate that into the W3C documentation effort
00:10:33 <dveditz_> bhill2: I pointed them at the paper abarth wrote with Devdatta
00:11:25 <dveditz_> drogersuk: there's a lot of good will toward doing this and there's a potential home in Web platform. need to reach out to OWASP out of courtesy
00:12:00 <dveditz_> abarth: glad the webcrypto group is taking security seriously
00:12:12 <dveditz_> drogersuk: lot of detractors as well, flaming on twitter etc
00:12:40 <dveditz_> bhill2: what is a principal, how does same-origin policy relate to server-side and client-side code
00:12:59 <dveditz_> bhill2: "crypto is useless because you can't defend against the site that delivered it to you"
00:13:22 <dveditz_> virginie: do we need to specify, "to be secure you need to use X.Y.Z technologies"
00:14:07 <dveditz_> virginie: in order to use the Web Crypto api as it is you have to have high crypto skills. detractors say web developers aren't so smart and it's a footgun (not her term)
00:14:52 <dveditz_> tanvi: are extensions using the same API as developers working on web sites, or are there multiple layers and extensions have access to a lower leve'?
00:15:02 <dveditz_> virginie: we did not make that distinction
00:17:11 <dveditz_> drogersuk: we tried to get into the high level api, but it became very complex -- different groups needed different things. didn't reach a proper conclusion on it
00:18:03 <dveditz_> virginie: we will document how to use the low level API correctly. High level is not existing, we hope people will write libraries to do higher level services
00:18:27 <dveditz_> drogersuk: that went alongisde the dev docs, describing how people were using these insecurely
00:19:23 <dveditz_> drogersuk: the level of documentation we're at is different from what most web developers need. needs to be friendlier, more explanations. developers are creating large amounts of insecurity by trying to work around the current web capabilities
00:20:06 <dveditz_> bhill2: chair discretion, we need to call a halt now. we have scheduled to talk about this tomorrow
00:20:11 <dveditz_> tlr: what time?
00:20:41 <dveditz_> bhill2: we have dimitri coming at 9:30, maybe can get to this at 10:30?
00:20:54 <dveditz_> tanvi: have we decided on tpac?
00:21:14 <dveditz_> bhill2: we need to send it to the list and see how people respond definitively
00:21:30 <dveditz_> exeunt
00:22:05 <wseltzer> s/dveditz_/dveditz/g
00:22:23 <wseltzer> trackbot, end meeting
00:22:23 <trackbot> Zakim, list attendees
00:22:23 <Zakim> As of this point the attendees have been +1.650.488.aaaa, mkwst_, bhill, abarth, drogersuk, wseltzer, Dan_Veditz, tlr, Neil_Matatall, Jeff_Hodges, puhley, Tanvi, +1.781.369.aabb,
00:22:27 <Zakim> ... +1.781.369.aacc, adrianb, David_Ross
00:22:31 <trackbot> RRSAgent, please draft minutes
00:22:31 <RRSAgent> I have made the request to generate http://www.w3.org/2013/04/26-webappsec-minutes.html trackbot
00:22:32 <trackbot> RRSAgent, bye
00:22:32 <RRSAgent> I see no action items
16:15:16 <RRSAgent> RRSAgent has joined #webappsec
16:15:16 <RRSAgent> logging to http://www.w3.org/2013/04/26-webappsec-irc
16:15:18 <trackbot> RRSAgent, make logs world
16:15:18 <Zakim> Zakim has joined #webappsec
16:15:20 <trackbot> Zakim, this will be
16:15:20 <Zakim> I don't understand 'this will be', trackbot
16:15:21 <trackbot> Meeting: Web Application Security Working Group Teleconference
16:15:21 <trackbot> Date: 26 April 2013
16:16:52 <dveditz> dveditz has joined #webappsec
16:17:25 <bhill2> Present+ bhill2
16:17:31 <wseltzer> zakim, this is 92794
16:17:31 <Zakim> ok, wseltzer; that matches SEC_WASWG(F2F)12:00PM
16:19:59 <Zakim> + +1.781.369.aaaa
16:20:31 <wseltzer> zakim, aaaa is gopal
16:20:31 <Zakim> +gopal; got it
16:22:02 <bhill2> gopal, anything you want to add to the agenda?
16:22:04 <bhill2> we can't hear you
16:23:31 <Zakim> -gopal
16:23:52 <Zakim> +gopal
16:30:52 <bhill2> Topic: Web Components isolation and confinement model
16:30:54 <bhill2> https://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html#isolation-confinement-and-encapsulation
16:39:19 <drogersuk> present+ David_Rogers
16:39:30 <puhley> puhley has joined #webappsec
16:40:02 <drogersuk> Discussion of component isolation, confinement and encapsulation
16:40:32 <wseltzer> zakim, Paypal has bhill2, drogersuk, virginie, tlr, wseltzer, jeffh, puhley
16:40:32 <Zakim> +bhill2, drogersuk, virginie, tlr, wseltzer, jeffh, puhley; got it
16:41:03 <wseltzer> zakim, Paypal also has Dimitri_Glazkov
16:41:03 <Zakim> +Dimitri_Glazkov; got it
16:41:34 <jeffh> jeffh has joined #webappsec
16:42:51 <jeffh> does someone have a link for the doc that's on the screen ?
16:43:19 <virginie> https://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html
16:43:26 <drogersuk_> drogersuk_ has joined #webappsec
16:43:38 <drogersuk_> scribenick:drogersuk
16:43:50 <drogersuk_> scribenick:drogersuk_
16:44:08 <drogersuk_> DG: you can have offset parents as a member of a node
16:44:30 <jeffh> dimitri Glazbov (sp?) is holding forth on Introduction to Web Components  (link above)
16:44:40 <jeffh> Dimitri Glazkov
16:44:42 <drogersuk_> ..because of the CSS object model.. I'm not sure what the security sensitivity of render time is
16:44:45 <drogersuk_> ..style will leak
16:44:58 <drogersuk_> ..information, whether it is useful or not is a question
16:45:20 <drogersuk_> ..there is a massive thing about inventory targeting
16:45:27 <jeffh> we're looking at section 9 Isolation, Confinement and Encapsulation
16:45:42 <abarth> abarth has joined #webappsec
16:46:05 <drogersuk_> ...when you are in shadow DOM.. it will feel like you moved, outside.. to the user, it won't seem like anything
16:46:17 <drogersuk_> ..(talking about hovering over +1 buttons etc.)
16:46:37 <drogersuk_> ..there have been other approaches proposed
16:47:07 <drogersuk_> ..things like date object are just built out of javascript, with some privileged apis
16:47:24 <Zakim> + +1.650.648.aabb
16:47:25 <drogersuk_> ..could let other people have access to those privileged apis, but not desirable idea
16:47:38 <drogersuk_> ..shadow DOM is not a scripting context.
16:47:44 <drogersuk_> ..all scripting is assumed the same
16:47:49 <abarth> Zakim: aabb is abarth
16:47:59 <abarth> Zakim, aabb is abarth
16:47:59 <Zakim> +abarth; got it
16:48:44 <drogersuk_> (DG shows diagram on whiteboard of how boundaries work)
16:49:16 <drogersuk_> Discussion about where keyboard presses are captured etc.
16:49:46 <drogersuk_> DG: there is no formal concept of how events are stopped at the shadow DOM boundary
16:49:51 <drogersuk_> ...it is wide open at the moment
16:50:16 <drogersuk_> ..the notion is we don't want to leak any references out of the shadow DOM
16:51:04 <drogersuk_> ..by default, all these things are traversable. You can reach into the shadow DOM
16:51:26 <drogersuk_> ..we don't want to stop them reaching into it, just not accidentally
16:51:43 <drogersuk_> DV: so we can't jail it off
16:52:00 <drogersuk_> DG: it is not a capability in the spec right now
16:52:17 <drogersuk_> ...all browsers use shadow DOM now for widgets
16:52:20 <jeffh> Shadow DOM: http://www.w3.org/TR/shadow-dom/
16:52:45 <drogersuk_> TLR: ..and it can still reach out of that shadow DOM too...?
16:52:49 <drogersuk_> DV: Yes
16:53:25 <drogersuk_> (discussion of what security model applies)
16:54:03 <drogersuk_> ..we're concerned about 3rd party javascript
16:54:16 <jeffh> DG:  "all i want to do is protect the hosting page from the 3d-party included code"
16:54:26 <drogersuk_> DG / AB: ..distrust in both directions
16:55:16 <drogersuk_> DG: I'm fine with a very limited comms model with each other, where there is a 'great wall' - events which are fired within don't reach anything
16:55:23 <drogersuk_> AB: events are the easier case
16:56:33 <drogersuk_> TLR asks if the model would create a security boundary between two trees, both of which have the same origin?
16:56:44 <drogersuk_> DG: I think we should contemplate different origins
16:56:58 <drogersuk_> TLR: we have places where we expect JS code to do origin checks
16:57:24 <drogersuk_> (iframe sandbox suggestion)
16:58:13 <drogersuk_> DG: turns out workers doesn't work across origins
16:59:38 <drogersuk_> DG: (whiteboards ideas about link ref) If it is cross-origin it will load in its own scripting reference
17:00:41 <drogersuk_> ..the element is somehow registered in the main document, if someone uses the 'like' tag (it is somehow cloned / cutdown in the main doc)
17:00:59 <drogersuk_> ..some element is created and has some shadow DOM tree that exists in the document
17:01:20 <drogersuk_> BH: sounds a lot like an iframe
17:01:35 <drogersuk_> DG: there are advantages, global state and interaction etc
17:01:43 <drogersuk_> BH: Global state is part of the problem...
17:02:02 <drogersuk_> DG: it's lifetime will have to match the lifetime of the document too
17:02:13 <drogersuk_> DG: most documents only have one like button
17:02:50 <drogersuk_> (last comment was DV
17:03:00 <drogersuk_> BH: lots of sites will have more than one like button
17:03:43 <drogersuk_> Pella: today facebook likes are using <script src="
17:04:34 <drogersuk_> ..if they want all the functionality they have now (when you clicked it etc..) they may want something similar to what they have now
17:05:05 <drogersuk_> TLR: The advertising guys are building things on top of post message
17:05:22 <drogersuk_> ..they use iframes
17:05:31 <drogersuk_> ..and some shared javascript
17:05:41 <drogersuk_> ..in order to optimise some of the overhead
17:05:54 <drogersuk_> ..some of this may be worth looking at from a CSP perspective too
17:06:07 <drogersuk_> DG: multiple origins sharing the same state?
17:06:13 <drogersuk_> TLR: at the time, same origin
17:06:31 <drogersuk_> BH: at a naive first look, this looks to me to be an advertising model
17:06:54 <drogersuk_> ..the caja guys didn't like this?
17:07:15 <drogersuk_> DG: they didn't reject it, they're interested in it because they want to encapsulate DOM somehow
17:08:52 <drogersuk_> ..I can go back to these guys and understand what is happening
17:09:02 <drogersuk_> ..they were trying to drop shadow DOM from the standard
17:09:21 <drogersuk_> BH: that's fine, I was just wondering if there were more details about why it was not workable
17:09:22 <tlr> relevant work:
17:09:23 <tlr> http://www.w3.org/community/custexpdata/
17:09:36 <tlr> http://www.iab.net/safeframe
17:09:38 <drogersuk_> DG: think it is just too early for them, they haven't really looked at this yet properly
17:09:55 <drogersuk_> JH: It's just a way of isolating sub-trees?
17:10:07 <drogersuk_> DG: Yes, encapsulating
17:10:46 <drogersuk_> ..the outer document just explains how they're embedded and where they are. It seems to me that there is a security boundary
17:10:58 <drogersuk_> ..I am going to try and talk to the caja people
17:11:09 <drogersuk_> ..and see what ideas they have. I just want you guys to think about this.
17:11:50 <drogersuk_> JH: so shadow DOM is a piece of solving the 'like' button problem, but there are requirements beyond this and those need to be defined
17:12:14 <drogersuk_> BH: directional aspects will have security implications, what can be read etc.
17:12:33 <drogersuk_> JH: there may be some formal isolation things that need to be fed back to the javascript world
17:14:35 <virginie> D Rgers again off, anyone else willing to scribe ?
17:15:44 <virginie> Dimitri : would it be a good thing to do to progress ?
17:15:56 <virginie> BH : we need use cases to better understand borders
17:16:13 <virginie> Dimitri : will come back with real examples based on +1
17:16:44 <virginie> Dan : who is wokring on it in moz
17:16:56 <drogersuk_> drogersuk_ has joined #webappsec
17:16:57 <virginie> Dimitris (naming names I dont know)
17:17:48 <drogersuk_> BH: in terms of what security people like to see is what's the boundary, what goes across it etc
17:18:07 <drogersuk_> ..what isolation, data flows, data leaks, directions
17:18:21 <drogersuk_> DG: I can arrange for that to be done
17:20:46 <drogersuk> drogersuk has joined #webappsec
17:21:03 <drogersuk> DG: please feel free to contact me if you have any questions / suggestions
17:24:30 <Zakim> -gopal
17:30:54 <bhill2> scribenick: bhill2
17:33:07 <bhill2> Topic: Documenting the Web Security Model
17:34:51 <bhill2> drogers: in webcrypto there is a presumption that crypto is "security" in certain camps, another camp positing that "web is insecure" so don't even attempt crypto
17:35:17 <bhill2> ... if you do pay attention to documenting and maintaining the web security model, which needs to happen anyway
17:35:35 <bhill2> ... but is huge amount of work, and typically written to an audience that already understands it
17:35:58 <bhill2> ... needs to bridge the gap to a less security knowledgable audience
17:36:40 <bhill2> ...  e.g. last topic, developers just include script without understanding the security implications because it's easy
17:36:50 <bhill2> ... assume it must be secure or why would people do it
17:37:10 <bhill2> ... been working with Doug Schepers, potentially have a home for this at Web Platform Docs
17:37:25 <bhill2> ... existing documentation such as Tangled Web, etc.
17:37:40 <bhill2> ... want to understand what we should document first, top 5 items
17:38:21 <bhill2> jeffh: as a starting point web platform docs seems a reasonable home for this work
17:38:48 <bhill2> drogers: could be a sisyphean task
17:39:49 <bhill2> bhill: probably discussion should happen on public-web-security@, not public-webappsec@
17:40:03 <bhill2> tlr: the list exists, has a charter, less process to participate
17:40:26 <bhill2> ... a writing project were to progress it would need someone other than abarth to serve as a coordinator
17:40:38 <bhill2> abarth: don't have cycles to pay close attention
17:40:51 <bhill2> drogers: willing to drive this project, need support of experts on this
17:41:24 <jeffh> bhill/tlr suggests leveraging: W3C Web Security Interest Group <public-web-security@w3.org>
17:41:42 <bhill2> ... can you get resources from your companies, etc.
17:42:03 <bhill2> tlr: should line up a few core folk who are willing to commit, take that to a broader list, w/1st draft, etc.
17:42:07 <bhill2> ... to gather others in
17:42:33 <bhill2> tlr: I know that Levon Desmet is working on something that could serve as a start
17:42:42 <tlr> s/Levon/Lieven/
17:42:52 <tlr> s/that could serve as a start/that probably overlaps/
17:42:54 <bhill2> jeffh: I have stuff to contribute on terminology, a problem is that it doesn't reflect reality and we need a rosetta stone on this stuff
17:43:31 <bhill2> drogers: could I put on the list and ask what folk think the priorities should be
17:43:50 <bhill2> ... e.g. same origin workarounds used by developers, documenting best practices in that sense
17:44:00 <bhill2> ... browser implementation inconsistencies
17:44:17 <bhill2> tlr: document them dispassionately
17:44:32 <bhill2> ... you are scoping out the documentation equivalent of an open source project
17:44:43 <bhill2> ... a wonderful thing, but a very significant effort
17:45:12 <bhill2> jeffh: what Zalewski did is an important subcomponent, but the task you want to accomplish lacks a high level roadmap today
17:45:36 <bhill2> ... wouldn't put in the plan at this point to take over what was being done with browser security handbook
17:45:47 <bhill2> ... somebody should, but a separate issue
17:45:55 <bhill2> drogers: yes, start small, if successful it will grow
17:46:20 <bhill2> ... future topics: web components, web app firewalls, reputation filters... etc.
17:47:03 <Zakim> -abarth
17:47:15 <bhill2> bhill: avoid web app firewalls as a topic, a tool and product category, not a part of the security model
17:47:24 <bhill2> drogers: developers need to think about network layers
17:47:45 <bhill2> tlr: there are some security considerations that arise out of http behavior and widely deployed intermediaries
17:48:08 <bhill2> ... there are others that arise from common flaws of such, there are others from such that violate specs
17:48:27 <bhill2> ... focus on those that are part of the platform at the core
17:49:03 <bhill2> bhill2: w3c should NOT write a doc that says, this is how to use a web app firewall to secure your app
17:49:29 <bhill2> drogers: hsts, certificate authorities....
17:50:31 <bhill2> bhill: these should be out of scope - draw boundaries that make task achievable and venue-appropriate
17:51:25 <bhill2> drogers: my work is in mobile- chair the device security group in GSM assn.
17:51:50 <bhill2> ... new security considerations from new devices, physical platforms that havent' traditionally used the web as a browser
17:51:57 <bhill2> ... will become issues for us in the future as the web evolves
17:52:10 <bhill2> ... device APIs will bring new classes of attack we haven't thought about
17:55:08 <bhill2> bhill: POV should be from someone writing code to the open web platform
17:56:13 <bhill2> ... leave things like how to configure your web server for SSL to organizations like OWASP
17:56:57 <bhill2> virginie: in webcrypto there is traction for this kind of work, accurate documentation will solve problems for us
17:57:06 <Zakim> +gopal
17:57:27 <bhill2> ... we need not just a description of how to use technologies correctly, but also what are the limits of the security model and not to oversell
17:57:57 <bhill2> drogers: ian melven's talk at b-sides vancouver was good: is there a web security model?  answer: no
17:58:22 <bhill2> jeffh: there is folklore, we started writing some of it down: new RFCs for web origin concept, cookies ... thank you Adam Barth
17:59:14 <bhill2> jeffh: continuing this work may identify other things that can be "specifiable" beyond just being developer docs
17:59:28 <wseltzer> The Web Origin Concept: https://tools.ietf.org/html/rfc6454
17:59:43 <wseltzer> Cookies: https://tools.ietf.org/html/rfc6265
17:59:45 <bhill2> drogers: these RFCs are good examples to start with, and more like this a potential future goal
18:00:10 <bhill2> ... Interest Group concept removes many risks of IPR - just documenting already existing concepts
18:00:29 <bhill2> devditz: a spec at what stage?  only becomes not an issue after the final Recommendation stage
18:00:47 <bhill2> drogers: maybe we should state we will only talk about specs that have reached CR or similar
18:00:56 <bhill2> dveditz: but then it's too late to have an impact on these specs
18:01:31 <bhill2> bhill: goal here should not be to influence new tech, but to document the already interoperable
18:01:50 <bhill2> wseltzer: once we get the backlog done, we can think about IPR questions for new stuff
18:05:26 <bhill2> bhill: should probably be formally owned by the Security IG, WebAppSec can be liason
18:07:24 <wseltzer> ACTION on tlr to promote the security model documentation project
18:07:24 <trackbot> Error finding 'on'. You can review and register nicknames at <http://www.w3.org/2011/webappsec/track/users>.
18:07:41 <wseltzer> ACTION tlr to promote the security model documentation project
18:07:41 <trackbot> Created ACTION-135 - Promote the security model documentation project [on Thomas Roessler - due 2013-05-03].
18:12:17 <jeffh> jeffh has joined #webappsec
18:18:56 <wseltzer> rrsagent, draft minutes
18:18:57 <RRSAgent> I have made the request to generate http://www.w3.org/2013/04/26-webappsec-minutes.html wseltzer
18:32:05 <neil> neil has joined #webappsec
18:32:51 <wseltzer> RRSAgent, this meeting spans midnight
18:56:14 <Zakim> -Paypal
18:56:24 <Zakim> -gopal
18:56:25 <Zakim> SEC_WASWG(F2F)12:00PM has ended
18:56:25 <Zakim> Attendees were +1.781.369.aaaa, gopal, bhill2, drogersuk, virginie, tlr, wseltzer, jeffh, puhley, Dimitri_Glazkov, +1.650.648.aabb, abarth
18:56:45 <wseltzer> trackbot, end teleconf
18:56:45 <trackbot> Zakim, list attendees
18:56:45 <Zakim> sorry, trackbot, I don't know what conference this is
18:56:48 <bhill2> rrsagent, make minutes
18:56:48 <RRSAgent> I have made the request to generate http://www.w3.org/2013/04/26-webappsec-minutes.html bhill2
18:56:53 <trackbot> RRSAgent, please draft minutes
18:56:53 <RRSAgent> I have made the request to generate http://www.w3.org/2013/04/26-webappsec-minutes.html trackbot
18:56:54 <trackbot> RRSAgent, bye
18:56:54 <RRSAgent> I see no action items