W3C

- DRAFT -

Web Security Interest Group

18 Dec 2013

Agenda

See also: IRC log

Attendees

Present
+1.408.332.aabb, +1.703.948.aaaa, Andrew_Fregly, AndyF, Art_Barstow, BHill, Brad_Hill, Christine_Runnegar, Frederick_Hirsch, Harry_Halpin, Karen_O'Donoghue, Larry_Masinter, Nick_Doty, Virginie_Galindo, Wendy, Wendy_Seltzer, christine, fjh, hhalpin, karen_oDonoghue, manu, masinter, npdoty, nvdbleek, virginie, Manu_Sporny
Regrets
Chair
Virginie_Galindo
Scribe
manu


Welcome and Introductions

virginie: welcome to Web Security Interest Group
... have a call as an opportunity for introductions, including a new co-chair and Wendy new for this role at W3C

<wseltzer> Agenda

virginie: Virginie Galindo of Gemalto
... a quick roll call of delegates

<fjh> Agenda: http://lists.w3.org/Archives/Public/public-web-security/2013Dec/0013.html

AndyF: from Verisign, new to the group and figuring out priorities

ArtB: Art Barstow, chair of a couple WGs, most interested in reviewing specifications of WGs
... like to make sure Web Sec Interest Group a part of the review process

<christine> Christine Runnegar, Internet Society, here as W3C Privacy Interest Group (PING) co-chair

<fjh> Frederick Hirsch, Nokia, chair of Device APIs (DAP) and XML Security WGs

fjh: interested in reviews, or any advice that can be given up front for design, interested in learning

hhalpin: W3C, Web Crypto, encrypted web tools important because hearing about tools/projects that can't use the web

kodonog: from ISOC, here from a general IETF perspective

<hhalpin> Another good example is Cryptocat and the browser plug-ins

<kodonog> Karen O'Donoghue, Internet Society, web crypto, IETF JOSE WG, general IETF security perspective

<fjh> masinter: Larry Masinter, have worked in this area a long time

manu: Web Payments CG, want to make sure this group is aware of work happening elsewhere

<manu> manu: I'm also working with the Secure Messaging work (JSON messages that are digitally signed and/or encrypted)... and HTTP Signatures (adding authentication and working w/ authorization in the HTTP protocol)

wseltzer: As of earlier this month, Tech & Society domain lead
... help figure out how W3C should work on privacy and security issues
... work on strategy and assemble the resources to do that
... resources limited, so working with the community is essential, as in this group

wseltzer: thinking about the problems that we're facing and how to attack those
... ways for users to ensure security of their communications (e.g. NSA)
... no single company or research angle can solve the problem alone
... Consortium is a good place to think about problems collectively and solve them collectively
... using the Web for secure communications and authenticated transactions
... sent a few messages to the list on new work we might take up
... in response to increased attention to security, along with IETF & Internet hardening
... ... since surveillance is interpreted as an attack on the Internet and the Web
... enhancing existing work, have a role doing security reviews
... how can we give good guidance to authors up front and reviewing specs as they're developed
... and to the users of those specs as well as their authors

<masinter> i think part of the agenda is to catalog the threats we're worried about, and establish some criteria for prioritization

<virginie> web security IG wiki http://www.w3.org/Security/wiki/IG

virginie: organize an answer to wseltzer's questions
... very briefly look over the Interest Group and proposed work

<hhalpin> I mean, that may not be true

virginie: formal request from the Mobile Web Interest Group; can we have a report

<hhalpin> You can zero-day native apps much easier

<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap

virginie: on whether web apps are less secure than native apps?

<hhalpin> So I'd be against such blanket statements without lots of details.

virginie: a Web Security model, as proposed by David Rogers

<hhalpin> That being said, I recommend people develop native apps for security purposes until a few critical problems on the Web are fixed. But the upgrade path for native apps is also sketchy.

virginie: one Interest Group task could be to gather such requests
... another task is security review
... we have a formal request from the HTML WG for security review of the EME spec

<virginie> http://www.w3.org/Security/wiki/IG/new_work

virginie: proposed new work -- let's try to secure all the things -- which looks like a charter
... security best practices, developing security on the client-side
... for this call, see who is interested in what, and how to prioritize different topics
... open the mic for anyone to join the discussion

hhalpin: new work list seems to be missing HTTP Auth, currently being rebooted at IETF
... a way to enter username/password in browser chrome
... insecure because the crypto is known to be broken
... look at which new WGs need to be started
... like to build a group that can do security reviews, might need help from IETF

<hhalpin> https://ietf.org/wg/websec/charter/

<hhalpin> We should work with them.

<hhalpin> in terms of reviews

manu: having trouble tracking all the new security related specs that are popping up
... jose, payments, fido alliance, browserid -- where all the specs are, their problems, the overlap
... a lot of uncoordinated work being done in security today
... figure out a way for all these technologies to fit together

<hhalpin> FIDO alliance seems to be moving well, Mozilla Personae unfortunately seems to have little to no update (despite being a great design), etc.

manu: renewed interest because of NSA stuff going on, which is great, but need to coordinate

<hhalpin> Yes, the duplication of effort between RDFa, microformats, and microdata was a waste of time IMHO

<hhalpin> I'd like to avoid that in the future

manu: general challenge: can we at least summarize everything that's going on?

<manu> wseltzer, I'm so busy that I'd do a bad job at it.

manu: present back to these groups, so people know what is going on
... every group believes they're working on something unique

<masinter> the main question is the nature of how we organize our own report/plan. Manu argued for documenting "what's going on now". There's another perspective, which is "what needs to be done". And a third, which I argue for, is "what is THIS group's work plan"

manu: needs someone from outside to help them see overlaps; a huge coordination issue

fjh: 1) agree with manu, but it's a huge task just to summarize all work, but just the activities that are going on
... security at different layers, not just the Web level
... perpass and other groups/lists at IETF
... a lot going on with PKI and technologies
... a wiki that people can link to what is going on
... 2) don't confuse security with crypto, details of crypto mechanisms not the best place to start
... 3) creating a Web architecture for security is very ambitious
... ... just dealing with cookies alone is very ambitious given all the legacy implementations
... the details are significant, hesitant to promise overreaching

virginie: documenting on the wiki sounds like a good idea; can you share what you have?

<manu> manu: ArtB and I have been expanding on "work that's going on" here - http://www.w3.org/Security/wiki/IG/W3C_spec_review

fjh: yes, and we all have different stuff

christine: very valuable input all around, fjh has been doing a great job with privacy in specs
... have grand ambitions but be realistic in what we can achieve
... had a conversation in the last Privacy Interest Group (PING) call
... trying to coordinate privacy reviews with security reviews of specifications
... considerations may reinforce each other, and combining reviews can increase our pool of expertise

<Zakim> masinter, you wanted to argue for spending some time on establishing a framework for future work before starting on any individual topic

christine: raise that possibility as we go forward

masinter: heard agreement that we should do some planning, summarizing, cataloging

<fjh> maybe cookies was too much of a privacy consideration, let's see how about unknown certificates as another example

masinter: before we engage in any specific task (like reviewing) we should do some planning
... let's catalog what's going on (ongoing activities that are security related)

<fjh> agree, we need to understand goals and requirements

masinter: another perspective, catalog what needs to get done
... organized around a longer term perspective
... and what is it that we as a group need to do
... which might be initiating WGs at W3C, establishing liaisons with other groups, etc.
... what does the Web Security Interest Group need to do to be most productive

AndyF: really see this interest group, get threat modeling out there
... a group of people to review that
... a reach-out campaign, who else should be involved?

<masinter> do we have, on the call, the expertise to do a security review of HTML?

wseltzer: would like to work on that project and other specifics, even as we do mapping

<bhill2> (sorry to be late)

virginie: need to find the appropriate people (there are only so many of us), who to ask

<manu> http://www.w3.org/Security/wiki/IG/W3C_spec_review#Candidates_for_Review

manu: Art and I have been hacking on the wiki while the call is going on
... a number of spec candidates for review, what we know are going on out there
... when you're asking people to review specs, everyone already overcommitted
... hard for us to spend a lot of time to do the things that we've just said are very important
... no answer right now, just raising the concern

hhalpin: agree with manu on lack of resources; do think w3c should have someone fulltime
... don't have that person yet, if a W3C Member wanted to send a W3C Fellow, that would be great
... recommend we do security reviews jointly with IETF, given limited resources

<Zakim> masinter, you wanted to say that the best we can do is to establish a process for ensuring security review of specs

<hhalpin> In particular, with IETF WebSec WG

<hhalpin> No, we must do security reviews in this group I think.

masinter: there's some agreement that we're not doing the security reviews in this group
... and so the best we can do is a process for doing security reviews, perhaps a process that includes IETF

<hhalpin> The IETF WebSec group is also not toooooo active

<Zakim> manu, you wanted to propose some way forward.

manu: the way we've had a decent number of security reviews has been by chance
... find the people to do the security reviews, ask people directly who have expertise

<wseltzer> [to clarify, I was suggesting that we could use the IETF security considerations as a guide, http://tools.ietf.org/html/rfc3552 ]

<masinter> i don't think this group even is the one to find the reviewers

manu: a lot less time if we can reach out to our social networks

hhalpin: push back, need neutral security reviews from people with background in the topic
... the duty of this group and W3C to do reviews of specs with security implications
... if we don't have all the resources on this telcon, work with IETF websec
... shouldn't do mapping exercise if it takes away from security reviews, which I believe to be the primary purpose

wseltzer: hearing from many that we don't have sufficient expertise/time

<fjh> updated http://www.w3.org/Security/wiki/IG/press_news with IETF Secauth and Perpass links

wseltzer: maybe we don't have everyone this call or that you all are too modest about your expertise
... would like this group to make assertions at least as strong as IETF, that each spec has been reviewed against security considerations
... better yet, have we minimized the security footprint of those changes?
... looking for suggestions, here and offline, on how to get that work done

<masinter> perhaps we should review the charter of the group again? there's a big difference between "securing the web" and "adequately review security of W3C specs". The amount of work is proportional to different values

wseltzer: don't think it's a task we can ignore

<Zakim> masinter, you wanted to suggest explicitly asking chair of IETF websec to this group

masinter: maybe we should review the charter of the group again
... difference between securing the web and adequately reviewing w3c specs
... proportionate to how insecure the web is vs. the number of specs produced

<manu> +1 to Larry's statement about there being a difference between "Securing the Web" and "Doing adequate security review of specs"

<virginie> http://www.w3.org/2011/07/security-ig-charter.html

<fjh> +1 need to distinguish securing the web versus reviewing specs, different yet related goals

masinter: kind of expect the WG that produces the spec not to knowingly introduce security bugs
... just doing adequate review, or focus on what needs to be done to secure the web

virginie: our charter is to give advice and review specifications
... with wseltzer and abarth, identifying other areas

<wseltzer> "Securing the Web" is a reach goal, of course, and never something we can completely achieve -- but surely we should try to improve the risk-balance of web security

virginie: main role is still to do review
... do we have the expertise? related to recruiting participants

<masinter> http://www.w3.org/2011/07/security-ig-charter.html

virginie: if the IG has been quiet, or roadmap is unclear, harder to gather participants

bhill2: for recruiting, there are people out there, but may need to think about structures for Invited Expert status
... my first involvement with w3c was working for a security consulting company
... and had an expiring IE status; hard to convince small company for Membership

<christine> to Virginie - wondering whether you could provide some email text introducing the revamped IG that we could send around to recruit experts?

bhill2: smaller companies that are interested in contributing but not budgeting

<virginie> to christine - i think it is a good idea :)

<masinter> I don't see doing document reviews in the charter at http://www.w3.org/2011/07/security-ig-charter.html

fjh: nothing in the Process that requires privacy/security considerations
... should have such a requirement (ask the Team to raise that)
... in the PING group we've had some experience doing reviews
... it's a lot of work because it requires understanding what the spec does, at least for complicated specs
... like inviting editors of the spec to explain
... Process should call out security/privacy as needed

<christine> Thank you Frederick. Agree re reviews.

fjh: have an expectation that WGs do a first pass themselves

AndyF: still concerned about threat models and the larger picture of web security

<fjh> +1 AndyF bringing us back to IG charter question of web security versus reviews

AndyF: would that be for this group or some new joint effort with IETF?

hhalpin: to bhill, agree IGs shouldn't have that problem of expiration on volunteering IEs
... can push on that rule internally if need be
... at least in the short term can smooth out the IE issue

<masinter> http://www.w3.org/2011/07/security-ig-charter.html

<Zakim> masinter, you wanted to ask if we can walk through charter

masinter: want to look at the charter, think a close reading will be helpful
... can propose new work to W3C, we could write a proposal (about security considerations in the Process, eg)
... nothing here about explicitly reviewing documents, except the focus on HTML5 and related APIs and technologies
... other technologies wouldn't be in scope, or wouldn't be a focus
... others that are related to HTML5 / Web platform would be in scope

<manu> scribe: manu

<scribe> scribenick: manu

masinter: Maybe we shouldn't tie the work to spec production, we need to sync up and have deadlines 'cause a spec is going to CR.
... Or, are we looking at the process of development of the spec / underlying technology.

<npdoty> have to drop for #dnt, nice listening to you all and I hope to be helpful where I can

wseltzer: Quick summary - heard lots of different pieces of interest. Especially in helping w/ the problem and searching for particular areas to engage.

<fjh> I think the IG should selectively review to focus on problems that relate to overall web arch security , e.g. start with Promises and Service Workers, for example?

<fjh> not work reactively but seek areas that may offer rewards

wseltzer: We will share more analysis of that and follow up via email. I'd like to invite people to form task forces around work that they think need to be done. We don't need to centrally direct the work via this group. If you see something you're interested on working on, send out a call on the mailing list, invite people to join the calls and invite people.
... We don't yet have regular phone calls scheduled, tell us if you want them.
... What does this group need to do to make the Web Security goals that you have successful?

fjh: I put this in the charter already, it may be a bad idea to say we're just going to review stuff.
... I'd rather see us pick topic areas that are important to Web Architecture and select material that relates to that issue.
... That's a suggestion, don't know how workable it is.

<Zakim> virginie, you wanted to suggest we first list topics with leaders, then check if falling in the charter

virginie: Yes, let's see some topics and then we can see if we can fold it into the charter.
... We have some specific requests, "please review X"
... We have requests to draw a picture of the different security areas.
... We should catalog different security areas.
... There is a need to select some topics that are important to Web Architecture, I think that was the goal of the IG new work.

<virginie> http://www.w3.org/Security/wiki/IG/new_work

virginie: This is the expression of what the W3C members expressed they would like W3C to work on. We need people ready to work.

<fjh> will add offline security to new work wiki

virginie: I can commit some time for any of those tasks. What can be interesting is that ... can someone say they can allocate some time to this IG.

<virginie> +1

<wseltzer> +1

<masinter> +1

manu: I can commit maybe 1-2 hours every few weeks.

<hhalpin> +1

<fjh> +1

<bhill2> +1

<kodonog> +1 w/ christine

<masinter> Benchmark IETF secdir

virginie: We have some people that are ready to do some work. Maybe we have a call in 1 month. In meantime, Wendy and myself will fill out the wiki that reflects the discussion that we just had.

<kodonog> can we have a discussion on the mailing list about the timing of the call

<kodonog> I have a standing call at this time (monthly)

virginie: In the meantime, fill the wiki with anything you're willing to work on.

<masinter> what is IETF secdir expert-hour-per-document ratio?

virginie: I'll communicate the follow-up over the mailing list.

masinter: If we are going to review documents, how long does it take, can we get commitment?
... That's an issue.

<christine> Thanks all

<fjh> thanks

virginie: Thanks for attendance, please spread the word about the existence of this group. We'll speak again in 1 month.

<wseltzer> Thanks!

<virginie> thanks to the scribes !

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014/01/06 15:39:06 $