IRC log of websec on 2014-01-21

Timestamps are in UTC.

16:50:27 [RRSAgent]
RRSAgent has joined #websec
16:50:27 [RRSAgent]
logging to http://www.w3.org/2014/01/21-websec-irc
16:51:15 [Zakim]
Zakim has joined #websec
16:51:32 [virginie]
Zakim, what conference do you see ?
16:51:32 [Zakim]
I don't understand your question, virginie.
16:51:44 [dom]
dom has joined #websec
16:53:10 [dom]
Zakim, this will be WSIG
16:53:10 [Zakim]
I do not see a conference matching that name scheduled within the next hour, dom
16:53:34 [dom]
Zakim, list conferences
16:53:34 [Zakim]
I see XML_ET-TF()11:00AM, WAI_WCAG()11:00AM, Team_(eme)16:00Z, HTML_WG()11:00AM active
16:53:36 [Zakim]
also scheduled at this time are VB_VBWG()10:00AM, RWC_WebEven()11:00AM, T&S_DNTC()12:00PM, RWC_PEWG()11:00AM, SW_HCLS()11:00AM, SEC_(PUSHAPIPAG)11:00AM
16:53:38 [wseltzer]
zakim, this is WSIG
16:53:40 [Zakim]
sorry, wseltzer, I do not see a conference named 'WSIG' in progress or scheduled at this time
16:53:49 [wseltzer]
zakim, call for 15 at 1200?
16:53:49 [Zakim]
I don't understand your question, wseltzer.
16:53:54 [wseltzer]
zakim, space for 15 at 1200?
16:53:56 [Zakim]
ok, wseltzer; conference Team_(websec)17:00Z scheduled with code 26634 (CONF4) at 12:00 for 60 minutes until 1800Z
16:54:09 [wseltzer]
zakim, make this code WSIG
16:54:09 [Zakim]
I don't understand 'make this code WSIG', wseltzer
16:54:30 [wseltzer]
zakim, code?
16:54:30 [Zakim]
the conference code is 26634 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), wseltzer
16:54:49 [wseltzer]
virginie, I guess today's code will be 26634
16:55:00 [npdoty]
npdoty has joined #websec
16:55:02 [virginie]
ok, i'll send it on the mailing list
16:57:06 [kodonog]
kodonog has joined #websec
16:57:24 [sftcd]
sftcd has joined #websec
16:58:19 [Zakim]
Team_(websec)17:00Z has now started
16:58:26 [Zakim]
+ +1.512.257.aaaa
16:58:36 [Zakim]
+karen_oDonoghue
16:58:57 [fan]
fan has joined #websec
16:59:09 [virginie]
hi all, the conf call code is 26634#
17:00:10 [Zakim]
+ +3531896aabb
17:00:18 [Zakim]
+Masinter
17:00:26 [Zakim]
+ +861381144aacc
17:00:37 [npdoty]
Zakim, code?
17:00:37 [Zakim]
the conference code is 26634 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), npdoty
17:01:01 [wseltzer]
zakim, call wendy-mobile
17:01:01 [Zakim]
ok, wseltzer; the call is being made
17:01:03 [Zakim]
+Wendy
17:01:07 [dom]
Zakim, call dom-home
17:01:07 [Zakim]
ok, dom; the call is being made
17:01:09 [Zakim]
+Dom
17:01:25 [dom]
Zakim, mute me
17:01:25 [Zakim]
Dom should now be muted
17:01:25 [virginie]
zakim, who is on the phone ?
17:01:26 [Zakim]
On the phone I see +1.512.257.aaaa, karen_oDonoghue, +3531896aabb, Masinter, +861381144aacc, Wendy, Dom (muted)
17:01:39 [wseltzer]
zakim, aabb is sftcd
17:01:39 [Zakim]
+sftcd; got it
17:01:47 [wseltzer]
zakim, aaaa is virginie
17:01:47 [Zakim]
+virginie; got it
17:01:51 [sftcd]
thanks wendy
17:02:22 [virginie]
agenda+ welcome
17:02:35 [virginie]
agenda+ ietf liaison
17:02:42 [AndyF]
AndyF has joined #websec
17:03:00 [virginie]
agenda+ W3C TAG security discussions
17:03:33 [virginie]
agenda+ IG priorities and task force leaders
17:03:51 [virginie]
agenda+ AOB
17:04:11 [_JeffH]
_JeffH has joined #websec
17:04:56 [virginie]
zakim, who is on the phone ?
17:04:56 [Zakim]
On the phone I see virginie, karen_oDonoghue, sftcd, Masinter, +861381144aacc, Wendy, Dom (muted)
17:04:58 [_JeffH]
what is the code for the bridge? i tried 9744# and am told it is invalid?
17:05:17 [wseltzer]
_JeffH, 26634
17:05:20 [fan]
aacc is fan
17:05:25 [wseltzer]
zakim, aacc is fan
17:05:25 [Zakim]
+fan; got it
17:05:30 [virginie]
sorry for that the code is 26634#
17:05:32 [Zakim]
+[IPcaller]
17:05:42 [_JeffH]
ok, that worked thx
17:05:48 [_JeffH]
ok, need to update wiki ?
17:05:50 [wseltzer]
zakim, +[IPC is JeffH
17:05:50 [Zakim]
sorry, wseltzer, I do not recognize a party named '+[IPC'
17:05:54 [wseltzer]
zakim, +IPC is JeffH
17:05:54 [Zakim]
sorry, wseltzer, I do not recognize a party named '+IPC'
17:06:04 [wseltzer]
zakim, IPcaller is JeffH
17:06:04 [Zakim]
+JeffH; got it
17:06:05 [_JeffH]
I'm covering for BHill who had a conflict
17:06:25 [Zakim]
-JeffH
17:06:29 [_JeffH]
oops
17:06:38 [virginie]
done
17:07:35 [Zakim]
+[IPcaller]
17:07:41 [kodonog]
I will today...
17:07:43 [wseltzer]
zakim, IPcaller is JeffH
17:07:43 [Zakim]
+JeffH; got it
17:07:56 [Zakim]
+ +1.425.214.aadd
17:07:57 [virginie]
zakim, who is on the phone ?
17:07:58 [Zakim]
On the phone I see virginie, karen_oDonoghue, sftcd, Masinter, fan, Wendy, Dom (muted), JeffH, +1.425.214.aadd
17:08:50 [kodonog]
scribenick kodonog
17:09:09 [Zakim]
+terri
17:09:19 [dom]
s/scribenick kodonog/scribenick: kodonog/
17:09:24 [kodonog]
Introductions
17:09:46 [_JeffH]
i don't see masinter in the irc ?
17:10:00 [dom]
Zakim, unmute me
17:10:00 [Zakim]
Dom should no longer be muted
17:10:05 [_JeffH]
oh it's "larry"
17:10:29 [dom]
Zakim, mute me
17:10:29 [Zakim]
Dom should now be muted
17:10:36 [kodonog]
Virginie, Karen O'Donoghue, Stephen Farrell, Larry Masinter, Dom, Wendy Seltzer, Jeff Hodges
17:11:20 [terri]
terri has joined #websec
17:11:26 [virginie]
agenda?
17:11:50 [kodonog]
Terri (Intel), Nick Doty
17:11:57 [_JeffH]
someone is scribing ?
17:12:50 [wseltzer]
zakim, who is here?
17:12:50 [Zakim]
On the phone I see virginie, karen_oDonoghue, sftcd, Masinter, fan, Wendy, Dom (muted), JeffH, +1.425.214.aadd, terri
17:12:52 [kodonog]
Hannes Tschofenig
17:12:53 [Zakim]
On IRC I see terri, _JeffH, AndyF, fan, sftcd, kodonog, npdoty, dom, Zakim, RRSAgent, virginie, Larry, wseltzer
17:12:55 [wseltzer]
zakim, aadd is Hannes
17:12:55 [Zakim]
+Hannes; got it
17:13:07 [kodonog]
Virginie addresses the plan for the meeting.
17:13:35 [_JeffH]
which is coord between IETF, esp security, with overlapping areas in W3C
17:13:52 [kodonog]
First agenda item, Stephen Farrell, IETF work and STRINT workshop
17:14:16 [kodonog]
want an active liaison and conserve resources
17:14:45 [kodonog]
W3C is interested in IETF security review process as we are considering doing the same
17:15:01 [_JeffH]
where "we" == ietf ?
17:15:13 [kodonog]
Stephen Farrell: folks on call already know a lot about the IETF
17:15:17 [wseltzer]
we= W3C
17:15:25 [_JeffH]
k
17:15:53 [kodonog]
… main working groups relevant to the W3C, httpbis, httpauth,
17:16:33 [kodonog]
… oauth
17:16:54 [kodonog]
… in ops area also the wpkops wg
17:17:59 [Larry]
UTA Using TLS in Applications
17:18:03 [kodonog]
… in the applications area, relevant WGs include websec and uta (using tls in applications)
17:18:16 [Larry]
websec?
17:18:27 [_JeffH]
yes, websec in apps area is impt
17:18:49 [kodonog]
STRINT workshop 28 Feb / 1 Mar before IETF 89 in London
17:19:00 [_JeffH]
got 62 submissions (closed today)
17:19:20 [kodonog]
idea is to continue the discussion started in Vancouver to address pervasive monitoring
17:19:32 [_JeffH]
https://www.w3.org/2014/strint/
17:20:11 [kodonog]
WGLC on IETF document defining pervasive monitoring as an attack
17:20:25 [_JeffH]
strint is aimed to figure out actual mitigations to pervasive monitoring
17:20:27 [kodonog]
workshop CFP deadline has passed
17:21:05 [kodonog]
regarding IETF security review, there are various directorates in the IETF including the Security Directorate
17:21:35 [kodonog]
every document that is coming up for approval in the IESG gets some security review in the Security Directorate
17:21:39 [_JeffH]
directorates are a means for collecting a review board, and parceling out specs for review
17:21:51 [_JeffH]
have about 40 folks in Sec Dir
17:21:51 [kodonog]
reviews allocated on a round-robin basis, 80% hit rate
17:22:07 [kodonog]
each reviewer tends to get one review every few months
17:22:07 [_JeffH]
each reviewer gets a doc to review about every couple months
17:22:33 [kodonog]
Security Area Director uses review during the IESG processing of the document
17:23:09 [kodonog]
useful as an educational tool for people working in the IETF - get exposure to lots of other work in the IETF
17:23:43 [kodonog]
facilitated by a tool with someone to help manage the tool, inputs reviews, allocates reviews, inputs results
17:24:12 [kodonog]
Virginie: description indicates you have quite an infrastructure to support security reviews
17:25:02 [Larry]
q+
17:25:05 [kodonog]
Stephen: have regular liaison calls with Wendy and Mark Nottingham, issues could be raised to that forum, or send direct mail
17:25:15 [kodonog]
Stephen: happy to help as we can
17:25:54 [kodonog]
Larry: concerned about things that have fallen out of websec and not appeared in W3C (missed specific examples)
17:26:43 [kodonog]
Stephen: mime sniffing was really an apps thing so you would be better off talking to them. Believe there wasn't a clear consensus and volunteers to support the work.
17:27:04 [kodonog]
origin is an RFC
17:27:37 [kodonog]
Virginie: W3C and IETF are currently well coordinated,
17:28:13 [_JeffH]
https://tools.ietf.org/search/rfc6454 The Web Origin Concept
17:28:13 [kodonog]
need to monitor output of the STRINT workshop to see if there is some W3C websec work to pursue
17:28:46 [kodonog]
? agenda
17:28:58 [Larry]
what i remember reading was that the Origin RFC is wrong and they are just abandoning it
17:29:04 [kodonog]
(scribe has forgotten how to switch agenda items…)
17:29:10 [wseltzer]
zakim, next agenda
17:29:10 [Zakim]
agendum 1. "welcome" taken up [from virginie]
17:29:15 [wseltzer]
zakim, drop agendum 1
17:29:15 [Zakim]
agendum 1, welcome, dropped
17:29:17 [_JeffH]
larry: really? that on whatwg list?
17:29:18 [wseltzer]
zakim, next agenda
17:29:18 [Zakim]
agendum 2. "ietf liaison" taken up [from virginie]
17:29:20 [sftcd]
@larry - don't whatwg think *everything* is wrong?
17:29:26 [wseltzer]
zakim, take up agendum 3
17:29:26 [Zakim]
agendum 3. "W3C TAG security discussions" taken up [from virginie]
17:29:46 [Larry]
i'll have to find this
17:30:01 [kodonog]
W3C TAG security discussions - need to make some effort to build a community of experts
17:30:13 [sftcd]
I did hear something about whatwg and SOP messing a few months ago
17:30:14 [kodonog]
there are some security topics of interest but possibly not enough contributors
17:30:34 [kodonog]
two things from the TAG discussions:
17:30:59 [kodonog]
TAG members were not that excited by systematic reviews of W3C recommendations
17:31:13 [kodonog]
possibly the implementation reports are sufficient to address this.
17:31:25 [kodonog]
need to consider if we really need these reviews
17:31:51 [virginie]
https://github.com/w3ctag/secure-the-web
17:32:26 [kodonog]
There is now a TAG effort to secure the web.
17:32:35 [kodonog]
This may overlap with activity in the interest group
17:33:04 [kodonog]
TAG concerned that there is a lack of security contributors in the W3C
17:33:12 [kodonog]
need to recruit additional participants
17:33:40 [kodonog]
Virginie will share her slides to the TAG on the wiki
17:34:01 [sftcd]
just to note that PFS for TLS under HTTP is on the charter for the new UTA wg in the IETF
17:34:08 [kodonog]
zakim, next agenda
17:34:08 [Zakim]
I see a speaker queue remaining and respectfully decline to close this agendum, kodonog
17:34:19 [wseltzer]
q?
17:34:28 [Larry]
ack
17:34:30 [wseltzer]
q- Larry
17:34:32 [Larry]
ack
17:34:34 [Larry]
q-
17:34:38 [kodonog]
zakim, next agenda
17:34:38 [Zakim]
agendum 2. "ietf liaison" taken up [from virginie]
17:34:39 [wseltzer]
zakim, next agendum
17:34:39 [Zakim]
agendum 2 was just opened, wseltzer
17:34:45 [wseltzer]
zakim, take up agendum 4
17:34:45 [Zakim]
agendum 4. "IG priorities and task force leaders" taken up [from virginie]
17:34:49 [wseltzer]
zakim, drop agendum 2
17:34:49 [Zakim]
agendum 2, ietf liaison, dropped
17:34:49 [sftcd]
@larry: the general question of HTML5 not referencing RFCs is a good liaison topic for w3c/ietf calls, pete resnick is the right AD for that I think
17:34:59 [virginie]
http://www.w3.org/Security/wiki/IG
17:35:11 [kodonog]
review the wiki to discuss W3C work
17:35:55 [virginie]
http://www.w3.org/Security/wiki/IG/W3C_spec_review
17:36:09 [Zakim]
+ +1.703.948.aaee
17:36:25 [virginie]
http://www.w3.org/Security/wiki/IG/web_security_model
17:36:28 [kodonog]
virginie has updated the page related to spec review
17:37:26 [virginie]
http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis
17:38:10 [virginie]
http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
17:39:15 [kodonog]
virginie is stepping through the current material on the wiki to help develop a work plan for the interest group
17:39:31 [virginie]
http://www.w3.org/Security/wiki/IG/press_news
17:40:06 [kodonog]
looking for people for the IG to contribute to the various topics
17:40:21 [dom]
q+
17:40:23 [AndyF]
++
17:40:28 [dom]
Zakim, unmute me
17:40:28 [Zakim]
Dom should no longer be muted
17:40:44 [Larry]
q+ to ask about 'cloud security' standards and if there's some liaison possibilities
17:40:46 [wseltzer]
zakim, aaee may be AndyF
17:40:46 [Zakim]
+AndyF?; got it
17:40:56 [_JeffH]
sorry, I am overbooked and can't commit to anything new at this time, tho we can see, over the next several months, if we can have someone contribute (no promises tho)
17:41:07 [kodonog]
Dom: for the mobile topic, would like to collaborate with security experts
17:41:12 [virginie]
q?
17:41:16 [dom]
ack me
17:41:59 [virginie]
http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis
17:42:59 [kodonog]
no one on the call from Nokia, perhaps we could contact them
17:43:12 [dom]
Zakim, mute me
17:43:12 [Zakim]
Dom should now be muted
17:44:07 [Larry]
ack me
17:44:07 [Zakim]
Larry, you wanted to ask about 'cloud security' standards and if there's some liaison possibilities
17:44:08 [kodonog]
Larry: see a lot of activity related to cloud
17:44:09 [Larry]
i'm done
17:44:34 [kodonog]
there are possible liaisons to facilitate this work
17:44:45 [Larry]
I'm trying to sort it out, so i'd rather not display my ignorance
17:44:46 [kodonog]
Virginie: are you talking about the Cloud Security Alliance
17:44:59 [kodonog]
they have issued some guidance that is quite vague
17:45:25 [Larry]
operational procedures, etc.
17:45:46 [kodonog]
bring back additional references or recommendations for cloud security work
17:45:59 [Larry]
I can help with that
17:46:01 [kodonog]
asks Larry to provide any additional references for analysis
17:46:10 [virginie]
q?
17:47:50 [kodonog]
beginning to announce the existence of the IG and the ability to do security reviews
17:48:06 [kodonog]
need to recruit members in order to execute on these reviews
17:48:47 [Larry]
all of the 'ongoing issues' in http://www.w3.org/Security/wiki/Main_Page#Ongoing_issues ...
17:48:51 [Larry]
q+
17:49:27 [kodonog]
Larry: Ongoing issues, documents are 2009 and 2010, nothing that has been published recently
17:50:00 [wseltzer]
[that's an old wiki -- we're working from http://www.w3.org/Security/wiki/IG ]
17:50:05 [Zakim]
-Dom
17:50:20 [wseltzer]
[thanks Larry, we'll work to clean up that "Main Page"]
17:50:46 [virginie]
http://www.w3.org/Security/wiki/IG/web_security_model
17:51:04 [Larry]
what about guidelines for W3C working groups about how to do security analysis of their specs?
17:51:05 [kodonog]
Virginie: this is an older wiki and we are working to update the material on the new wiki
17:51:08 [sftcd]
gotta drop off the call - thanks for listening and if we can help just shoot a mail to me stephen.farrell@cs.tcd.ie
17:51:18 [Zakim]
-sftcd
17:51:37 [kodonog]
next steps: each person think about a potential activity that they could lead
17:51:52 [virginie]
http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
17:51:58 [kodonog]
understanding the web security model is important
17:52:35 [terri]
+1 to monthly calls
17:53:03 [kodonog]
proposing a monthly call for the websec IG
17:53:29 [wseltzer]
q?
17:53:29 [kodonog]
no consensus for a monthly call
17:53:35 [wseltzer]
ack Larry
17:53:47 [kodonog]
continue discussions over the mailing list and if interest increases schedule a call
17:54:16 [_JeffH]
ok thx bye now
17:54:20 [Zakim]
-Masinter
17:54:24 [Larry]
tx
17:54:27 [Zakim]
-JeffH
17:54:38 [Zakim]
-Wendy
17:54:39 [Zakim]
-AndyF?
17:54:39 [Zakim]
-Hannes
17:54:41 [Zakim]
-virginie
17:54:41 [Zakim]
-fan
17:54:50 [Zakim]
-terri
17:57:48 [virginie]
rrsagent, create minutes
17:57:48 [RRSAgent]
I have made the request to generate http://www.w3.org/2014/01/21-websec-minutes.html virginie
18:05:01 [Zakim]
disconnecting the lone participant, karen_oDonoghue, in Team_(websec)17:00Z
18:05:03 [Zakim]
Team_(websec)17:00Z has ended
18:05:03 [Zakim]
Attendees were +1.512.257.aaaa, karen_oDonoghue, +3531896aabb, Masinter, +861381144aacc, Wendy, Dom, sftcd, virginie, fan, JeffH, +1.425.214.aadd, terri, Hannes, +1.703.948.aaee,
18:05:03 [Zakim]
... AndyF?
18:55:10 [terri]
terri has joined #websec
19:26:35 [wseltzer]
rrsagent, set logs public
19:26:41 [wseltzer]
rrsagent, make minutes
19:26:41 [RRSAgent]
I have made the request to generate http://www.w3.org/2014/01/21-websec-minutes.html wseltzer
19:26:55 [wseltzer]
chair: Virginie
19:27:20 [wseltzer]
Meeting: Web Security Interest Group
19:27:22 [wseltzer]
rrsagent, make minutes
19:27:22 [RRSAgent]
I have made the request to generate http://www.w3.org/2014/01/21-websec-minutes.html wseltzer
21:53:15 [terri]
terri has joined #websec
22:26:35 [npdoty]
npdoty has joined #websec
22:58:34 [npdoty]
npdoty has joined #websec