See also: IRC log
<wseltzer> virginie, I guess today's code will be 26634
<virginie> ok, i'll send it on the mailing list
<virginie> hi all, the conf call code is 26634#
<sftcd> thanks wendy
<_JeffH> what is the code for the bridge? i tried 9744# and am told it is invalid?
<wseltzer> _JeffH, 26634
<fan> aacc is fan
<virginie> sorry for that the code is 26634#
<_JeffH> ok, that worked thx
<_JeffH> ok, need to update wiki ?
<_JeffH> I'm covering for BHill who had a conflict
<_JeffH> oops
<virginie> done
I will today...
<scribe> scribenick: kodonog
Introductions
<_JeffH> i don't see masinter in the irc ?
<_JeffH> oh it's "larry"
Virginie, Karen O'Donoghue, Stephen Farrell, Larry Masinter, Dom, Wendy Seltzer, Jeff Hodges
Terri (Intel), Nick Doty
<_JeffH> someone is scribing ?
Hannes Tschofenig
Virginie addresses the plan for the meeting.
<_JeffH> which is coord between IETF, esp security, with overlapping areas in W3C
First agenda item, Stephen Farrell, IETF work and STRINT workshop
want an active liaison and conserve resources
W3C is interested in IETF security review process as we are considering doing the same
<_JeffH> where "we" == ietf ?
Stephen Farrell: folks on call already know a lot about the IETF
<wseltzer> we= W3C
<_JeffH> k
… main working groups relevant to the W3C: httpbis, httpauth,
… in ops area also the wpkops wg
<Larry> UTA Using TLS in Applications
… in the applications area, relevant groups include websec and uta (using TLS in applications)
<Larry> websec?
<_JeffH> yes, websec in apps area is impt
STRINT workshop 28 Feb / 1 Mar before IETF 89 in London
<_JeffH> got 62 submissions (closed today)
idea is to continue the discussion started in Vancouver to address pervasive monitoring
<_JeffH> https://www.w3.org/2014/strint/
WGLC on IETF document defining pervasive monitoring as an attack
<_JeffH> strint is aimed to figure out actual mitigations to pervasive monitoring
workshop CFP deadline has passed
regarding IETF security review, there are various directorates in the IETF including the Security Directorate
every document that is coming up for approval in the IESG gets some security review in the Security Directorate
<_JeffH> directorates are a means for collecting a review board, and parcelling out specs for review
<_JeffH> have about 40 folks in Sec Dir
reviews allocated on a round-robin basis, 80% hit rate
each reviewer tends to get one review every few months
<_JeffH> each reviewer gets a doc to review about every couple months
Security Area Director uses review during the IESG processing of the document
useful as an educational tool for people working in the IETF - get exposure to lots of other work in the IETF
facilitated by a tool, with someone to help manage it: inputs reviews, allocates reviews, inputs results
Virginie: description indicates you have quite an infrastructure to support security reviews
Stephen: have regular liaison calls with Wendy and Mark Nottingham; issues could be raised to that forum, or send direct mail
... happy to help as we can
Larry: concerned about things that have fallen out of websec and not appeared in W3C (missed specific examples)
Stephen: MIME sniffing was really an apps thing, so you would be better off talking to them. Believes there wasn't a clear consensus and volunteers to support the work.
origin is an RFC
Virginie: W3C and IETF are currently well coordinated,
<_JeffH> https://tools.ietf.org/search/rfc6454 The Web Origin Concept
need to monitor output of the STRINT workshop to see if there is some W3C websec work to pursue
? agenda
<Larry> what i remember reading was that the Origin RFC is wrong and they are just abandoning it
(scribe has forgotten how to switch agenda items…)
<_JeffH> larry: really? that on whatwg list?
<sftcd> @larry - don't whatwg think *everything* is wrong?
<Larry> i'll have to find this
W3C TAG security discussions - need to make some effort to build a community of experts
<sftcd> I did hear something about whatwg and SOP messing a few months ago
there are some security topics of interest but possibly not enough contributors
two things from the TAG discussions:
TAG members were not that excited by systematic reviews of W3C recommendations
possibly the implementation reports are sufficient to address this.
need to consider if we really need these reviews
<virginie> https://github.com/w3ctag/secure-the-web
There is now a TAG effort to secure the web.
This may overlap with activity in the interest group
TAG concerned that there are a lack of security contributors in the W3C
need to recruit additional participants
Virginie will share her slides to the TAG on the wiki
<sftcd> just to note that PFS for TLS under HTTP is on the charter for the new UTA wg in the IETF
<Larry> ack
<sftcd> @larry: the general question of HTML5 not referencing RFCs is a good liaison topic for w3c/ietf calls, pete resnick is the right AD for that I think
<virginie> http://www.w3.org/Security/wiki/IG
review the wiki to discuss W3C work
<virginie> http://www.w3.org/Security/wiki/IG/W3C_spec_review
<virginie> http://www.w3.org/Security/wiki/IG/web_security_model
virginie has updated the page related to spec review
<virginie> http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis
<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
virginie is stepping through the current material on the wiki to help develop a work plan for the interest group
<virginie> http://www.w3.org/Security/wiki/IG/press_news
looking for people for the IG to contribute to the various topics
<AndyF> ++
<_JeffH> sorry, I am overbooked and can't commit to anything new at this time, tho we can see, over the next several months, if we can have someone contribute (no promises tho)
Dom: for the mobile topic, would like to collaborate with security experts
<virginie> http://www.w3.org/Security/wiki/IG/Mobile_Security_analysis
no one on the call from Nokia, perhaps we could contact them
<Zakim> Larry, you wanted to ask about 'cloud security' standards and if there's some liaison possibilities
Larry: see a lot of activity related to cloud
<Larry> i'm done
there are possible liaisons to facilitate this work
<Larry> I'm trying to sort it out, so i'd rather not display my ignorance
Virginie: are you talking about the Cloud Security Alliance?
they have issued some guidance that is quite vague
<Larry> operational procedures, etc.
bring back additional references or recommendations for cloud security work
<Larry> I can help with that
asks Larry to provide any additional references for analysis
beginning to announce the existence of the IG and the ability to do security reviews
need to recruit members in order to execute on these reviews
<Larry> all of the 'ongoing issues' in http://www.w3.org/Security/wiki/Main_Page#Ongoing_issues ...
Larry: Ongoing issues: documents are from 2009 and 2010, nothing that has been published recently
<wseltzer> [that's an old wiki -- we're working from http://www.w3.org/Security/wiki/IG ]
<wseltzer> [thanks Larry, we'll work to clean up that "Main Page"]
<virginie> http://www.w3.org/Security/wiki/IG/web_security_model
<Larry> what about guidelines for W3C working groups about how to do security analysis of their specs?
Virginie: this is an older wiki and we are working to update the material on the new wiki
<sftcd> gotta drop off the call - thanks for listening and if we can help just shoot a mail to me stephen.farrell@cs.tcd.ie
next steps: each person to think about a potential activity that they could lead
<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
understanding the web security model is important
<terri> +1 to monthly calls
proposing a monthly call for the websec IG
no consensus for a monthly call
continue discussions over the mailing list and if interest increases schedule a call
<_JeffH> ok thx bye now
<Larry> tx
Minutes date: 21 Jan 2014. Minutes URL: http://www.w3.org/2014/01/21-websec-minutes.html