21:05:06 RRSAgent has joined #websec
21:05:06 logging to http://www.w3.org/2014/10/27-websec-irc
21:05:17 fjh has joined #websec
21:05:31 hadleybeeman has joined #websec
21:05:33 tanvi has joined #websec
21:05:37 Virginie: Co-chair of Web Security Interest Group
21:05:41 fjh has joined #websec
21:05:42 ckerschb has joined #websec
21:05:45 wseltzer has changed the topic to: Web Security IG at TPAC
21:05:51 wei_james_ has joined #websec
21:05:51 deian has joined #websec
21:05:52 puhley has joined #websec
21:05:52 fjh has joined #websec
21:05:53 Kevin_Hill_ has joined #websec
21:05:58 JeffH_ has joined #websec
21:06:05 brutzman_ has joined #websec
21:06:24 christine has joined #websec
21:06:26 jin has joined #websec
21:06:30 Topic: Introductions
21:07:05 karen_od has joined #websec
21:07:15 Dan_ has joined #websec
21:07:33 colin has joined #websec
21:07:53 rigo has joined #websec
21:08:14 dveditz has joined #websec
21:08:35 bhill2 has joined #websec
21:09:22 Virginie: Thanks for joining us
21:09:32 ... I had some slides, then the projector power died
21:09:51 ... We revived the WebSec IG last year
21:10:02 ... in response to security requests coming from W3C WGs
21:10:22 ... Mission is to discuss security topics; not to produce recs.
21:10:52 ... Build a community, discuss topics of interest, take actions.
21:10:57 virginie has joined #websec
21:11:00 https://www.w3.org/Security/wiki/IG
21:11:20 melinda has joined #websec
21:11:46 DWalp has joined #WebSec
21:11:56 ... Requested to do security reviews, evaluate mobile security
21:12:11 rrsagent, make logs public
21:12:16 rrsagent, make minutes
21:12:16 I have made the request to generate http://www.w3.org/2014/10/27-websec-minutes.html wseltzer
21:12:28 http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
21:12:47 ... understand security model, build roadmap
21:12:51 keiji_ has joined #websec
21:12:55 Chair: Virginie_Galindo
21:13:09 Meeting: Web Security Interest Group informal meeting
21:13:36 Virginie: High expectations, but less ability to deliver
21:14:11 Virginie: [noting points from http://www.w3.org/Security/wiki/IG/W3C_security_roadmap ]
21:15:04 Dan_ has joined #websec
21:15:31 ... Information-sharing
21:15:51 ... September was workshop season
21:16:02 ... Permissions, WebCrypto vNext
21:16:22 There is still Workshop season: http://www.w3.org/2014/privacyws/
21:16:52 FYI : permission workshop report is here : http://www.w3.org/2014/07/permissions/
21:16:54 wseltzer: It was not a formal workshop, more a meeting of the sysops working group — talking about ways to standardise asking for/granting/scoping permissions.
21:17:06 ... Dave Raggett is planning to recap that in a session on Wednesday.
21:17:35 ... For capabilities that go beyond the normal in a browser, where a user might want to control whether the web app has access to sensors or data in a secure storage —
21:17:58 ...— it should be able to ask the user for permission. One time? Hybrid? How does the permission persist?
21:18:23 ... Do we now have enough experience across capabilities and across browsers and devices to form some best practice/standard? And if so, who should do it?
21:19:00 ...It will at least partly be here in Security because the user might be tricked into doing something they don't want, or the web app might not get the capabilities it needs if it doesn't ask accurately
21:19:17 ...How do we balance usability, functionality, performance etc?
21:19:56 W3C Workshop on Privacy and User–Centric Controls
21:20:22 -> http://www.w3.org/wiki/TPAC2014/SessionIdeas#Trust_and_Permissions_in_the_Open_Web_Platform DSR's session proposal for Wednesday's unconference: Trust and Permissions
21:21:36 http://www.w3.org/2014/privacyws/
21:22:10 workshop with deadline for position papers Friday, please let me know if interested
21:22:28 20-21 Nov, Berlin
21:23:00 Rigo: Stemming from work of DT and Mozilla on understandable user controls
21:23:09 q?
21:23:22 ... I presented research in Pisa: we need to care more about UI
21:24:08 Virginie: WebCrypto vNext workshop
21:24:10 http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/
21:24:22 ... What comes after WebCrypto gives crypto primitives to web developers
21:24:52 ... Discussed authentication challenges, secure tokens, trusted execution environments, secure tokens -- how to use them on the Web
21:25:01 ... input to rechartering of WebCrypto WG
21:25:06 http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/report.html
21:25:23 virginie: There's lots of interest in Security
21:25:29 ... 70 people at webcrypto workshop
21:25:46 q+
21:25:50 ... so, how do we transform ideas into deliverables?
21:25:57 QIJINGWANG has joined #websec
21:25:58 ack fjh
21:26:13 fjh: Focus and prioritization
21:26:24 ... where should it lie?
21:26:54 ... Is key management, hardware crypto, environment?
21:27:21 virginie: WebCrypto WG, after publication of v1, will work on new algorithms
21:27:25 q+ to ask about use cases
21:27:27 ... hw tokens, certificate management
21:27:35 Zakim has joined #websec
21:27:43 ... hardware-protected or strong software-protected keys
21:27:43 q+ to ask about use cases
21:28:07 ... Web Security IG hasn't been able to set priorities, because we're looking for contributors
21:28:25 ... We're trying to do reviews, but not finding volunteers
21:28:44 q?
21:28:53 http://www.w3.org/Security/wiki/IG/W3C_spec_review
21:30:00 q?
21:30:01 q+
21:30:02 ack hadleybeeman
21:30:02 hadleybeeman, you wanted to ask about use cases
21:30:26 hadleybeeman: Wiki has a list of topics. Does the IG have a set of use cases?
21:30:48 virginie: We're trying to build a community of people willing to take on cases
21:31:00 ack rigo
21:31:02 ack next
21:31:26 rigo: STREWS has written 120 pages
21:31:26 q?
21:31:54 s/120 pages/a WebRTC security report/
21:33:06 q+
21:33:32 virginie: What should the IG do?
21:33:50 fjh: Focus could help
21:33:55 q-
21:34:11 q+
21:34:27 q+
21:34:45 q- later
21:35:16 Virginie: what are you in the room interested in doing?
21:35:33 christine: Some thoughts from the Privacy Interest Group's experience (PING)
21:35:47 ... e.g. develop guidance that can readily be used by other groups
21:35:53 weijames has joined #websec
21:36:05 ... one group can't review everything
21:36:21 is there anyone on irc who was dialed-in to 92794# Zakim and wants us to re-start the bridge?
21:36:24 one small group
21:36:40 q+ to discuss security consideration in specification
21:36:43 ... one thing we've found helpful is to have iterative discussions with chairs or WG members of groups seeking guidance
21:36:53 ... PING meets Friday, join us
21:36:56 ack christine
21:37:20 ... Guidance: Fingerprinting, privacy considerations for web protocols, spa: spec privacy assessment
21:38:22 ... Do we do security guidance at the same time as privacy? together?
21:38:43 npdoty has joined #websec
21:38:54 virginie: we started an effort to write security consideration guidance
21:39:17 q-
21:39:20 q+
21:40:03 wseltzer: As technology and society domain lead now in W3C, we keep hearing from the public that Web Security is important. We need to improve it. But we need your help in focusing how we do that.
21:40:04 +q
21:40:23 FYI : beginning of a draft of a try of guideline for security recommendation section https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
21:40:26 ...We know this is an ecosystem problem. We think W3C is a good point to bring people together to solve web security, improve it.
21:40:48 ...Should we put calls out to volunteers? Or do we need a more focused effort? A group that looks more like the TAG?
21:40:55 q-
21:41:13 ...Do we need you to ask your AC reps to ask W3C to prioritise this, put more resources onto it? Or less effort onto it?
21:41:24 q?
21:41:48 q+
21:41:51 q+ to advocate a working group — with a lot of dependencies
21:42:08 Kevin_Hill: 1st call to action could be to develop the focus, MS has someone who would help
21:42:09 ack wseltzer
21:42:16 nvdbleek has joined #websec
21:42:35 Dan_ has joined #websec
21:42:35 karen_od: TAG has started discussions. What's happened there?
21:43:23 virginie: some people think TAG + editors is enough to do security review; others think there needs to be an external review
21:44:28 q+
21:44:32 ack karen_od
21:44:43 ack bhill
21:44:56 bhill: a TAG or Security TAG sounds like a good idea
21:45:35 ... a more formal organization, visibility, prestige, can give people accountability
21:45:45 ack hadleybeeman
21:45:45 hadleybeeman, you wanted to advocate a working group — with a lot of dependencies
21:46:10 hadleybeeman: I'd like us to focus on the things we can build
21:46:14 q+
21:46:18 q- later
21:46:24 ... that's why I'd say a WG
21:46:41 ... we could easily talk for 10 years, without making something concrete
21:46:43 scribenick: rigo
21:46:46 q+
21:46:51 ack wselt
21:47:25 wseltzer: we are trying to get some focus and not just talking. WebAppSec is doing a lot of concrete specs for web application
21:47:29 wseltzer: That is where we're trying to get some focus, rather than just talking. We have Web Apps Sec WG producing concrete specs.
21:47:43 scribenick: hadleybeeman
21:47:54 ...Are there other pieces to add to this road map? Can we see other places where the road is insecure?
21:48:06 q?
21:48:16 ack brutzman_
21:48:20 scribenick: wseltzer
21:48:37 brutzman_: EXI has some specific concerns
21:48:46 q+
21:49:01 ... just posted to the mailing list, security considerations around canonicalization
21:49:04 ... and digital signatures
21:49:18 ack rigo
21:49:48 rigo: European research scene has multiple roadmapping projects
21:49:55 ... 6-8 months out
21:50:08 ... how about security of linked data?
21:50:11 ... for Efficient XML Interchange (EXI) https://www.w3.org/XML/Group/EXI/
21:50:18 ... we haven't talked about that at all
21:50:33 q?
21:50:45 ack terri
21:50:57 terri: It's been very hard for me to get time allocated without a roadmap
21:51:03 also we haven't talked about Linked data security at all so far. And this is a pressing need.
21:51:05 ... because it seemed too unstructured
21:51:11 q?
21:51:20 ... we need more structure in order to get volunteers.
21:51:33 observes that W3C historically hasn't prioritized security -- eg not requiring Recommendations to have (well-crafted) security considerations sections -- also web sec experts per se don't seem to inhabit w3c working groups (in general, there's exceptions of course), plus there isn't a security-oriented community a la IETF SAAG folk -- and so also w/o top-down security emphasis such as that that occurred in the IETF in the mid-to-late 1990's (eg: every RFC SHA[CUT]
21:51:40 fjh has joined #websec
21:52:20 a sec cons section..." -- also there's OWASP where web sec folk seem to hang out -- is there some way to cross-fertilize between W3C and OWASP?
21:52:32 virginie: Takeaways, let's focus, work with PING
21:52:47 ... test the idea of a security TAG
21:53:05 q+
21:53:11 terri: had some conversations with OWASP
21:53:23 bhill: there are lots of potential people who aren't W3C members
21:54:08 ... consultancies see they're already volunteering their people's time, why also pay membership?
21:54:19 ... other ways to interact?
21:54:44 ack christine
21:55:12 christine: PING hopes to have a breakout Wednesday on privacy considerations for web protocols
21:55:22 q?
21:55:23 ... participate, because there are overlaps between privacy and security
21:55:37 ... and PING is also meeting Friday
21:56:15 virginie: Thanks WebAppSec for sharing your room
21:56:16 starting early - 8:30 am
21:56:22 ... We'll schedule another call soon
21:56:31 thanks !
21:56:49 melinda has joined #websec
21:58:21 bhill2 has left #websec
22:10:22 ckerschb has left #websec
22:15:37 Siva has joined #websec
22:16:27 Joining late...is the discussion still alive?
22:17:42 tanvi has joined #websec
22:22:48 test
22:26:29 jin has joined #websec
22:34:28 puhley has left #websec
23:09:06 rrsagent, draft minutes
23:09:06 I have made the request to generate http://www.w3.org/2014/10/27-websec-minutes.html wseltzer
23:09:14 fjh has joined #websec
23:09:31 siva, WebSec discussion finished. Draft minutes ^
23:10:27 i/Virginie: Co-chair of Web Security Interest Group/scribenick: wseltzer
23:10:34 s/siva, WebSec discussion finished. Draft minutes ^//
23:10:47 rrsagent, draft minutes
23:10:47 I have made the request to generate http://www.w3.org/2014/10/27-websec-minutes.html wseltzer
23:41:45 npdoty has joined #websec
23:56:58 hadleybeeman has left #websec