16:39:17 <RRSAgent> RRSAgent has joined #webappsec
16:39:17 <RRSAgent> logging to http://www.w3.org/2015/12/16-webappsec-irc
16:39:19 <trackbot> RRSAgent, make logs world
16:39:19 <Zakim> Zakim has joined #webappsec
16:39:21 <trackbot> Zakim, this will be WASWG
16:39:21 <Zakim> I do not see a conference matching that name scheduled within the next hour, trackbot
16:39:22 <trackbot> Meeting: Web Application Security Working Group Teleconference
16:39:22 <trackbot> Date: 16 December 2015
16:39:58 <wseltzer> wseltzer has changed the topic to: WebAppSec 16 December: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0035.html
16:40:01 <wseltzer> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0035.html
16:48:14 <gmaone> gmaone has joined #webappsec
16:48:56 <yoav> yoav has joined #webappsec
16:54:46 <wseltzer> present+
16:56:11 <estark> estark has joined #webappsec
17:00:07 <bhill2> bhill2 has joined #webappsec
17:00:40 <francois> present+
17:00:48 <bhill2> present+ bhill2
17:00:53 <estark> present+ estark
17:01:03 <terri> present+
17:01:06 <bhill2> Meeting: WebAppSec Teleconference 16-Dec-2015
17:01:12 <gmaone> present+
17:01:12 <bhill2> Chairs: bhill2, dveditz
17:01:19 <bhill2> Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0035.html
17:02:00 <bhill2> zakim, who is here?
17:02:00 <Zakim> Present: wseltzer, francois, bhill2, estark, terri, gmaone
17:02:02 <Zakim> On IRC I see bhill2, estark, gmaone, Zakim, RRSAgent, francois, bblfish, slightlyoff, tobie, mkwst, timeless, Josh_Soref, dveditz, terri, schuki, Mek, mounir, xiaoqian, trackbot,
17:02:02 <Zakim> ... wseltzer
17:02:20 <mkwst> In another meeting, will be dialing in fairly soon.
17:02:58 <wseltzer> present+ Michael_Irwin
17:03:10 <wseltzer> present+ Ted_Dinklocker
17:04:03 <teddink_> teddink_ has joined #webappsec
17:04:55 <teddink_> Good morning
17:05:00 <dveditz> present+ dveditz
17:05:18 <bhill2> scribenick: bhill2
17:05:20 <dveditz> TOPIC: Agenda bashing
17:05:33 <mkwst> present+ mkwst
17:05:42 <bhill2> no new agenda topics
17:05:50 <bhill2> TOPIC: Minutes approval
17:05:56 <bhill2> http://www.w3.org/2011/webappsec/draft-minutes/2015-11-16-webappsec-minutes.html
17:05:59 <dveditz> TOPIC: Minutes approval
17:05:59 <dveditz> http://www.w3.org/2011/webappsec/draft-minutes/2015-11-16-webappsec-minutes.html
17:06:19 <hta> hta has joined #webappsec
17:06:39 <bhill2> dveditz: any objection to unanimous consent to approve?
17:06:43 <bhill2> no objections
17:06:47 <bhill2> dveditz: minutes approved
17:06:54 <dveditz> TOPIC: News
17:07:12 <bhill2> dveditz: CSP Cookie Controls and CSP Embedded Enforcement specs started calls for exclusions this week
17:07:36 <wseltzer> q+
17:08:13 <bhill2> bhill2: FIDO Alliance has made it's member submission of their 2.0 APIs
17:08:30 <bhill2> wseltzer: and we will shortly be sending a proposed charter for review for web authentication related to this
17:08:36 <bhill2> dveditz: different from credential WG?
17:08:43 <bhill2> wseltzer: entirely separate
17:08:50 <wseltzer> https://w3c.github.io/websec/web-authentication-charter
17:08:53 <bhill2> dveditz: seems like overlapping concerns
17:09:25 <wseltzer> q-
17:09:46 <bhill2> bhill2: I don't think it does overlap much, but a good reason for people here who know and care about security to take a look at the charter
17:10:05 <bhill2> wseltzer: also want to thank the group for lots of good work over the year
17:10:11 <bhill2> TOPIC: Teleconference 2016 meta
17:10:12 <dveditz> TOPIC: Teleconference 2016 meta
17:11:30 <bhill2> Continue with a spec rotation schedule or go to an "as-needed"
17:11:30 <bhill2>   schedule like WebApps/WebPlatform?
17:11:54 <bhill2> mkwst: seems nice to have a forcing function to ensure that specs are acutally moving, there are a few that have not moved in a long time
17:12:00 <bhill2> ... valuable to revisit on a periodic basis
17:12:12 <bhill2> ... not clear we need to structure our calls around that, things may pop up that are more important
17:12:26 <bhill2> ... but at some point it is helpful to have a forcing function to ensure we still want to be doing something
17:12:49 <bhill2> terri: agree, also easier to justify to my management all the specs we are working on, appreciate even null update
17:14:06 <bhill2> bhill2: those were some of my motivations for the approach, I will nominate the specs that have gone the longest time for the early part of next year and fill out the calendar from there
17:14:28 <bhill2> dveditz: seems like unanimous agreement and that as we work on more specs that approach has helped
17:14:36 <bhill2> TOPIC: UI Security
17:14:38 <dveditz> TOPIC: UI Security
17:14:45 <dveditz> https://w3c.github.io/webappsec-uisecurity/
17:16:08 <estark> q+
17:16:34 <bhill2> bhill2: will send a CfC after making some typo corrections, would hope that Googlers can encourage the folks working on Intersection Observer to give feedback
17:16:35 <estark> q-
17:16:51 <bhill2> mkwst: working to ensure that there is a single point of contact at Google for brad and dan on this topic
17:17:06 <dveditz> TOPIC: CSP Level 3
17:17:35 <bhill2> mkwst: would be nice if folks would look at it
17:18:04 <bhill2> ... very few behavioral changes
17:18:26 <bhill2> ... lots of clarifications re: integration of spec with other specifications like fetch and html to make it clear how it integrates with browser internals
17:18:40 <bhill2> ... what hooks are necessary and where those hooks are called
17:19:17 <wseltzer> q+
17:19:29 <bhill2> ... need to upstream some hooks to WHATWG and W3C, but most are present in the CSP3 spec already as a sort of todo list
17:19:39 <bhill2> ... need to know how that will work for HTML at the W3C
17:19:49 <bhill2> wseltzer: maybe we can arrange a chat with Web Platform WG chairs
17:20:20 <dveditz> https://w3c.github.io/webappsec-csp/
17:20:26 <tanvi> tanvi has joined #webappsec
17:20:33 <bhill2> mkwst: other set of changes is to make CSP more modular
17:20:44 <wseltzer> ACTION: wseltzer to schedule conversation with Web Platform WG chairs and WebAppSec re CSP3
17:20:44 <trackbot> Created ACTION-215 - Schedule conversation with web platform wg chairs and webappsec re csp3 [on Wendy Seltzer - due 2015-12-23].
17:20:44 <bhill2> ... CSP2 took an incredibly long time to move, would like CSP3 to move faster
17:21:14 <wseltzer> trackbot, action-215 due 2016-01-15
17:21:14 <trackbot> Set action-215 Schedule conversation with web platform wg chairs and webappsec re csp3 due date to 2016-01-15.
17:21:18 <bhill2> ... at TPAC, discussed breaking out features so things can move quickly, independently of the core
17:21:46 <bhill2> ... mostly directives and algorithms associated with directives
17:21:53 <bhill2> ... and CSP algorithm will call it at the right time
17:22:08 <bhill2> ... hopeful it will also work for new kinds of directives we are coming up with
17:23:35 <bhill2> teddink_: hello from Microsoft Edge team, taking over for Kevin Hill
17:23:46 <bhill2> ... also looking forward to some quality time with CSP3 spec and getting up to speed
17:24:56 <bhill2> mkwst: also working with Ilya Grigorik and web performance WG to define a more generic reporting mechanism
17:25:16 <bhill2> ... not specified inside CSP for broader set of things like xss auditor, error reporting, perf, etc.
17:25:18 <yoav> yoav has joined #webappsec
17:25:38 <bhill2> ... this is important to Google because we are DDoSing google front end servers with CSP violation reports
17:26:00 <bhill2> ... want to be able to coalesce requests at a minimum and hope it will be a one stop shop for this kind of reporting
17:26:09 <bhill2> bhill2: Web Telemetry WG?
17:26:28 <mkwst> webperf
17:26:57 <bhill2> +1 universal telemetry/reporting system would be awesome
17:27:50 <wseltzer> q?
17:27:52 <wseltzer> q-
17:27:53 <dveditz> zakim, who is on the queue?
17:27:53 <Zakim> I see no one on the speaker queue
17:28:43 <bhill2> dveditz: folks at Mozilla are unhappy about deprecating frame-src, want separate control from workers
17:28:49 <bhill2> mkwst: I want to do the same thing
17:29:05 <bhill2> ... know brad had qualms about that, would be good to revisit
17:29:45 <bhill2> well, not happy, b/c it would've created a lot of work :(
17:31:17 <bhill2> hta: has been approved and is just waiting for publication process to complete
17:31:24 <bhill2> (hta is Harald Alvestrand)
17:32:01 <dveditz> TOPIC: Signatures
17:32:39 <bhill2> dveditz: Sean Palmer has proposed a mechanism to support detached signatures for SRI
17:32:58 <bhill2> ... proposed mechanism was in a separate attribute, not sure how he thought they would be combined
17:33:09 <bhill2> ... signatures and an integrity check seem fairly distinct
17:35:07 <bhill2> bhill2: there is also a third proposal that was floated by Dev about using keys where we currently specify hashes in CSP to shorten policy declarations
17:35:46 <bhill2> ... another distinct use case from trusting a remote signing key but yet another approach to trusting content with keys
17:36:36 <bhill2> mkwst: suggest poking SRI editors in new year is a good way, volunteer them for the next call ;)
17:37:03 <bhill2> francios: the Martin Thompson proposal is being implemented at Mozilla for internal purposes (not exposed to web content yet)
17:37:15 <bhill2> ... but will get some implementation experience and be able to talk about it later if it's appropriate
17:37:33 <wseltzer> s/francios/francois/
17:38:28 <bhill2> dveditz: should we resume in the new year on the 6th or the 13th?
17:38:33 <bhill2> thanks wseltzer
17:38:46 <bhill2> mkwst; suggest 4 weeks is better, not much will happen
17:38:51 <bhill2> more comfy chair time
17:39:20 <dveditz> TOPIC: WebRTC/MediaCapture permissions
17:39:37 <bhill2> https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0030.html
17:39:42 <bhill2> https://docs.google.com/document/d/13c4hTlm2XgVYpxfGL1a8fcvI1CAUdIgd662DfElk_ow/edit
17:39:59 <bhill2> hta: some background, when we were doing WebRTC and especially data capture
17:40:10 <bhill2> ... a number of places where we say " and then you grant permission "
17:40:14 <bhill2> ... very ad-hoc
17:40:25 <bhill2> ... questioned why not use the permissions manager module?
17:41:09 <bhill2> ... WebRTC and MediaCapture groups favorably received the idea
17:42:03 <bhill2> dveditz: we want the Permissions spec to be extensible and voluntary, in general happy you've come to us
17:42:57 <bhill2> mkwst: things being done with WebRTC seems very much in the same vein as what else is happening in this document
17:43:33 <bhill2> ... would be a good idea to talk directly with the editors of that document.  Mounir and Marcos
17:43:55 <bhill2> dveditz: technically we own the spec but are sort of midwife for WebAPI group but didn't fit their charter
17:44:51 <Michael_> Michael_ has joined #webappsec
17:44:57 <bhill2> mkwst: convince implementers it makes sense and you are good to go
17:45:19 <wseltzer> q+
17:45:32 <bhill2> ack wseltzer
17:46:04 <bhill2> wseltzer: if anyone is willing to take on some description and evangelism of the work happening here
17:46:27 <terri> q+
17:46:27 <bhill2> ... particularly developer focused and success stories that we can share to get these technologies into broader circulation, that would be fantastic
17:46:48 <bhill2> ... also TAGs documentation of "what's next after Keygen" is also looking for a home
17:47:44 <wseltzer> q?
17:47:47 <bhill2> bhill2: I've looked at that, joined the last TAG call and owe some PRs there
17:48:16 <bhill2> ... think API work that comes out of that doc maybe ends up in proposed Web AuthN WG
17:48:30 <bhill2> terri: I'm working on getting approval to do developer docs
17:48:38 <bhill2> ... will have a better idea in january
17:48:41 <mkwst> q+
17:48:43 <bhill2> yay!
17:48:45 <bhill2> ack terri
17:48:50 <bhill2> ack mkwst
17:50:13 <bhill2> wseltzer: more groups are requiring security and privacy considerations explicitly in charters now
17:50:28 <dveditz> q?
17:50:29 <wseltzer> q?
17:50:55 <bhill2> dveditz: adjourned, see you all on Jan 13
17:51:05 <bhill2> zakim, list attendees
17:51:05 <Zakim> As of this point the attendees have been wseltzer, francois, bhill2, estark, terri, gmaone, Michael_Irwin, Ted_Dinklocker, dveditz, mkwst
17:51:13 <bhill2> rrsagent, make minutes
17:51:13 <RRSAgent> I have made the request to generate http://www.w3.org/2015/12/16-webappsec-minutes.html bhill2
17:51:19 <bhill2> rrsagent, set logs public-visible
17:51:53 <dveditz> Thanks for the questionnaire link, mkwst, I hadn't noticed that came out
17:52:23 <mkwst> dveditz: Nick put together a blog post as well with some links to the PING work.
17:52:33 <mkwst> I can't find that at the moment, but perhaps wseltzer has a link?
17:53:10 <wseltzer> https://www.w3.org/blog/2015/12/tools-to-ensure-security-and-privacy-of-the-open-web-platform/
17:53:17 <wseltzer> thanks mkwst
19:14:53 <yoav> yoav has joined #webappsec
19:30:51 <tanvi> tanvi has left #webappsec
19:48:07 <yoav> yoav has joined #webappsec
19:51:51 <Zakim> Zakim has left #webappsec
20:33:43 <wseltzer> trackbot, end teleconf
20:33:43 <trackbot> Zakim, list attendees
20:33:51 <trackbot> RRSAgent, please draft minutes
20:33:51 <RRSAgent> I have made the request to generate http://www.w3.org/2015/12/16-webappsec-minutes.html trackbot
20:33:52 <trackbot> RRSAgent, bye
20:33:52 <RRSAgent> I see 1 open action item saved in http://www.w3.org/2015/12/16-webappsec-actions.rdf :
20:33:52 <RRSAgent> ACTION: wseltzer to schedule conversation with Web Platform WG chairs and WebAppSec re CSP3 [1]
20:33:52 <RRSAgent>   recorded in http://www.w3.org/2015/12/16-webappsec-irc#T17-20-44
20:33:52 <Zakim> Zakim has joined #webappsec