IRC log of webappsec on 2016-01-27

Timestamps are in UTC.

16:55:27 [RRSAgent]
RRSAgent has joined #webappsec
16:55:27 [RRSAgent]
logging to http://www.w3.org/2016/01/27-webappsec-irc
16:55:29 [trackbot]
RRSAgent, make logs world
16:55:29 [Zakim]
Zakim has joined #webappsec
16:55:31 [trackbot]
Zakim, this will be WASWG
16:55:31 [Zakim]
I do not see a conference matching that name scheduled within the next hour, trackbot
16:55:32 [trackbot]
Meeting: Web Application Security Working Group Teleconference
16:55:32 [trackbot]
Date: 27 January 2016
16:55:35 [wseltzer]
Agenda: https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0163.html
16:56:58 [bhill2]
bhill2 has joined #webappsec
16:59:11 [mkwst]
present+ mkwst
17:00:24 [bhill2]
bhill2 has joined #webappsec
17:01:09 [gmaone]
present+ gmaone
17:01:25 [bhill2]
present+ bhill2
17:01:27 [wseltzer]
present+ wseltzer
17:01:31 [wseltzer]
zakim, who is here?
17:01:31 [Zakim]
Present: mkwst, gmaone, bhill2, wseltzer
17:01:33 [Zakim]
On IRC I see bhill2, Zakim, RRSAgent, francois, Mek, gmaone, bblfish, yoav, tobie, timeless, mkwst, Josh_Soref, slightlyoff, ejcx_, trackbot, dveditz, mounir, terri_offline,
17:01:33 [Zakim]
... schuki, xiaoqian, wseltzer
17:01:49 [dveditz]
present+ dveditz
17:02:00 [wseltzer]
Chairs: bhill2, dveditz
17:02:15 [francois]
present+ francois
17:03:05 [bhill2]
happy to add that
17:03:07 [dveditz]
wseltzer: and "html 5.1" ?
17:03:26 [bhill2]
and Mike wanted to discuss possible next F2F?
17:04:00 [dveditz]
Bermuda?
17:04:24 [bhill2]
TOPIC: Minutes approval
17:04:25 [bhill2]
http://www.w3.org/2011/webappsec/draft-minutes/2016-01-13-webappsec-minutes.html
17:04:45 [bhill2]
minutes approved by unanimous consent
17:04:50 [bhill2]
TOPIC: agenda bashing
17:05:13 [dveditz]
scribenick: dveditz
17:05:19 [bhill2]
https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0163.html
17:05:44 [dveditz]
bhill2: wanted to spend time talking where we are as a group and where we're going
17:06:01 [wseltzer]
agenda+ work mode
17:06:07 [wseltzer]
agenda+ fetch dependencies
17:06:08 [dveditz]
bhill2: can also talk about normative references to whatwg specs, a possible next F2F.... anything else?
17:06:10 [wseltzer]
agenda+ F2F
17:06:25 [wseltzer]
agenda?
17:06:30 [dveditz]
whoa
17:07:05 [teddink]
teddink has joined #webappsec
17:07:10 [wseltzer]
present+ teddink
17:07:28 [wseltzer]
mkwst: 3 visitors from Google's infrastructure security team
17:07:31 [bhill2]
TOPIC: work mode
17:08:00 [dveditz]
bhill2: in the last year we've focused our calls on individual spec status on a regular basis
17:08:22 [dveditz]
bhill2: but looking for what to talk about on next calls I see 16 specs "in flight"
17:09:13 [dveditz]
... a couple of those are close to CR but most look like they're not making much progress toward implementation/adoption
17:09:34 [wseltzer]
-> http://w3c.github.io/webappsec/specs/ Specs in progress
17:10:09 [wseltzer]
q-
17:10:15 [bhill2]
https://www.w3.org/2011/webappsec/
17:10:26 [mkwst]
q+ I am (partially) the problem.
17:10:34 [wseltzer]
q- am
17:10:38 [wseltzer]
q- problem
17:10:47 [wseltzer]
queue=
17:10:49 [bhill2]
ack mkwst
17:11:17 [dveditz]
mkwst: part of the problem is that we have a lot of specs that are ideas as opposed to solid things people are working on
17:11:25 [jochen]
jochen has joined #webappsec
17:11:38 [jochen]
present +jochen
17:11:38 [dveditz]
... such as "clear site data" which we very much want to implement but I'm having trouble finding someone to implement
17:12:05 [dveditz]
... and on the other hand we have things that are potentially good ideas that we want to explore, but we don't know. e.g. Entry point regulation
17:12:31 [dveditz]
... needs some love in terms of implementation/experimentation but also discussion about the controversial points
17:13:06 [dveditz]
... I agree with the way you framed it, brad, in the agenda in terms of "too many things in flight". But I'd like to resolve that in favor of
17:13:19 [bhill2]
q?
17:13:28 [dveditz]
... "go faster" rather than "do less stuff". but I do agree having a lot of specs just hanging is not good
17:14:08 [dveditz]
bhill2: one of the things happening at W3c is that a lot of groups are moving towards having an "incubator mode" to do the initial exploration
17:14:15 [terri]
present +terri
17:14:26 [dveditz]
... and only have a formal group when there's already work toward having multiple implementation
17:14:28 [mkwst]
q+
17:14:46 [teddink]
q+
17:14:54 [mkwst]
q-
17:14:58 [dveditz]
... Microsoft has been very supportive of the incubator work mode, for example
17:14:59 [bhill2]
ack teddink
17:15:39 [bhill2]
zakim, who is here?
17:15:39 [Zakim]
Present: mkwst, gmaone, bhill2, wseltzer, dveditz, francois, teddink
17:15:41 [Zakim]
On IRC I see jochen, teddink, bhill2, Zakim, RRSAgent, francois, Mek, gmaone, bblfish, yoav, tobie, timeless, mkwst, Josh_Soref, slightlyoff, ejcx_, trackbot, dveditz, mounir,
17:15:41 [Zakim]
... terri, schuki, xiaoqian, wseltzer
17:16:00 [wseltzer]
present+ terri
17:16:02 [dveditz]
teddink: in general microsoft is very supportive of using incubator groups to iterate on things considered to be "good ideas" where there's less pressure from W3C processes, until you have some implementations
17:16:17 [mkwst]
q+
17:16:19 [dveditz]
... before taking it to the w3c leadership to form a formal standards group
17:16:25 [jochen]
present+ jochen
17:16:25 [bhill2]
ack mkwst
17:16:54 [dveditz]
mkwst: I think de facto we /are/ incubating, but we're doing it by publishing working drafts rather than doing it in a separate group
17:17:29 [bhill2]
q+
17:17:41 [dveditz]
... I'm happy to more explicitly incubate, as we are with CORS-1918 and @@, that are happening in other standards but are discussed here
17:18:26 [dveditz]
... but de facto those discussions involve many of the same people so I don't see it as important to make a strict distinction between incubating and standardizing
17:18:42 [bhill2]
ack bhill2
17:19:17 [dveditz]
bhill2: my concern is less that we're weighing the group down--we have a good community--but that we may be weighing down the pipeline of implementors
17:19:27 [teddink]
q+
17:19:36 [wseltzer]
ack bh
17:19:59 [bhill2]
ack teddink
17:20:03 [dveditz]
... what can we do to help guide implementation. I'd rather have 3 specs implemented by multiple browsers than to have all the specs implemented but by non-overlapping browsers
17:21:09 [dveditz]
teddink: I like Mike's proposed idea. makes it easier to make those prioritization discussions (internally) if we can point to a group where other vendors have prioritized the same issues
17:21:13 [bhill2]
q?
17:21:17 [wseltzer]
q+
17:21:25 [wseltzer]
q-
17:21:51 [wseltzer]
q+
17:22:06 [bhill2]
dveditz: At Mozilla, overwhelmed by the number of specs and focusing on what we can do with the people we have
17:22:08 [wseltzer]
q+ to follow up on mkwst's suggestion re threat model
17:22:26 [bhill2]
... a shared sense of prioritization in the group would help us understand that we are working on what others are focused on
17:22:35 [wseltzer]
ack wseltzer
17:22:35 [Zakim]
wseltzer, you wanted to follow up on mkwst's suggestion re threat model
17:23:24 [dveditz]
wseltzer: I like mike's thoughts about describing the threat model that each spec is good at addressing
17:23:35 [mkwst]
q+ to suggest priority queue for features, regardless of spec.
17:23:56 [bhill2]
wseltzer: group could produce threat model document(s) non-normatively and then give reports indicating what specs are relevant and people could give feedback on what is important
17:24:05 [bhill2]
ack mkwst
17:24:05 [Zakim]
mkwst, you wanted to suggest priority queue for features, regardless of spec.
17:24:58 [dveditz]
mkwst: noticed in conversation with folks at Google there's discrepancies in implementations between browsers. could be useful to create a prioritization list
17:25:22 [dveditz]
... in particular thinking of small things like nonces from CSP2
17:25:24 [wseltzer]
+1
17:25:45 [wseltzer]
q+
17:25:59 [dveditz]
... that would be very useful even if "implement all of CSP 2" is overwhelming
17:26:09 [bhill2]
ack wendy
17:26:26 [bhill2]
bhill2: a visible priority queue would be useful guidance to other UA vendors who aren't here
17:27:07 [dveditz]
wseltzer: I like the way this is developing. especially if implementors took the prioritization as a list of things there was real "customer demand" for particular features
17:28:02 [mkwst]
q+ to note that the priorities should, ideally, be set by developers.
17:28:04 [dveditz]
bhill2: two concrete outcomes are a threat modeling section, and a list of implementation priorities
17:28:06 [wseltzer]
q-
17:28:16 [bhill2]
ack mkwst
17:28:16 [Zakim]
mkwst, you wanted to note that the priorities should, ideally, be set by developers.
17:28:55 [dveditz]
mkwst: the one thing important: prioritization should come from developers. I have people inside Google saying "I need X" and I'm sure Brad hears from facebook folks
17:29:25 [dveditz]
bhill2: something usable everywhere is better than the exact thing I want that only works in one browser
17:29:33 [teddink]
I agree as well - web servelopers and large web properties should play a critical role in whatever prioritization we come up with.
17:29:39 [teddink]
Developers, that is.
17:30:17 [dveditz]
... we could have an anonymous voting system, or one where voters can declare their affiliations, and see if we can come up with a rank order.
17:30:34 [jochen__]
jochen__ has joined #webappsec
17:31:02 [dveditz]
mkwst: voting system or not, doesn't matter, but a wiki page we all "kind of agree on" would be useful. don't want to wait to get this going
17:31:34 [wseltzer]
zakim, take up agendum 2
17:31:34 [Zakim]
agendum 2. "fetch dependencies" taken up [from wseltzer]
17:31:47 [dveditz]
bhill2: let's go to more fun meta work.... normative references to specs outside w3c
17:31:49 [bhill2]
TOPIC: "fetch dependencies"
17:32:11 [wseltzer]
https://www.w3.org/2013/09/normative-references
17:32:24 [dveditz]
wseltzer: one of the fun bits of w3c process we have guidelines for normative references
17:32:45 [dveditz]
... looking at the stability of the reference docs, the nature of the dependencies
17:33:29 [dveditz]
... inside w3c we have criteria for stability for reaching recommendation status. outside groups may or may not meet those criteria and we have to look at them individually
17:33:59 [dveditz]
... in particular we have a lot of specs depending on the "fetch" spec and the director has raised concerns about that -- is it stable and subject to wide public review?
17:34:45 [dveditz]
... tim also has some concerns about implementation of some specific fetch features (worry that the CORS interactions aren't very clear to developers)
17:35:03 [dveditz]
... worries that may indicate there hasn't been enough public review
17:36:03 [mkwst]
q+
17:36:14 [bhill2]
ack mkwst
17:36:19 [dveditz]
... we have multiple specs working through the w3c process that have this dependency. the closest to recommendation status is sub-resource integrity so we have to resolve this
17:36:43 [dveditz]
mkwst: as someone who works on chrome, the fetch spec is what we work from regardless of whether it's a normative reference
17:36:45 [wseltzer]
q+
17:37:08 [dveditz]
... if I can't reference the thing I'm actually using in my specs that raises problems
17:38:05 [dveditz]
... WHATWG has a renewed vigor in defining HTML, and there's a group in w3 working on HTML. it's clear to me what to do with WHATWG -- I send a pull request. not clear to me how to interact with the W3 group
17:38:38 [wseltzer]
q- later
17:38:43 [wseltzer]
q-
17:38:56 [dveditz]
... this is difficult, but browsers gonna browse -- whichever one we reference the behavior will most closely match what the whatwg is producing at the moment
17:39:07 [jochen__]
q+
17:39:13 [bhill2]
ack jochen__
17:39:19 [wseltzer]
ack jochen__
17:39:46 [dveditz]
jochen__: have run into problems with the referrer policy spec where certain things are not specified
17:40:07 [wseltzer]
q+
17:40:16 [dveditz]
... and it seems easier to get that fixed in fetch than through W3c
17:40:30 [dveditz]
thx mkwst
17:41:31 [dveditz]
wseltzer: we do need to do what developers and implementors need, trying to figure out how to make that better.
17:41:35 [bhill2]
q+
17:41:37 [wseltzer]
q-
17:41:48 [wseltzer]
ack bh
17:43:15 [dveditz]
bhill2: we want to make progress, to get things completed and done, and the best thing is to use what the browsers are implementing from. that currently seems to be the fetch spec. I'd like to make progress producing things for developers to use and not get hung up on political battles
17:44:24 [dveditz]
wseltzer: any other implementors want to say something here? I too would like this to move forward
17:45:00 [teddink]
I would have to chat with other folks on the Edge team that work on standards before I speak on behalf of Microsoft on this topic.
17:45:17 [dveditz]
mkwst: the "secure context" spec might be a good one. depends on fetch but not anything in HTML "5.1", could be a good clean first forcing function
17:45:18 [wseltzer]
q?
17:47:04 [wseltzer]
dveditz: Mozilla is moving toward fetch
17:47:14 [wseltzer]
mkwst: if you see things you don't understand, file browser bugs
17:47:23 [dveditz]
mkwst: if things are unclear file bugs.... we might need better behavior or better error messages
17:47:38 [bhill2]
TOPIC: potential F2F
17:47:38 [wseltzer]
zakim, take up agendum 3
17:47:38 [Zakim]
agendum 3. "F2F" taken up [from wseltzer]
17:47:41 [dveditz]
bhill2: last topic is potential F2F
17:48:23 [teddink]
Microsoft is also doing work towards a fetch implementation
17:48:49 [wseltzer]
http://conferences.oreilly.com/oscon/open-source-us May 18-19 in Austin, TX
17:48:51 [dveditz]
wseltzer: OSCON is in Austin this year... if people are already going there that might be an opportunity
17:49:44 [wseltzer]
q+
17:49:53 [teddink]
I agree - a F2F would be great.
17:49:59 [dveditz]
mkwst: I raised the idea of f2f because people inside google wanted to talk to security spec folks and would be good for us
17:50:02 [bhill2]
wseltzer: TPAC is in Lisbon in September
17:50:10 [dveditz]
wseltzer: TPAC is in lisbon in september this year
17:50:12 [terri]
F2F sounds great, but my travel has to be booked a quarter in advance
17:50:20 [jochen__]
May 18/19 is also Google IO, dunno how many google folks will be involved in that who also might want to go to the f2f
17:50:46 [wseltzer]
[2016 W3C Technical Plenary (TPAC) will be held on 19-23 September 2016 at the Congress Center of Lisbon, in Portugal.]
17:50:57 [dveditz]
terri: is May a quarter in advance? or would it have to be after June?
17:50:59 [wseltzer]
q+
17:51:27 [wseltzer]
https://www.w3.org/Consortium/Recruitment/#security-engineer
17:51:33 [wseltzer]
q-
17:51:46 [dveditz]
bhill2: thanks everyone. will send out some follow up items offline
17:51:48 [bhill2]
zakim, list attendees
17:51:48 [Zakim]
As of this point the attendees have been mkwst, gmaone, bhill2, wseltzer, dveditz, francois, teddink, terri, jochen
17:51:58 [bhill2]
rrsagent, make minutes
17:51:58 [RRSAgent]
I have made the request to generate http://www.w3.org/2016/01/27-webappsec-minutes.html bhill2
17:52:04 [bhill2]
rrsagent, set logs world
17:52:17 [terri]
dveditz: That's a little unclear right now; but probably May is still viable
17:52:32 [francois]
wseltzer: good thing the w3c website got its https sorted, it looks a lot better for a security job posting :)
17:52:42 [wseltzer]
francois :)
17:53:40 [bhill2]
seattle?
17:54:35 [dveditz]
santa cruz?
17:54:37 [dveditz]
:-)
17:59:33 [francois]
seattle would be nice and close :)
18:01:58 [bhill2]
I like Santa Cruz
18:02:08 [bhill2]
maybe we could drag someone from Cupertino down to visit there
18:32:05 [bhill2]
bhill2 has joined #webappsec
18:34:07 [bhill2_]
bhill2_ has joined #webappsec
18:45:17 [jonathanKingston]
jonathanKingston has joined #webappsec
20:06:36 [deian]
deian has joined #webappsec
20:19:10 [deian]
hi all. is the meeting at a different time? (tried joining the webex call at 12PM PST)
20:20:33 [wseltzer]
hi deian, it was at noon Boston/9am PST.
20:20:40 [wseltzer]
sorry we missed you!
20:21:56 [deian]
ah! thanks. I'll just read the scrollback
21:49:59 [bblfish_]
bblfish_ has joined #webappsec
22:32:45 [bblfish]
bblfish has joined #webappsec
23:04:47 [yoav]
yoav has joined #webappsec