W3C

- DRAFT -

Web Security Interest Group

03 May 2016

See also: IRC log

Attendees

Present
wseltzer, virginie, weiler, christine, Chaals-as-leader
Regrets
Chair
Virginie Galindo
Scribe
wseltzer

<virginie> USA - Belcamp +12153674444, with Conference ID: 68835794

<jusk> hello virginie, how are you?

<virginie> for your information, bridge details are USA - Belcamp +12153674444, with Conference ID: 68835794

<virginie> hello jusk, who are you :)

<jusk> hello, i'm jusk

<jusk> an independent security researcher

welcome

<jusk> thank you

<virginie> thanks for joining, jusk !

<virginie> chaals, any number you would like to have (depending on where you call from, Madrid? Russia? Australia? South Korea?)

virginie: Welcome all
... I've been hearing a lot about the need for security in W3C
... security conversations are happening in several places, WebAppSec WG, WebCrypto WG, etc.
... Need a place to get overview and to host the security reviews
... Let's start with introductions

wseltzer: Wendy Seltzer, Technology & Society Domain Lead, W3C

weiler: Sam Weiler, I'll be supporting WebAuthn, other security & privacy
... come from IETF security work
... DNS, routing security

christine: Christine Runnegar, ISOC, co-chair W3C PING

chaals: Charles McCathie Nevile, chair Web Platform WG, Yandex

virginie: Virginie Galindo, chair WebSec IG and WebCrypto
... co-chairing Hardware-Based Secure Services CG
... Some thoughts: security reviews
... TAG and WebAppSec started self-review questionnaire

https://github.com/w3ctag/security-questionnaire

<virginie> wiki https://www.w3.org/Security/wiki/IG

<virginie> New features : https://www.w3.org/Security/wiki/IG/W3C_security_roadmap

virginie: securing resources
... (reviewing https://www.w3.org/Security/wiki/IG/W3C_security_roadmap )
... What do you think W3C needs to address, that we're not currently doing?

w3.org/Security

<virginie> with the roadmap https://www.w3.org/Security/wiki/IG/W3C_security_roadmap

https://www.w3.org/Security/

https://github.com/w3c/websec/blob/gh-pages/security-roadmap.md

<chaals> some stuff

chaals: accessibility and security in the wiki
... another issue arose re passwords in ARIA
... lots of issues in security if you're using accessibility tech
... separate issue, lots of security issues where things don't actually work
... e.g., password input field in HTML, no indication to user
... pieces of security infrastructure that might give false sense of security

virginie: ARIA conversation that concluded on WebAppSec mailing list
... problem about describing security information to user
... conveying information accessibly without changing its integrity
... UA needs to share info on execution context

wseltzer: specs need privacy and security review to move forward; Director will be looking for privacy and security considerations at transitions
... so maybe more of those interested in specs will join us to help do those reviews

christine: One thing that's worked well for PING is inviting the groups (editors,chairs) to join PING for conversation about what they're trying to achieve
... and the privacy considerations involved

virginie: where is the follow up?

christine: resourcing is a challenge for us too
... ideally, we'd finish PING privacy questionnaire, ask groups to complete it before coming to us

<virginie> to schuki_ you might join with Conference ID: 68835794 United Kingdom +441489557119

christine: do we need a security directorate?

<Zakim> virginie, you wanted to comment on process

chaals: I represent a big org with security experts; but many of them aren't involved with W3C
... it's easier to get someone who can do some spec work than security work
... and the problem with mandatory security reviews is a disincentive to do work
... how can we make it easy for security people to look at the work?
... non-security people have to help in framing questions security people can respond to
... can we easily describe things that look scary, to motivate people?

<virginie> qq+

weiler: in IETF security reviews, valuable piece was security reviewer asking questions the spec author hadn't thought of
... why are you doing this? how does it work?
... Q for W3C veterans: how important is face-time?

<chaals> [IMHO building a relationship based on physical interaction is really helpful]

virginie: we look for opportunities for informal meetings around other W3C meetings, e.g. TPAC
... WGs haven't been so responsive when sending specs for security review, to explain the spec

chaals: F2F time is valuable to build community of people accountable to one another

virginie: perhaps set up joint call with WG requesting review
... Christine, how does PING questionnaire work with TAG's?

wseltzer: what can we learn from IETF security considerations?

weiler: we started with a list of likely reviewers who'd been meeting over lunch at physical IETF meetings
... about 2/3 were willing to do reviews
... pre-build a list of possible "victims" who you want to ask to help
... also helps to know that if there is no response to the review, the document will be blocked
... you at least need to respond, even if the review was entirely wrong
... by design, we didn't require specific expertise
... to encourage breadth
... start by reading the privacy and security considerations sections, to see if they needed to read the whole thing
... workload. giving reviewers one document every 6-8 weeks, not a huge burden

<virginie> [note: virginie does not see security review in the W3C process https://dvcs.w3.org/hg/AB/raw-file/default/cover.html]

[note: the director requires it in charters and reviewing docs in transitions]

weiler: no checklist
... some guidance documents

<virginie> draft process for review https://www.w3.org/Security/wiki/IG/W3C_spec_review

<christine> apologies I have to join another call

wseltzer: the director requires security & privacy considerations in charters, at transitions

virginie: we should put it into the process too

chaals: better to put it into charters as requirements, than to put it in process
... talk to the director
... also, process is harder to get right

[the intersection of security and accessibility is very interesting]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/05/03 14:28:57 $
