See also: IRC log
<virginie> USA - Belcamp +12153674444, with Conference ID: 68835794
<jusk> hello virginie, how are you?
<virginie> for your information, bridge details are USA - Belcamp +12153674444, with Conference ID: 68835794
<virginie> hello jusk, who are you :)
<jusk> hello, i'm jusk
<jusk> a security independent researcher
welcome
<jusk> thank you
<virginie> thanks for joining, jusk !
<virginie> chaals, any number you would like to have (depending on where you call, madrid ? russia ? australia ? south corea ?)
virginie: Welcome all
... I've been hearing a lot about the need for security in W3C
... security conversations are happening in several places, WebAppSec WG, WebCrypto WG, etc.
... Need a place to get overview and to host the security reviews
... Let's start with introductions
wseltzer: Wendy Seltzer, Technology & Society Domain Lead, W3C
weiler: Sam Weiler, I'll be supporting WebAuthn, other security & privacy
... come from IETF security work
... DNS, routing security
christine: Christine Runnegar, ISOC, co-chair W3C PING
chaals: Charles McCathie Nevile, chair Web Platform WG, Yandex
virginie: Virginie Galindo, chair WebSec IG and WebCrypto
... co-chairing Hardware-Based Secure Services CG
... Some thoughts: security reviews
... TAG and WebAppSec started self-review questionnaire
https://github.com/w3ctag/security-questionnaire
<virginie> wiki https://www.w3.org/Security/wiki/IG
<virginie> New features : https://www.w3.org/Security/wiki/IG/W3C_security_roadmap
virginie: securing resources
... (reviewing https://www.w3.org/Security/wiki/IG/W3C_security_roadmap)
... What do you think W3C needs to address, that we're not currently doing?
w3.org/Security
<virginie> with the roadmap https://www.w3.org/Security/wiki/IG/W3C_security_roadmap
https://github.com/w3c/websec/blob/gh-pages/security-roadmap.md
<chaals> some stuff
chaals: accessibility and security in the wiki
... another issue arose re passwords in ARIA
... lots of issues in security if you're using accessibility tech
... separate issue, lots of security issues where things don't actually work
... e.g., password input field in HTML, no indication to user
... pieces of security infrastructure that might give false sense of security
virginie: ARIA conversation that concluded on WebAppSec mailing list
... problem about describing security information to user
... conveying information accessibly without changing its integrity
... UA needs to share info on execution context
wseltzer: specs need privacy and security review to move forward; Director will be looking for privacy and security considerations at transitions
... so maybe more of those interested in specs will join us to help do those reviews
christine: One thing that's worked well for PING is inviting the groups (editors, chairs) to join PING for conversation about what they're trying to achieve
... and the privacy considerations involved
virginie: where is the follow up?
christine: resourcing is a challenge for us too
... ideally, we'd finish PING privacy questionnaire, ask groups to complete it before coming to us
<virginie> to schuki_ you might join with Conference ID: 68835794 United Kingdom +441489557119
christine: do we need a security directorate?
<Zakim> virginie, you wanted to comment on process
chaals: I represent a big org with security experts; but many of them aren't involved with W3C
... it's easier to get someone who can do some spec work than security work
... and the problem with mandatory security reviews is a disincentive to do work
... how can we make it easy for security people to look at the work?
... non-security people have to help in framing questions security people can respond to
... can we easily describe things that look scary, to motivate people?
<virginie> qq+
weiler: in IETF security reviews, valuable piece was security reviewer asking questions the spec author hadn't thought of
... why are you doing this? how does it work?
... Q for W3C veterans: how important is face-time?
<chaals> [IMHO building a relationship based on physical interaction is really helpful]
virginie: we look for opportunities for informal meetings around other W3C meetings, e.g. TPAC
... WGs haven't been so responsive when sending specs for security review, to explain the spec
chaals: F2F time is valuable to build community of people accountable to one another
virginie: perhaps set up joint call with WG requesting review
... Christine, how does PING questionnaire work with TAG's?
wseltzer: what can we learn from IETF security considerations?
weiler: we started with a list of likely reviewers who'd been meeting over lunch at physical IETF meetings
... about 2/3 were willing to do reviews
... pre-build a list of possible "victims" who you want to ask to help
... also helps to know that if there is no response to the review, the document will be blocked
... you at least need to respond, even if the review was entirely wrong
... by design, we didn't require specific expertise
... to encourage breadth
... start by reading the privacy and security considerations sections, to see if they needed to read the whole thing
... workload. giving reviewers one document every 6-8 weeks, not a huge burden
<virginie> [note: virginie does not see security review in the W3C process https://dvcs.w3.org/hg/AB/raw-file/default/cover.html]
[note: the director requires it in charters and reviewing docs in transitions]
weiler: no checklist
... some guidance documents
<virginie> draft process for review https://www.w3.org/Security/wiki/IG/W3C_spec_review
<christine> apologies I have to join another call
wseltzer: the director requires security & privacy considerations in charters, at transitions
virginie: we should put it into the process too
chaals: better to put it into charters as requirements, than to put it in process
... talk to the director
... also, process is harder to get right
[the intersection of security and accessibility is very interesting]
Date: 03 May 2016. Minutes: http://www.w3.org/2016/05/03-websec-minutes.html
Present: wseltzer, virginie, weiler, christine, Chaals-as-leader. Scribe: wseltzer