14:00:29 <RRSAgent> RRSAgent has joined #websec
14:00:29 <RRSAgent> logging to http://www.w3.org/2016/09/09-websec-irc
14:02:32 <weiler> weiler has changed the topic to: https://mit.webex.com/mit/j.php?MTID=mfb728390a6bd27aca64816256fa9289d
14:04:22 <weiler> Access code:647 702 442
14:04:49 <weiler> weiler has changed the topic to: https://mit.webex.com/mit/j.php?MTID=mfb728390a6bd27aca64816256fa9289d  or +1-617-324-0000  code 647 702 442
14:05:31 <chaals> chaals has joined #websec
14:05:36 <dezell> dezell has joined #websec
14:05:43 <nickrmc83> nickrmc83 has joined #websec
14:05:47 <engelke> engelke has joined #websec
14:05:49 <chaals> present+ chaals
14:05:56 <virginie> present+ virginie
14:06:16 <weiler> present+
14:06:38 <AndersR> AndersR has joined #websec
14:06:46 <nickrmc83> present+
14:06:49 <dezell> Present+ dezell
14:06:54 <engelke> present+
14:07:09 <AndersR> present+
14:07:19 <virginie> zakim, who is on the call ?
14:07:19 <Zakim> Present: chaals, virginie, weiler, nickrmc, dezell, engelke, AndersR
14:09:12 <weiler> scribenick: weiler
14:10:48 <weiler> virginie: invitation to introduce yourselves.
14:11:24 <weiler> q+ chaals, weiler, nickrmc, dezell, engelke, AndersR, alex
14:12:02 <weiler> engelke: active in webcrypto
14:12:29 <weiler> nickrmc: interest in webappsec
14:12:50 <weiler> dezell: cochair of web payments.  represent assn of convenience stores.
14:13:12 <weiler> AndersR: individual inventor in areas of authentication and security on web
14:13:27 <weiler> alex: interest in security models / provability
14:14:11 <weiler> weiler: came to w3c ~4 mo ago; background in IETF
14:14:13 <weiler> q=
14:14:19 <weiler> queue=
14:15:11 <weiler> virginie: see email on the list  https://lists.w3.org/Archives/Public/public-web-security/2016Sep/0016.html
14:15:22 <weiler> virginie: any agenda changes?
14:16:17 <weiler> ... websecig has low activity; charter is due for renewal.  despite low activity, think this IG is very valuable.
14:16:35 <chaals> q+ to talk about accessibility of security as a topic to raise.
14:16:37 <weiler> ... to have a forum for things outside of current WG charters, and as a home for security reviews
14:17:01 <weiler> ... W3C still sees security as an important topic; this was demonstrated during the last AC mtg.
14:17:21 <weiler> ... low investment of the members in this IG.  lots of efforts into existing WGs, but not prospective work
14:18:08 <weiler> chaals: new topic: accessibility of security / UI.  many normal people don't understand security.  if you don't have UI that they recognize and understand, you fail to provide what they need
14:18:37 <weiler> ... much work done there falls down on accessibility.  users w/ alternative access methods may not see the security UI bits.
14:18:51 <alex_ber> alex_ber has joined #websec
14:18:51 <weiler> virginie: during last websecIG call, we discussed this.
14:19:01 <weiler> present+ alex_ber
14:19:41 <weiler> ... chaals: are you suggesting we gather people in accessibility in security?  What is your request?
14:20:12 <weiler> chaals: other way around: when we review stuff, and when we put forward an idea, it's important that we seek out accessibility people and ask them if they really works
14:20:29 <weiler> ... e.g. indicators in browsers, for screen reader users and screen magnification users.
14:20:43 <weiler> ... can't even tell icon is there.
14:21:30 <weiler> ... extended validation certificates: there was agreement re: UI bits for those, but may not be clear to the visually impaired.
14:21:41 <weiler> .. that's a clear failure in most browsers
14:22:19 <virginie> q?
14:22:21 <weiler> virginie: chaals: is there overall in what you just mentioned and the current security questionnaire?
14:22:28 <virginie> ack chaals
14:22:28 <Zakim> chaals, you wanted to talk about accessibility of security as a topic to raise.
14:23:41 <virginie> https://www.w3.org/2016/08/2016-reorg.html#h.icr45wucrm9i
14:23:42 <weiler> virigine: W3C is doing internal reorg.
14:24:43 <weiler> ... security will fall under A&T / Ralph
14:24:52 <weiler> ... horizontal review will fall there.
14:26:11 <weiler> ... inviting weiler to clarify
14:26:29 <weiler> weiler: impression that all security bits will be under A&T / Ralph not accurate.
14:27:20 <weiler> ... functional organization doesn't really say where skills and expertise will be; I may be in strategy organization under Wnedy
14:27:30 <weiler> ... not sure who websecig team contact will be
14:27:55 <weiler> ... reviews will be under A&T / Ralph
14:28:55 <weiler> ... WG management will be under Phillipe / Project Mgmt
14:29:16 <weiler> virginie: going through slide pack, describing webauthn.
14:30:19 <AndersR> the writeup showed a topic from Alibaba, is there a spec or similar?
14:30:25 <weiler> ... web crypto... webappsec
14:30:52 <weiler> ... webappsec is efficient.  is the core of security activities in W3C.
14:31:58 <weiler> ... impression is that secure contexts WD is the most active of theirs
14:33:14 <chaals> scribe: chaals
14:33:53 <chaals> DE: Good summary. The group has focused on an API that can be used in the browser - and they are about to publish a companion HTTP API that allows for agents to work with payments.
14:34:08 <chaals> … as far as security is concerned we have had a task force look at what we are doing.
14:34:57 <chaals> … and working on verifiable claims - basically all about security. There is a developing proposal to create a W3C Working Group.
14:35:32 <chaals> … Also at ISO, there is a lot of work to bring North America in line with ISO-20022 which a lot of the rest of the world works with.
14:35:57 <chaals> … The approach is like a kitchen sink spec - everything that is related is being put into one giant spec.
14:37:18 <chaals> VG: Short status on Hardware-based services CG. Designing "secure services" - executed in devices or dedicated tokens that provide confidentiality.
14:37:25 <chaals> … e.g. USB key.
14:38:01 <chaals> … CG isn't delivering a standard, but writing the use cases and demonstrating that there are feasible technical solutions, to convince W3C members that it is worth creating a working group on this.
14:38:23 <chaals> … They have finished their initial report, focused on how to provide secure transaction confirmation and secure credential storage.
14:38:44 <chaals> -> https://rawgit.com/w3c/websec/gh-pages/hbss.html CG report
14:38:59 <chaals> … Next steps are to socialise these ideas through the membership.
14:39:08 <chaals> ??: Is it possible to join the CG?
14:39:19 <chaals> VG: Yes, anyone can join.
14:39:20 <virginie> https://www.w3.org/community/hb-secure-services/
14:39:55 <chaals> s|https://www.w3.org/community/hb-secure-services/|-> https://www.w3.org/community/hb-secure-services/ Community group page, with joining information|
14:40:11 <weiler> s/??/alex_ber/
14:40:23 <chaals> VG: Note that also sometimes things people do in the Privacy Interest Group is related.
14:40:37 <AndersR> https://www.w3.org/community/browserext/
14:40:49 <chaals> AR: Browser extensions CG group are working with things that are security related.
14:41:04 <dezell> q+
14:41:29 <chaals> … this work generally goes beyond what browsers normally allow, i.e. loosening security restrictions to provide functionality
14:41:40 <chaals> VG: Active?
14:41:43 <chaals> AR: Yes.
14:41:48 <chaals> … meeting at TPAC.
14:42:27 <chaals> Topic: TPAC
14:42:34 <chaals> VG: Who will be there?
14:42:44 <chaals> CMN: I will be there but *very* busy in general...
14:42:48 <dezell> q-
14:42:51 <chaals> DE: I will be there.
14:43:48 <chaals> VG: I have created a "security Jam" for Wednesday, hopefully jointly with Sam and Wendy.
14:44:20 <chaals> AR: I will be at TPAC - e.g in the browser extension meeting
14:44:28 <chaals> Topic: Security review questionnaire
14:44:54 <chaals> VG: How do we help people think carefully themselves, and do some useful review of their own work for security.
14:44:58 <virginie> https://www.w3.org/TR/security-privacy-questionnaire/
14:45:19 <chaals> s|https://www.w3.org/TR/security-privacy-questionnaire/|-> https://www.w3.org/TR/security-privacy-questionnaire/ security and privacy questionnaire
14:45:44 <chaals> … this is intended to help people consider the important questions they should be taking into account when they are designing technology.
14:46:48 <chaals> … this has also been discussed in various other places. What about creating an "expert group" to help with security reviews. The answer seems to be that we allow Working Groups to be autonomous and develop good skills for security, but seek to provide some backup expertise available for opportunistic review.
14:47:23 <chaals> … So don't try to systematically review everything, but answer specific questions. This means we need to know how useful the questionnaire is.
14:48:10 <chaals> … we need to find people who are ready to answer questions if they come in.
14:48:21 <chaals> … So how would we do that, who would be able to support such work?
14:48:23 <chaals> q+
14:50:16 <chaals> CMN: We would like to provide some support, but we are hoping that questions come directly to this mailing list
14:50:44 <chaals> VG: Yes, that seems to be what happens so far. Don't want to make a complex structure for a small number of people and questions.
14:51:10 <virginie> +1
14:51:26 <chaals> … who expects they can provide general backing to answer security questions that arise on this list?
14:51:28 <chaals> +1
14:51:36 <engelke> 0
14:51:39 <nick-smith> +1
14:51:59 <chaals> [The process we are likely to use is to collet the questions here, redirect them internally, and see if we can bring something back]
14:52:35 <chaals> s/directly to this mailing list/maliing list, and that the IG takes responsibility to collect what has gone back and forth to try and make it more digestable]
14:53:04 <chaals> Topic: Alibaba proposals for identity management
14:53:45 <chaals> VG: This goes further than Web Authentication, by actually connecting authorisation to something that e.g. guarantees there is a real person associated with an identity - whether or not that person is actually positively identified.
14:54:25 <chaals> Topic: other work
14:54:29 <chaals> VG: Are there other topics that we should be writing about, or discussing, related to security
14:54:36 <chaals> [crickets]
14:54:46 <chaals> OK, so we can finish a few minutes early.
14:54:54 <chaals> s/OK/… OK
14:55:31 <chaals> … I wanted to review some breaches that have occurred, but didn't have time to prepare. What about talking about it in a couple of months?
14:55:42 <chaals> … and a debrief on TPAC?
14:55:54 <chaals> q+ to ask for a debrief in one month
14:57:17 <chaals> CMN: Can we have the debrief in a month? Breach explanations are interesting if you haven't already understood the problem and solution…
14:57:29 <chaals> VG: Yes, let's aim for a call in October.
14:58:34 <weiler> Zakim, list participants
14:58:34 <Zakim> As of this point the attendees have been chaals, virginie, weiler, nickrmc, dezell, engelke, AndersR, alex_ber
14:58:43 <weiler> RRSAgent, make log member
14:58:55 <weiler> RRSAgent, generate minutes
14:58:55 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/09-websec-minutes.html weiler
14:59:16 <AndersR> AndersR has left #websec
14:59:35 <weiler> chair: virginie
14:59:37 <weiler> RRSAgent, generate minutes
14:59:37 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/09-websec-minutes.html weiler
15:00:46 <weiler> RRSAgent, make log public
15:00:53 <weiler> RRSAgent, bye
15:00:53 <RRSAgent> I see no action items