W3C

- DRAFT -

Web Security Interest Group teleconference
09 Sep 2016

See also: IRC log

Attendees

Present
chaals, virginie, weiler, nickrmc, dezell, engelke, AndersR, alex_ber
Regrets
Chair
virginie
Scribe
chaals


<scribe> scribenick: weiler

virginie: invitation to introduce yourselves.

engelke: active in webcrypto

nickrmc: interest in webappsec

dezell: cochair of web payments. represent assn of convenience stores.

AndersR: individual inventor in areas of authentication and security on web

alex: interest in security models / provability

weiler: came to w3c ~4 mo ago; background in IETF

virginie: see email on the list https://lists.w3.org/Archives/Public/public-web-security/2016Sep/0016.html
... any agenda changes?
... websecig has low activity; charter is due for renewal. despite low activity, think this IG is very valuable.
... to have a forum for things outside of current WG charters, and as a home for security reviews
... W3C still sees security as an important topic; this was demonstrated during the last AC mtg.
... low investment of the members in this IG. lots of efforts into existing WGs, but not prospective work

chaals: new topic: accessibility of security / UI. many normal people don't understand security. if you don't have UI that they recognize and understand, you fail to provide what they need
... much work done there falls down on accessibility. users w/ alternative access methods may not see the security UI bits.

virginie: during last websecIG call, we discussed this.
... chaals: are you suggesting we gather people in accessibility in security? What is your request?

chaals: other way around: when we review stuff, and when we put forward an idea, it's important that we seek out accessibility people and ask them if it really works
... e.g. indicators in browsers, for screen reader users and screen magnification users.
... can't even tell icon is there.
... extended validation certificates: there was agreement re: UI bits for those, but may not be clear to the visually impaired.
... that's a clear failure in most browsers

virginie: chaals: is there overlap between what you just mentioned and the current security questionnaire?

<Zakim> chaals, you wanted to talk about accessibility of security as a topic to raise.

<virginie> https://www.w3.org/2016/08/2016-reorg.html#h.icr45wucrm9i

virginie: W3C is doing internal reorg.
... security will fall under A&T / Ralph
... horizontal review will fall there.
... inviting weiler to clarify

weiler: impression that all security bits will be under A&T / Ralph not accurate.
... functional organization doesn't really say where skills and expertise will be; I may be in strategy organization under Wendy
... not sure who websecig team contact will be
... reviews will be under A&T / Ralph
... WG management will be under Philippe / Project Mgmt

virginie: going through slide pack, describing webauthn.

<AndersR> the writeup showed a topic from Alibaba, is there a spec or similar?

virginie: web crypto... webappsec
... webappsec is efficient. is the core of security activities in W3C.
... impression is that secure contexts WD is the most active of theirs

<chaals> scribe: chaals

DE: Good summary. The group has focused on an API that can be used in the browser - and they are about to publish a companion HTTP API that allows for agents to work with payments.
... as far as security is concerned we have had a task force look at what we are doing.
... and working on verifiable claims - basically all about security. There is a developing proposal to create a W3C Working Group.
... Also at ISO, there is a lot of work to bring North America in line with ISO-20022 which a lot of the rest of the world works with.
... The approach is like a kitchen sink spec - everything that is related is being put into one giant spec.

VG: Short status on Hardware-based services CG. Designing "secure services" - executed in devices or dedicated tokens that provide confidentiality.
... e.g. USB key.
... CG isn't delivering a standard, but writing the use cases and demonstrating that there are feasible technical solutions, to convince W3C members that it is worth creating a working group on this.
... They have finished their initial report, focused on how to provide secure transaction confirmation and secure credential storage.

-> https://rawgit.com/w3c/websec/gh-pages/hbss.html CG report

VG: Next steps are to socialise these ideas through the membership.

alex_ber: Is it possible to join the CG?

VG: Yes, anyone can join.

-> https://www.w3.org/community/hb-secure-services/ Community group page, with joining information

VG: Note that also sometimes things people do in the Privacy Interest Group is related.

<AndersR> https://www.w3.org/community/browserext/

AR: Browser extensions CG group are working with things that are security related.
... this work generally goes beyond what browsers normally allow, i.e. loosening security restrictions to provide functionality

VG: Active?

AR: Yes.
... meeting at TPAC.

TPAC

VG: Who will be there?

CMN: I will be there but *very* busy in general...

DE: I will be there.

VG: I have created a "security Jam" for Wednesday, hopefully jointly with Sam and Wendy.

AR: I will be at TPAC - e.g in the browser extension meeting

Security review questionnaire

VG: How do we help people think carefully themselves, and do some useful review of their own work for security.

-> https://www.w3.org/TR/security-privacy-questionnaire/ security and privacy questionnaire

VG: this is intended to help people consider the important questions they should be taking into account when they are designing technology.
... this has also been discussed in various other places. What about creating an "expert group" to help with security reviews. The answer seems to be that we allow Working Groups to be autonomous and develop good skills for security, but seek to provide some backup expertise available for opportunistic review.
... So don't try to systematically review everything, but answer specific questions. This means we need to know how useful the questionnaire is.
... we need to find people who are ready to answer questions if they come in.
... So how would we do that, who would be able to support such work?

CMN: We would like to provide some support, but we are hoping that questions come to the mailing list, and that the IG takes responsibility to collect what has gone back and forth to try and make it more digestible

VG: Yes, that seems to be what happens so far. Don't want to make a complex structure for a small number of people and questions.

<virginie> +1

VG: who expects they can provide general backing to answer security questions that arise on this list?

+1

<engelke> 0

<nick-smith> +1

[The process we are likely to use is to collect the questions here, redirect them internally, and see if we can bring something back]

Alibaba proposals for identity management

VG: This goes further than Web Authentication, by actually connecting authorisation to something that e.g. guarantees there is a real person associated with an identity - whether or not that person is actually positively identified.

other work

VG: Are there other topics that we should be writing about, or discussing, related to security

[crickets]

VG: OK, so we can finish a few minutes early.
... I wanted to review some breaches that have occurred, but didn't have time to prepare. What about talking about it in a couple of months?
... and a debrief on TPAC?

CMN: Can we have the debrief in a month? Breach explanations are interesting if you haven't already understood the problem and solution…

VG: Yes, let's aim for a call in October.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/09/09 14:59:43 $
