12:07:14 RRSAgent has joined #web-and-cra 12:07:18 logging to https://www.w3.org/2026/03/25-web-and-cra-irc 12:07:18 RRSAgent, do not leave 12:07:19 RRSAgent, this meeting spans midnight 12:07:19 RRSAgent, make logs public 12:07:21 Meeting: Proposal for Foundational Structural Re-Alignment of EN 304-617 in the Context of the Web Security Model and CRA 12:07:21 Chair: Giovanni Corti, Luca Lumini, Simone Onofri 12:07:21 Agenda: https://github.com/w3c/breakouts-day-2026/issues/20 12:07:21 Zakim has joined #web-and-cra 12:07:22 Zakim, clear agenda 12:07:22 agenda cleared 12:07:22 Zakim, agenda+ Pick a scribe 12:07:24 agendum 1 added 12:07:24 Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy 12:07:24 agendum 2 added 12:07:25 Zakim, agenda+ Goal of this session 12:07:26 agendum 3 added 12:07:26 Zakim, agenda+ Discussion 12:07:26 agendum 4 added 12:07:26 Zakim, agenda+ Next steps / where discussion continues 12:07:27 agendum 5 added 12:07:27 Zakim, agenda+ Adjourn / Use IRC command: Zakim, end meeting 12:07:27 agendum 6 added 12:07:27 breakout-bot has left #web-and-cra 13:47:20 simone has joined #web-and-cra 13:48:22 corti has joined #web-and-cra 13:49:06 q+ 13:49:12 ack s 13:53:29 RRSAgent, pointer? 13:53:29 See https://www.w3.org/2026/03/25-web-and-cra-irc#T13-53-29 13:59:50 corti has joined #web-and-cra 14:13:58 present+ Giovanni, Eshant, Simone 14:16:30 scribe+ 14:16:47 Topic: Background Information 14:17:18 Slides: https://docs.google.com/presentation/d/1OapeUcIkXvXAtqmtcchh4HfSYIblMSTPNGfNz8lQ3Zs/edit?ouid=100636309240434757393&usp=slides_home&ths=true 14:17:26 [slide 2] 14:21:59 Topic: Brief overview 14:22:01 [slide 3] 14:23:50 Link: https://labs.etsi.org/rep/stan4cra/en-304-617/-/issues?show=eyJpaWQiOiI5IiwiZnVsbF9wYXRoIjoic3RhbjRjcmEvZW4tMzA0LTYxNyIsImlkIjozMzA1fQ%3D%3D 14:25:17 Topic: Feedback of our feedback 14:25:17 [slide 4] 14:25:56 Topic: This session... 14:25:56 [slide 5] 14:27:10 Topic: First and foremost 14:27:10 [slide 6] 14:27:33 [slide 7] 14:28:40 Topic: Scope 14:28:40 [slide 11] 14:28:40 [slide 12] 14:32:27 Eshan: my understanding is that is the scope there is the browser is overlapping with the AI Act, and User Agent, does this definition include those terms, e.g. agentic things? 14:35:17 Simone: good question, the question is that if you have browser (defined by law: https://labs.etsi.org/rep/stan4cra/en-304-617/-/blob/main_publish/EN_CRA_Vertical_Harmonised_Standard_Skeleton_draft.md?ref_type=heads#1-scope) 14:37:29 ... and we can use the newer definition of the scope after the reboot: 14:37:29 ... [[ Software products with digital elements that enable end users to access, render, and interact with web content and services hosted on servers that are connected to networks such as the Internet. They typically include a browser engine for interpreting and displaying content written in markup language (e.g. HTML), support for web protocols 14:37:29 (e.g. HTTP, HTTPS), the ability to execute scripts and manage user inputs as well as storage of temporary or persistent data from websites (cookies). 14:37:29 ... This category includes but is not limited to standalone applications that fulfil the functions of browsers, embedded browsers intended for integration into another system or application as well as browsers with AI agent integration.]] 14:38:29 Corti: it is also important to link this is only for CRA, not for AI Act, but I can talk to ETSI group about this 14:39:26 Topic: Clause 4 14:39:26 [slide 13] 14:40:09 Giovanni: we proposed an approach based on Threat Modeling, as CRA is risk-based 14:41:43 ... as threat modeling is the best way for a product to understand the threats connected to a product 14:41:43 ... and also this will help them, but we're working in W3C on the Threat Model for the Web, that can also help them 14:42:00 https://w3c.github.io/threat-model-web/ 14:42:27 [slide 14] 14:42:46 Topic: Top-down approach 14:42:46 [slide 16 14:42:54 s/16/16]/ 14:43:46 Giovanni: in summary, they should start from the legal hook, then understand how this impact a Web Browser 14:44:20 ... and also if a requirement is defined in another specification, the idea is to tell them to refer the other spec 14:44:24 [slide 17] 14:45:21 ... this is an idea on the reboot work I am doing, legal hook, vermatim text, the section of the reboot of the standard, and if the actual skeleton is missing something 14:46:40 Topic: Sum up 14:46:40 [slide 18] 14:47:11 Topic: Q&A 14:47:11 Giovanni: What do you think about of the highlights? Something more that we can do? 14:48:36 Eshan: my feedback, as a personal opinion, is another question, which is the most useful TAG document you would like? 14:54:28 Simone: There is maybe a lack of the web security model, there are some connections 14:54:28 Eshan: Design principles can also be useful for the requirements 14:54:28 Simone: yes, also this is why we should speedup the work on the Threat Model for the Web, having a draft we're happy to share with TAG and work with TAG 15:03:47 Eshan: Another point is about adversting, it is that covered? 15:03:47 Simone: there is something on data minimization, so it can be covered 15:04:11 RRSAgent, draft minutes v2 15:04:12 I have made the request to generate https://www.w3.org/2026/03/25-web-and-cra-minutes.html simone 16:16:56 tidoust has joined #web-and-cra 16:22:46 RRSAgent, bye 16:22:46 I see no action items