BEGIN:VCALENDAR VERSION:2.0 PRODID:-//Sabre//Sabre VObject 4.5.8//EN CALSCALE:GREGORIAN LAST-MODIFIED:20260427T174344Z BEGIN:VTIMEZONE TZID:Europe/Madrid BEGIN:STANDARD DTSTART:20251026T010000 TZOFFSETFROM:+0200 TZOFFSETTO:+0100 TZNAME:CET END:STANDARD BEGIN:STANDARD DTSTART:20261025T010000 TZOFFSETFROM:+0200 TZOFFSETTO:+0100 TZNAME:CET END:STANDARD BEGIN:DAYLIGHT DTSTART:20260329T010000 TZOFFSETFROM:+0100 TZOFFSETTO:+0200 TZNAME:CEST END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:6bd81029-7023-4e06-9a9f-86172ef351cb DTSTAMP:20260427T174344Z SUMMARY:Security Interest Group Plenary Call DTSTART;TZID=Europe/Madrid:20260428T160000 DTEND;TZID=Europe/Madrid:20260428T170000 DESCRIPTION:https://www.w3.org/events/meetings/6bd81029-7023-4e06-9a9f-8617 2ef351cb/20260428T160000/\n\nSecurity Interest Group Plenary call for task assignments.\n\nAgenda: https://github.com/w3c/securityig/tree/main/meeti ngs\n\nAgenda\n\n* **Administrivia**\n * Scribe volunteer(s) or Zoom AI?\ n * Reminders:\n * [Interest Group Membership](https://www.w3.org/grou ps/ig/security/)\n * [W3C Code of Conduct](https://www.w3.org/policies/ code-of-conduct/)\n\n* **Participants Introduction (2 minutes roundtable)* *\n\n* **Next meetings**\n * 12 May 2026\n * 26 May 2026\n\n* **Security Topics**\n\n * **WebMCP: Threat Modeling Approach**\n * Issue: [webma chinelearning/webmcp#154](https://github.com/webmachinelearning/webmcp/iss ues/154)\n * Security and privacy considerations: [Security and Privacy Considerations for WebMCP](https://github.com/webmachinelearning/webmcp/b lob/main/docs/security-privacy-considerations.md)\n * What are we worki ng on: [Readme file](https://github.com/webmachinelearning/webmcp#backgrou nd-and-motivation)\n\n We should discuss the approach on how to work wi th them: (a) filing issues\, or (b) we should be to reverse-engineer the i mplicit threat model from the current security and privacy considerations. A possible outcome is an hybrid approach: file a small number of clear se curity issues if something arises\, while recommending a compact threat-mo deling note to guide the broader review. \n\n* **Security Reviews**\n\n * **Devices and Sensors WG 2026 Charter review**\n * Issue: [w3c/strateg y#530](https://github.com/w3c/strategy/issues/530)\n * Draft charter: [ [DRAFT] Devices and Sensors Working Group Charter](https://w3c.github.io/c harter-drafts/2026/das-wg-charter.html)\n * Background reading: [Periph eral Instinct: How External Devices Breach Browser Sandboxes](https://misc 0110.net/web/files/peripheralinstinct_www25.pdf)\n\n The proposed Devic es and Sensors WG charter should be reviewed with particular attention to APIs that expose device capabilities or persistent device state. The *Peri pheral Instinct* paper has a useful analysis: low-level web access to peri pherals can shift the trust boundary from a trusted host operating system to a potentially malicious web origin\, with effects that may survive the browser session and cross the ordinary browser sandbox boundary. Should we require a threat model during chartering to understand if the residual th reas are accettable? \n\n * Reviews that need volunteer(s):\n * [specs ](https://github.com/w3c/security-request/issues?q=is%3Aissue+is%3Aopen+no %3Aassignee+)\n * [charters](https://github.com/w3c/strategy/issues?q=i s%3Aissue+is%3Aopen+label%3A%22Horizontal+review+requested%22++-label%3A%2 2Security+review+completed%22+-label%3ACouncil)\n\n* **Community / coordin ation**\n * **Threat Modeling Sessions**: We have [DID and RDF](https://w ww.w3.org/groups/cg/tmcg/calendar/)\, maybe adding a session for us to wor k on WebMCP? STATUS:CONFIRMED CREATED:20260427T174343Z LAST-MODIFIED:20260427T174344Z SEQUENCE:1 ORGANIZER;CN=W3C Calendar;PARTSTAT=ACCEPTED;ROLE=NON-PARTICIPANT:mailto:nor eply@w3.org ATTENDEE;CUTYPE=GROUP;ROLE=OPT-PARTICIPANT;RSVP=FALSE;CN=Security Interest Group:mailto:public-security@w3.org RECURRENCE-ID;TZID=Europe/Madrid:20260428T160000 END:VEVENT END:VCALENDAR