See also: IRC log
<inserted> scribenick: wseltzer
Virginie: Co-chair of Web Security Interest Group
Virginie: Thanks for joining us
... I had some slides, then the projector power died
... We revived the WebSec IG last year
... in response to security requests coming from W3C WGs
... Mission is to discuss security topics; not to produce recs.
... Build a community, discuss topics of interest, take actions.
<virginie> https://www.w3.org/Security/wiki/IG
Virginie: Requested to do security reviews, evaluate mobile security
<virginie> http://www.w3.org/Security/wiki/IG/W3C_security_roadmap
Virginie: understand security model, build roadmap
... High expectations, but less ability to deliver
... [noting points from http://www.w3.org/Security/wiki/IG/W3C_security_roadmap ]
... Information-sharing
... September was workshop season
... Permissions, WebCrypto vNext
<rigo> There is still Workshop season: http://www.w3.org/2014/privacyws/
<virginie> FYI : permission workshop report is here : http://www.w3.org/2014/07/permissions/
<hadleybeeman> wseltzer: It was not a formal workshop, more a meeting of the sysops working group — talking about ways to standardise asking for/granting/scoping permissions.
<hadleybeeman> ... Dave Raggett is planning to recap that in a session on Wednesday.
<hadleybeeman> ... For capabilities that go beyond the normal in a browser, where a user might want to control whether the web app has access to sensors or data in a secure storage —
<hadleybeeman> ...— it should be able to ask the user for permission. One time? Hybrid? How does the permission persist?
<hadleybeeman> ... Do we now have enough experience across capabilities and across browsers and devices to form some best practice/standard? And if so, who should do it?
<hadleybeeman> ...It will at least partly be here in Security because the user might be tricked into doing something they don't want, or the web app might not get the capabilities it needs if it doesn't ask accurately
<hadleybeeman> ...How do we balance usability, functionality, performance etc?
<fjh> W3C Workshop on Privacy and User-Centric Controls
-> http://www.w3.org/wiki/TPAC2014/SessionIdeas#Trust_and_Permissions_in_the_Open_Web_Platform DSR's session proposal for Wednesday's unconference: Trust and Permissions
<fjh> http://www.w3.org/2014/privacyws/
<fjh> workshop with deadline for position papers Friday, please let me know if interested
<fjh> 20-21 Nov, Berlin
Rigo: Stemming from work of DT and Mozilla on understandable user controls
... I presented research in Pisa: we need to care more about UI
Virginie: WebCrypto vNext workshop
http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/
scribe: What comes after WebCrypto gives crypto primitives to web developers
... Discussed authentication challenges, secure tokens, trusted execution environments, secure tokens -- how to use them on the Web
... input to rechartering of WebCrypto WG
http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/report.html
virginie: There's lots of interest in Security
... 70 people at webcrypto workshop
... so, how do we transform ideas into deliverables?
fjh: Focus and prioritization
... where should it lie?
... Is key management, hardware crypto, environment?
virginie: WebCrypto WG, after publication of v1, will work on new algorithms
... hw tokens, certificate management
... hardware-protected or strong software-protected keys
... Web Security IG hasn't been able to set priorities, because we're looking for contributors
... We're trying to do reviews, but not finding volunteers
<virginie> http://www.w3.org/Security/wiki/IG/W3C_spec_review
<Zakim> hadleybeeman, you wanted to ask about use cases
hadleybeeman: Wiki has a list of topics. Does the IG have a set of use cases?
virginie: We're trying to build a community of people willing to take on cases
rigo: STREWS has written a WebRTC security report
virginie: What should the IG do?
fjh: Focus could help
Virginie: what are you in the room interested in doing?
christine: Some thoughts from the Privacy Interest Group's experience (PING)
... e.g. develop guidance that can readily be used by other groups
... one group can't review everything
<bhill2> is there anyone on irc who was dialed-in to 92794# Zakim and wants us to re-start the bridge?
<JeffH_> one small group
christine: one thing we've found helpful is to have iterative discussions with chairs or WG members of groups seeking guidance
... PING meets Friday, join us
... Guidance: Fingerprinting, privacy considerations for web protocols, spa: spec privacy assessment
... Do we do security guidance at the same time as privacy? together?
virginie: we started an effort to write security consideration guidance
<hadleybeeman> wseltzer: As technology and society domain lead now in W3C, we keep hearing from the public that Web Security is important. We need to improve it. But we need your help in focusing how we do that.
<karen_od> +q
<virginie> FYI : beginning of a draft of a try of guideline for security recommendation section https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
<hadleybeeman> ...We know this is an ecosystem problem. We think W3C is a good point to bring people together to solve web security, improve it.
<hadleybeeman> ...Should we put calls out to volunteers? Or do we need a more focused effort? A group that looks more like the TAG?
<hadleybeeman> ...Do we need you to ask your AC reps to ask W3C to prioritise this, put more resources onto it? Or less effort onto it?
Kevin_Hill: 1st call to action could be to develop the focus, MS has someone who would help
karen_od: TAG has started discussions. What's happened there?
virginie: some people think TAG + editors is enough to do security review; others think there needs to be an external review
bhill: a TAG or Security TAG sounds like a good idea
... a more formal organization, visibility, prestige, can give people accountability
<Zakim> hadleybeeman, you wanted to advocate a working group -- with a lot of dependencies
hadleybeeman: I'd like us to focus on the things we can build
... that's why I'd say a WG
... we could easily talk for 10 years, without making something concrete
<rigo> scribenick: rigo
wseltzer: we are trying to get some focus and not just talking. WebAppSec is doing a lot of concrete specs for web application
<hadleybeeman> wseltzer: That is where we're trying to get some focus, rather than just talking. We have Web Apps Sec WG producing concrete specs.
<scribe> scribenick: hadleybeeman
UNKNOWN_SPEAKER: Are there other pieces to add to this road map? Can we see other places where the road is insecure?
<scribe> scribenick: wseltzer
brutzman_: EXI has some specific concerns
... just posted to the mailing list, security considerations around canonicalization
... and digital signatures
rigo: European research scene has multiple roadmapping projects
... 6-8 months out
... how about security of linked data?
<brutzman_> ... for Efficient XML Interchange (EXI) https://www.w3.org/XML/Group/EXI/
rigo: we haven't talked about that at all
terri: It's been very hard for me to get time allocated without a roadmap
<rigo> also we haven't talked about Linked data security at all so far. And this is a pressing need.
terri: because it seemed too unstructured
... we need more structure in order to get volunteers.
<JeffH_> observes that W3C historically hasn't prioritized security -- eg not requiring Recommendations to have (well-crafted) security considerations sections -- also web sec experts per se don't seem to inhabit w3c working groups (in general, there's exceptions of course), plus there isn't a security-oriented community a la IETF SAAG folk -- and so also w/o top-down security emphasis such as that that occurred in the IETF in the mid-to-late 1990's (eg: every RFC SHA[CUT]
<JeffH_> a sec cons section..." -- also there's OWASP where web sec folk seem to hang out -- is there some way to cross-fertilize between W3C and OWASP?
virginie: Takeaways, let's focus, work with PING
... test the idea of a security TAG
terri: had some conversations with OWASP
bhill: there are lots of potential people who aren't W3C members
... consultancies see they're already volunteering their people's time, why also pay membership?
... other ways to interact?
christine: PING hopes to have a breakout Wednesday on privacy considerations for web protocols
... participate, because there are overlaps between privacy and security
... and PING is also meeting Friday
virginie: Thanks WebAppSec for sharing your room
<christine> starting early - 8:30 am
virginie: We'll schedule another call soon
<virginie> thanks !
<Siva> Joining late...is the discussion still alive?
<JeffH_> test
Scribes: wseltzer, rigo, hadleybeeman
Date: 27 Oct 2014
Minutes: http://www.w3.org/2014/10/27-websec-minutes.html