12:54:40 RRSAgent has joined #websec
12:54:40 logging to http://www.w3.org/2016/05/03-websec-irc
12:54:42 Zakim has joined #websec
12:54:49 Meeting: Web Security Interest Group
12:54:53 Chair: Virginie Galindo
12:58:03 USA - Belcamp +12153674444, with Conference ID: 68835794
12:59:16 weiler has joined #websec
12:59:27 present+ wseltzer
12:59:37 present+ virginie
13:03:38 jusk has joined #websec
13:03:53 hello virginie, how are you?
13:04:04 for your information, bridge details are USA - Belcamp +12153674444, with Conference ID: 68835794
13:06:17 chaals has joined #websec
13:06:18 present+
13:08:23 present+ christine
13:08:34 zakim, who is here?
13:08:34 Present: wseltzer, virginie, weiler, christine
13:08:36 On IRC I see chaals, jusk, weiler, Zakim, RRSAgent, virginie, MartinP, wseltzer, schuki_
13:08:50 agenda+ exchange on security news inside and outside the W3C
13:08:56 agenda+ discuss potential questions which are out of scope of the other security related WG (aka, web app sec and web crypto)
13:09:04 hello jusk, who are you :)
13:09:31 hello, i'm jusk
13:09:40 an independent security researcher
13:09:49 welcome
13:09:57 thank you
13:09:58 thanks for joining, jusk !
13:10:43 chaals, any number you would like to have (depending on where you call: Madrid? Russia? Australia? South Korea?)
13:11:03 agenda?
13:12:24 present+ Chaals-as-leader
13:12:56 virginie: Welcome all
13:13:17 virginie: I've been hearing a lot about the need for security in W3C
13:13:39 ... security conversations are happening in several places, WebAppSec WG, WebCrypto WG, etc.
13:14:04 ... Need a place to get overview and to host the security reviews
13:14:18 ... Let's start with introductions
13:15:22 wseltzer: Wendy Seltzer, Technology & Society Domain Lead, W3C
13:15:43 weiler: Sam Weiler, I'll be supporting WebAuthn, other security & privacy
13:15:48 ... come from IETF security work
13:15:54 ... DNS, routing security
13:16:12 christine: Christine Runnegar, ISOC, co-chair W3C PING
13:16:48 chaals: Charles McCathie Nevile, chair Web Platform WG, Yandex
13:17:05 virginie: Virginie Galindo, chair WebSec IG and WebCrypto
13:17:17 ... co-chairing Hardware-Based Secure Services CG
13:18:21 ... Some thoughts: security reviews
13:18:30 ... TAG and WebAppSec started self-review questionnaire
13:18:46 https://github.com/w3ctag/security-questionnaire
13:18:59 wiki https://www.w3.org/Security/wiki/IG
13:19:25 New features: https://www.w3.org/Security/wiki/IG/W3C_security_roadmap
13:20:31 virginie: securing resources
13:20:49 virginie: (reviewing https://www.w3.org/Security/wiki/IG/W3C_security_roadmap )
13:21:29 virginie: What do you think W3C needs to address, that we're not currently doing?
13:21:34 q+
13:21:55 q+
13:22:00 w3.org/Security
13:22:16 with the roadmap https://www.w3.org/Security/wiki/IG/W3C_security_roadmap
13:22:37 ack ws
13:22:45 https://www.w3.org/Security/
13:23:06 https://github.com/w3c/websec/blob/gh-pages/security-roadmap.md
13:23:24 ack ch
13:23:25 -> https://www.w3.org/Security/wiki/Accessibility some stuff
13:24:05 chaals: accessibility and security in the wiki
13:24:23 ... another issue arose re passwords in ARIA
13:24:49 ... lots of issues in security if you're using accessibility tech
13:25:09 ... separate issue, lots of security issues where things don't actually work
13:25:23 ... e.g., password input field in HTML, no indication to user
13:25:57 ... pieces of security infrastructure that might give false sense of security
13:26:15 q?
13:26:41 virginie: ARIA conversation that concluded on WebAppSec mailing list
13:26:55 christine has joined #websec
13:27:24 ... problem about describing security information to user
13:27:49 ... conveying information accessibly without changing its integrity
13:28:11 ... UA needs to share info on execution context
13:29:19 q+
13:30:27 q+
13:30:38 ack wse
13:30:58 ack chr
13:31:05 q+ to comment on process
13:31:27 wseltzer: specs need privacy and security review to move forward; Director will be looking for privacy and security considerations at transitions
13:31:43 ... so maybe more of those interested in specs will join us to help do those reviews
13:32:12 christine: One thing that's worked well for PING is inviting the groups (editors, chairs) to join PING for conversation about what they're trying to achieve
13:32:17 ... and the privacy considerations involved
13:34:00 virginie: where is the follow up?
13:34:07 christine: resourcing is a challenge for us too
13:34:35 ... ideally, we'd finish PING privacy questionnaire, ask groups to complete it before coming to us
13:35:38 to schuki_ you might join with Conference ID: 68835794 United Kingdom +441489557119
13:36:46 q+
13:37:14 ... do we need a security directorate?
13:37:39 q+
13:37:42 q+
13:37:54 ack virginie
13:37:54 virginie, you wanted to comment on process
13:39:08 ack ch
13:39:39 chaals: I represent a big org with security experts; but many of them aren't involved with W3C
13:39:52 ... it's easier to get someone who can do some spec work than security work
13:40:16 ... and the problem with mandatory security reviews is a disincentive to do work
13:40:33 ... how can we make it easy for security people to look at the work
13:40:35 ... ?
13:41:06 ... non-security people have to help in framing questions security people can respond to
13:42:23 ... how do we describe things that look scary, to motivate people?
13:42:26 ack wei
13:42:28 qq+
13:42:35 q+
13:42:56 s/how do we/can we easily/
13:43:16 weiler: in IETF security reviews, valuable piece was security reviewer asking questions the spec author hadn't thought of
13:43:26 ... why are you doing this? how does it work?
13:43:42 ... Q for W3C veterans: how important is face-time?
13:43:43 q+
13:44:18 [IMHO building a relationship based on physical interaction is really helpful]
13:46:25 virginie: we look for opportunities for informal meetings around other W3C meetings, e.g. TPAC
13:47:40 virginie: WGs haven't been so responsive when sending specs for security review, to explain the spec
13:47:57 q-
13:48:05 ack v
13:48:08 ack ch
13:48:09 ack virginie
13:48:41 chaals: F2F time is valuable to build community of people accountable to one another
13:49:13 q?
13:49:18 q+
13:49:51 virginie: perhaps set up joint call with WG requesting review
13:49:53 q+
13:50:33 virginie: Christine, how does PING questionnaire work with TAG's?
13:50:40 q-
13:50:51 Q+
13:50:53 q-
13:51:11 wseltzer: what can we learn from IETF security considerations?
13:51:33 weiler: we started with a list of likely reviewers who'd been meeting over lunchmat physical IETF meetings
13:51:38 s/lunchmat/lunch at/
13:51:48 ... about 2/3 were willing to do reviews
13:52:20 ... pre-build a list of possible "victims" who you want to ask to help
13:52:39 ... also helps to know that if there is no response to the review, the document will be blocked
13:52:50 ... you at least need to respond, even if the review was entirely wrong
13:53:41 ... by design, we didn't require specific expertise
13:53:44 ... to encourage breadth
13:54:18 ... start by reading the privacy and security considerations sections, to see if they needed to read the whole thing
13:54:34 ... workload: giving reviewers one document every 6-8 weeks, not a huge burden
13:54:51 [note: virginie does not see security review in the W3C process https://dvcs.w3.org/hg/AB/raw-file/default/cover.html]
13:55:13 [note: the director requires it in charters and reviewing docs in transitions]
13:55:20 weiler: no checklist
13:55:27 ... some guidance documents
13:55:46 q+
13:56:02 q?
13:56:57 draft process for review https://www.w3.org/Security/wiki/IG/W3C_spec_review
13:57:11 apologies, I have to join another call
13:57:33 q?
13:57:36 ack ch
13:57:43 q- ch
13:58:37 q+
13:58:38 q+
13:58:56 wseltzer: the director requires security & privacy considerations in charters, at transitions
13:59:22 virginie: we should put it into the process too
13:59:24 ack chaals
13:59:26 q-
13:59:49 chaals: better to put it into charters as requirements, than to put it in process
14:00:02 ... talk to the director
14:00:44 ... also, process is harder to fix
14:00:55 s/fix/get right/
14:02:39 [the intersection of security and accessibility is very interesting]
14:05:28 zakim, list attendees
14:05:28 As of this point the attendees have been wseltzer, virginie, weiler, christine, Chaals-as-leader
14:05:32 zakim, bye
14:05:32 leaving. As of this point the attendees have been wseltzer, virginie, weiler, christine, Chaals-as-leader
14:05:32 Zakim has left #websec
14:05:37 rrsagent, make minutes
14:05:37 I have made the request to generate http://www.w3.org/2016/05/03-websec-minutes.html wseltzer
14:26:08 weiler has left #websec
14:28:48 rrsagent, make logs public
14:28:52 rrsagent, make minutes
14:28:52 I have made the request to generate http://www.w3.org/2016/05/03-websec-minutes.html wseltzer