<scribe> scribenick: weiler
virginie: invitation to introduce yourselves.
engelke: active in webcrypto
nickrmc: interest in webappsec
dezell: cochair of web payments. represent assn of convenience stores.
AndersR: individual inventor in areas of authentication and security on web
alex: interest in security models / provability
weiler: came to w3c ~4 mo ago; background in IETF
virginie: see email on the list
https://lists.w3.org/Archives/Public/public-web-security/2016Sep/0016.html
... any agenda changes?
... websecig has low activity; charter is due for renewal.
... despite low activity, think this IG is very valuable.
... to have a forum for things outside of current WG charters,
and as a home for security reviews
... W3C still sees security as an important topic; this was
demonstrated during the last AC mtg.
... low investment of the members in this IG. lots of efforts
into existing WGs, but not prospective work
chaals: new topic: accessibility
of security / UI. many normal people don't understand security.
if you don't have UI that they recognize and understand, you
fail to provide what they need
... much work done there falls down on accessibility. users w/
alternative access methods may not see the security UI
bits.
virginie: during last websecIG
call, we discussed this.
... chaals: are you suggesting we gather people in
accessibility in security? What is your request?
chaals: other way around: when we
review stuff, and when we put forward an idea, it's important
that we seek out accessibility people and ask them if it
really works
... e.g. indicators in browsers, for screen reader users and
screen magnification users.
... can't even tell icon is there.
... extended validation certificates: there was agreement re:
UI bits for those, but may not be clear to the visually
impaired.
... that's a clear failure in most browsers
virginie: chaals: is there overlap between what you just mentioned and the current security questionnaire?
<Zakim> chaals, you wanted to talk about accessibility of security as a topic to raise.
<virginie> https://www.w3.org/2016/08/2016-reorg.html#h.icr45wucrm9i
virginie: W3C is doing internal
reorg.
... security will fall under A&T / Ralph
... horizontal review will fall there.
... inviting weiler to clarify
weiler: impression that all
security bits will be under A&T / Ralph not accurate.
... functional organization doesn't really say where skills and
expertise will be; I may be in strategy organization under
Wendy
... not sure who websecig team contact will be
... reviews will be under A&T / Ralph
... WG management will be under Philippe / Project Mgmt
virginie: going through slide pack, describing webauthn.
<AndersR> the writeup showed a topic from Alibaba, is there a spec or similar?
virginie: web crypto...
webappsec
... webappsec is efficient. is the core of security activities
in W3C.
... impression is that secure contexts WD is the most active of
theirs
<chaals> scribe: chaals
DE: Good summary. The group has
focused on an API that can be used in the browser - and they
are about to publish a companion HTTP API that allows for
agents to work with payments.
... as far as security is concerned we have had a task force
look at what we are doing.
... and working on verifiable claims - basically all about
security. There is a developing proposal to create a W3C
Working Group.
... Also at ISO, there is a lot of work to bring North America
in line with ISO-20022 which a lot of the rest of the world
works with.
... The approach is like a kitchen sink spec - everything that
is related is being put into one giant spec.
VG: Short status on
Hardware-based services CG. Designing "secure services" -
executed in devices or dedicated tokens that provide
confidentiality.
... e.g. USB key.
... CG isn't delivering a standard, but writing the use cases
and demonstrating that there are feasible technical solutions,
to convince W3C members that it is worth creating a working
group on this.
... They have finished their initial report, focused on how to
provide secure transaction confirmation and secure credential
storage.
-> https://rawgit.com/w3c/websec/gh-pages/hbss.html CG report
scribe: Next steps are to socialise these ideas through the membership.
alex_ber: Is it possible to join the CG?
VG: Yes, anyone can join.
<virginie> Community group page, with joining information
VG: Note that also sometimes things people do in the Privacy Interest Group is related.
<AndersR> https://www.w3.org/community/browserext/
AR: Browser extensions CG group
are working with things that are security related.
... this work generally goes beyond what browsers normally
allow, i.e. loosening security restrictions to provide
functionality
VG: Active?
AR: Yes.
... meeting at TPAC.
VG: Who will be there?
CMN: I will be there but *very* busy in general...
DE: I will be there.
VG: I have created a "security Jam" for Wednesday, hopefully jointly with Sam and Wendy.
AR: I will be at TPAC - e.g in the browser extension meeting
VG: How do we help people think carefully themselves, and do some useful review of their own work for security.
<virginie> security and privacy questionnaire
VG: this is intended to help
people consider the important questions they should be taking
into account when they are designing technology.
... this has also been discussed in various other places. What
about creating an "expert group" to help with security reviews.
The answer seems to be that we allow Working Groups to be
autonomous and develop good skills for security, but seek to
provide some backup expertise available for opportunistic
review.
... So don't try to systematically review everything, but
answer specific questions. This means we need to know how
useful the questionnaire is.
... we need to find people who are ready to answer questions if
they come in.
... So how would we do that, who would be able to support such
work?
CMN: We would like to provide some support, but we are hoping that questions come to the mailing list, and that the IG takes responsibility to collect what has gone back and forth to try and make it more digestible.
VG: Yes, that seems to be what happens so far. Don't want to make a complex structure for a small number of people and questions.
<virginie> +1
VG: who expects they can provide general backing to answer security questions that arise on this list?
+1
<engelke> 0
<nick-smith> +1
[The process we are likely to use is to collect the questions here, redirect them internally, and see if we can bring something back]
VG: This goes further than Web Authentication, by actually connecting authorisation to something that e.g. guarantees there is a real person associated with an identity - whether or not that person is actually positively identified.
VG: Are there other topics that we should be writing about, or discussing, related to security
[crickets]
scribe: OK, so we can finish a
few minutes early.
... I wanted to review some breaches that have occurred, but
didn't have time to prepare. What about talking about it in a
couple of months?
... and a debrief on TPAC?
CMN: Can we have the debrief in a month? Breach explanations are interesting if you haven't already understood the problem and solution…
VG: Yes, let's aim for a call in October.