IRC log of websec on 2016-09-21
Timestamps are in UTC.
- 10:05:37 [RRSAgent]
- RRSAgent has joined #websec
- 10:05:37 [RRSAgent]
- logging to http://www.w3.org/2016/09/21-websec-irc
- 10:06:24 [jwehrman]
- jwehrman has joined #websec
- 10:07:02 [RobTrace]
- RobTrace has joined #websec
- 10:07:42 [nadalin_]
- nadalin_ has joined #websec
- 10:08:17 [KLM]
- KLM has joined #websec
- 10:08:33 [wseltzer]
- Meeting: Security Jam
- 10:08:37 [Yoshiro]
- Yoshiro has joined #websec
- 10:08:41 [teddink]
- teddink has joined #websec
- 10:09:02 [kinjim]
- kinjim has joined #websec
- 10:09:05 [weiler]
- weiler has joined #websec
- 10:09:12 [frodek]
- frodek has joined #websec
- 10:09:30 [wseltzer]
- Virginie: an update on the state of security work at W3C, with room for questions and ideas
- 10:09:36 [mikepie]
- mikepie has joined #websec
- 10:09:47 [keiji]
- keiji has joined #websec
- 10:09:48 [QingAn]
- QingAn has joined #websec
- 10:10:04 [brunoj]
- brunoj has joined #websec
- 10:10:52 [fwagner]
- fwagner has joined #websec
- 10:11:37 [wseltzer]
- Virginie: I work for a security company, have been working for 4 years to bring greater visibility to security at W3C
- 10:11:45 [wseltzer]
- ... very important topic
- 10:12:05 [wseltzer]
- ... W3C Groups: WebAppSec, WebCrypto, WebAuthn
- 10:12:13 [jib]
- jib has joined #websec
- 10:12:48 [wseltzer]
- ... also WebSec IG, Hardware Based Secure Services CG
- 10:13:01 [schunter]
- schunter has joined #websec
- 10:13:17 [wseltzer]
- https://www.w3.org/Security/
- 10:16:54 [wseltzer]
- https://www.w3.org/2011/webappsec/
- 10:17:32 [wseltzer]
- CSP, Secure Contexts, Subresource Integrity, Mixed Content, etc.
- 10:17:34 [shigeya]
- shigeya has joined #websec
- 10:17:48 [wseltzer]
- WebCrypto: Aims to move to PR in the next few weeks
- 10:18:13 [wseltzer]
- Virginie: WebSec IG is a discussion group
- 10:18:29 [wseltzer]
- ... we've decided to reshape the group
- 10:18:56 [wseltzer]
- ... place to discuss (incubate) new topics; share information and analysis on web vulnerabilities
- 10:21:10 [wseltzer]
- wseltzer: We will be taking ideas for incubation to CGs or IG, before bringing them to Rec track
- 10:21:42 [wseltzer]
- Virginie: Hardware Based Secure Services https://www.w3.org/community/hb-secure-services/
- 10:22:06 [wseltzer]
- ... hardware for secure credential storage, crypto operations. how do you bridge those to the web
- 10:23:36 [wseltzer]
- ... 2 subjects, secure credential storage + verification of where the credentials are stored
- 10:23:47 [wseltzer]
- ... secure transaction confirmation
- 10:24:38 [wseltzer]
- -> https://rawgit.com/w3c/websec/gh-pages/hbss.html Report Hardware Based Secure Services features
- 10:24:41 [Karima]
- Karima has joined #websec
- 10:25:33 [wseltzer]
- Kepeng: Real Person-linking biometric authentication
- 10:26:27 [wseltzer]
- ... some feedback when I presented to WebSec: some parts covered in WebAuthn
- 10:27:16 [wseltzer]
- Virginie: We've been asking, how does accessibility interface with security? How do we make security features fully accessible
- 10:27:36 [wseltzer]
- nadalin_: has any blockchain or claims work come up?
- 10:29:18 [wseltzer]
- Virginie: blockchain CG
- 10:29:23 [wseltzer]
- ... asked about key recovery
- 10:29:31 [wseltzer]
- ... Also, Web Payments
- 10:30:09 [bhill2]
- bhill2 has joined #websec
- 10:30:18 [wseltzer]
- AdrianHB: Web Payments has 2 parts: Payment Request, Payment App (3rd party processing)
- 10:30:35 [wseltzer]
- ... Payment App will be based on service worker, has to return
- 10:31:03 [wseltzer]
- ... expect there will be service workers using WebAuthn for authentication
- 10:31:30 [wseltzer]
- ... could use Hardware Sec when more mature
- 10:32:44 [wseltzer]
- AdrianHB: it's up to the payment app to decide what to use
- 10:34:02 [wseltzer]
- Virginie: we're working to support other groups -- Security reviews, questionnaire
- 10:34:17 [hwlee]
- hwlee has joined #websec
- 10:34:37 [wseltzer]
- https://w3ctag.github.io/security-questionnaire/
- 10:35:07 [wseltzer]
- https://www.w3.org/TR/security-privacy-questionnaire/
- 10:36:09 [wseltzer]
- Virginie: who wants to do spec reviews?
- 10:36:19 [wseltzer]
- q+
- 10:38:08 [wseltzer]
- q-
- 10:38:42 [wseltzer]
- wseltzer: All spec transitions require security considerations, so if you want a new feature, you need to help us get it reviewed
- 10:39:15 [wseltzer]
- kepeng: In IETF, author needs to get reviews
- 10:40:42 [wseltzer]
- schunter: will it be required in all charters?
- 10:40:53 [wseltzer]
- wseltzer: yes, and it's the WG's responsibility to get reviews
- 10:41:08 [wseltzer]
- Frank: what about overlap between privacy and security questionnaires?
- 10:42:08 [wseltzer]
- AdrianHB: in Payments, we had members of the group do reviews, and it helped to improve the specs
- 10:42:38 [wseltzer]
- ... Mozilla and Yandex reviewers
- 10:43:21 [wseltzer]
- Kepeng: PING created some guidelines, such as fingerprinting guidance. Should WebSec do so?
- 10:43:34 [fwagner]
- Frank: and some kind of categorization like critical / uncritical would help to decide how intensive the review should be
- 10:44:29 [wseltzer]
- AdrianHB: Security guidelines would be valuable from W3C at a spec design level. e.g. questions about where security boundaries are
- 10:44:42 [wseltzer]
- ... origins, paths, cookies,
- 10:45:03 [wseltzer]
- ... guidance to app developers, not just spec developers
- 10:45:22 [wseltzer]
- ... e.g. "if these are your requirements, you need to use origin boundaries"
- 10:46:04 [wseltzer]
- ... guidance or harder push-back against non-origin boundaries
- 10:46:24 [wseltzer]
- dveditz: and WebAppSec is defining suborigins
- 10:46:57 [wseltzer]
- ... service worker isn't using the path as a security boundary, but for code separation
- 10:47:15 [wseltzer]
- AdrianHB: as a developer, I might think the scope is the security boundary
- 10:47:24 [wseltzer]
- ... help get shared understanding of the design decisions
- 10:48:07 [wseltzer]
- wseltzer: Good feedback for Ralph in A&T function
- 10:48:55 [weiler]
- weiler has joined #websec
- 10:49:27 [wseltzer]
- Virginie: I didn't hear new features here, but more support for spec authors and web developers
- 10:49:59 [wseltzer]
- drogers: do we have responsible disclosure at W3C site?
- 10:50:24 [wseltzer]
- ... on the standards
- 10:50:35 [wseltzer]
- ... 3GPP is working on
- 10:51:05 [wseltzer]
- AdrianHB: for Hardware Security, blockchain payments require ability to use stored private key to sign transactions
- 10:51:51 [wseltzer]
- ... and using the details relevant to the specific blockchain
- 10:51:53 [frodek]
- frodek has joined #websec
- 10:53:59 [wseltzer]
- rrsagent, make minutes
- 10:53:59 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/09/21-websec-minutes.html wseltzer
- 10:54:04 [wseltzer]
- rrsagent, make logs public
- 10:54:06 [wseltzer]
- rrsagent, make minutes
- 10:54:06 [RRSAgent]
- I have made the request to generate http://www.w3.org/2016/09/21-websec-minutes.html wseltzer
- 11:32:18 [bhill2]
- bhill2 has joined #websec
- 11:41:02 [keiji]
- keiji has joined #websec
- 11:57:10 [shigeya]
- shigeya has joined #websec
- 11:59:15 [weiler]
- weiler has joined #websec
- 12:01:47 [bhill2]
- bhill2 has joined #websec
- 12:08:56 [Karima]
- Karima has joined #websec
- 12:12:55 [schunter]
- schunter has joined #websec
- 12:16:53 [fwagner]
- fwagner has joined #websec
- 12:19:17 [frodek]
- frodek has joined #websec
- 12:19:53 [frodek]
- frodek has left #websec
- 12:54:34 [keiji]
- keiji has joined #websec
- 13:02:48 [fwagner]
- fwagner has joined #websec
- 13:03:09 [schunter]
- schunter has joined #websec
- 13:04:41 [Karima]
- Karima has joined #websec
- 13:13:02 [keiji]
- keiji has joined #websec
- 13:16:43 [bhill2]
- bhill2 has joined #websec
- 13:27:13 [schunter]
- schunter has joined #websec
- 14:29:08 [Karima]
- Karima has joined #websec
- 14:38:51 [Karima]
- Karima has joined #websec
- 14:45:19 [Karima]
- Karima has joined #websec
- 14:58:04 [Karima]
- Karima has joined #websec
- 15:26:23 [bhill2]
- bhill2 has joined #websec
- 15:35:29 [schunter]
- schunter has joined #websec
- 15:41:26 [Karima]
- Karima has joined #websec
- 15:45:00 [chaals]
- chaals has joined #websec
- 15:48:37 [Karima]
- Karima has joined #websec
- 16:08:15 [Karima]
- Karima has joined #websec
- 16:52:05 [schunter]
- schunter has joined #websec
- 16:56:54 [bhill2]
- bhill2 has joined #websec
- 17:22:26 [Karima]
- Karima has joined #websec
- 18:21:57 [keiji]
- keiji has joined #websec
- 18:49:20 [keiji]
- keiji has joined #websec
- 20:01:04 [bhill2]
- bhill2 has joined #websec
- 20:37:20 [Karima]
- Karima has joined #websec
- 20:38:10 [Karima]
- Karima has joined #websec
- 20:56:31 [schunter]
- schunter has joined #websec
- 20:57:15 [schunter]
- schunter has left #websec
- 21:43:09 [bhill2_]
- bhill2_ has joined #websec
- 22:01:17 [bhill2]
- bhill2 has joined #websec
- 22:19:53 [bhill2_]
- bhill2_ has joined #websec
- 22:21:46 [bhill2]
- bhill2 has joined #websec
- 22:22:24 [bhill2]
- bhill2 has joined #websec
- 22:23:22 [bhill2_]
- bhill2_ has joined #websec