PING - informal chairs' summary - 30 January 2014

Regrets: Wendy Seltzer
Thank you to Rich Tibbett from the Device APIs WG for joining us to discuss the draft Network Services Discovery specification. Thanks also to Nick Doty for scribing once more.

Our next call will take place on 13 March 2014 at 16:00 UTC. Please mark your calendars.

1. Network Services Discovery specification
Rich Tibbett, from the Device APIs WG, gave a detailed overview of the Network Services Discovery draft specification [1], in order to explore its privacy and security considerations. Network Services Discovery is a mechanism for an HTML document to discover and communicate with advertised HTTP-based services; the idea was to provide a means by which a developer can request a well-known service type in order to communicate with services on different devices. Rich indicated that there are some privacy and security concerns, notably around exposing unsafe devices (and there is a wide range of networked devices). Some measures have already been proposed, such as a requirement that services not be exposed by the browser; a provisioning prompt for users to select which services they want to share (like permissioning in a Web browser); and limited persistence of permissions (e.g., revoked if the page is reloaded or the user navigates away from the page), but Rich is soliciting a more thorough review of the privacy concerns. Note that the most useful version of the document to review is the editor’s draft [2]. Of particular note is the issue of leaking local IP configuration [3] (this issue also applied to the WebRTC specification); obfuscating IP addresses may not be a productive approach, so Rich welcomes further suggestions on how to deal with this problem.

2. WebID specs
Henry Story informed PING about the new release of a series of specifications from the WebID Community Group [4], to which preliminary privacy and security sections have been added. Henry invited feedback from PING on those sections. 

3. Other documents in progress
Reviews are ongoing for a number of documents:

* Fingerprinting Guidance for Web Specification Authors [5]
* Privacy Considerations for Web Protocols [6]
* Privacy Considerations and SPA [7]
* EME [8] and getUserMedia [9]

Comments are welcome on all the documents. Frederick Hirsch offered to provide some comments on the Fingerprinting Guidance document. EME and getUserMedia could benefit from further review. Joe Hall has already contributed to this effort, and suggests we might try to come up with a more systematic way of conducting reviews. Joe, along with Frank Dawson, has offered to host a working meeting, on Friday 7 March 2014 at CDT in Washington, DC from 13:30-16:30 to work on this review process. 

4. Other meetings of interest
As mentioned in the December call, the W3C and the IAB are holding a workshop adjacent to IETF 89 on "Strengthening the Internet Against Pervasive Monitoring" (STRINT), on 28 February and 1 March 2014 (https://www.w3.org/2014/strint/).

There will also be an informal PING face-to-face meeting alongside IETF 89 on Tuesday 4 March 2014, 11:30 - 13:00 at the Berkeley Room, Mezzanine, Hilton London Metropole. Please RSVP (to Christine and/or Tara).


Link to the minutes: http://www.w3.org/2014/01/30-privacy-minutes.html

Christine and Tara

[1] http://www.w3.org/TR/discovery-api/
[2] https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html
[3] https://2x.io/read/security-by-obscurity
[4] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html
[5] http://w3c.github.io/fingerprinting-guidance/
[6] http://www.tschofenig.priv.at/w3c-privacy-guidelines.html#guidelines
[7] http://yrlesru.github.io/SPA/
[8] https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html
[9] http://dev.w3.org/2011/webrtc/editor/getusermedia.html

Received on Saturday, 1 March 2014 00:16:21 UTC