- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Thu, 03 Jun 2010 14:39:21 -0400
- To: ext Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Arun Ranganathan <arun@mozilla.com>, ext Daniel Veditz <dveditz@mozilla.com>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
Would this be a reasonable/acceptable place for CSP?

-Art Barstow

P.S. "hasmat" - that's a good one!

>> From: Peter Saint-Andre <stpeter@stpeter.im>
>> Date: 3 June 2010 20:14:13 GMT+02:00
>> To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
>> Subject: Re: HTTP Application Security (HAS) BoF
>>
>> We now have a dedicated list for this BoF:
>>
>> https://www.ietf.org/mailman/listinfo/hasmat
>>
>> Please discuss further on that list. I'll be blasting various lists and
>> individuals regarding the BoF.
>>
>> On 6/2/10 8:11 AM, Peter Saint-Andre wrote:
>>
>>> I've received a proposal to hold a birds of a feather (BoF) session at
>>> IETF 78 in Maastricht on the topic of HTTP Application Security. A
>>> draft charter and agenda can be found below. Please discuss on the
>>> apps-discuss@ietf.org list:
>>>
>>> https://www.ietf.org/mailman/listinfo/apps-discuss
>>>
>>> /psa
>>>
>>> ###
>>>
>>> Charter for HTTP Application Security (HAS) WG
>>>
>>> Problem Statement
>>>
>>> Although modern Web applications are built on top of HTTP, they provide
>>> rich functionality and have requirements beyond the original vision of
>>> static web pages. HTTP, and the applications built on it, have evolved
>>> organically. Over the past few years, we have seen a proliferation of
>>> AJAX-based web applications (AJAX being shorthand for asynchronous
>>> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
>>> on so-called Web 2.0 technologies. These applications bring both
>>> luscious eye-candy and convenient functionality, e.g. social networking,
>>> to their users, making them quite compelling. At the same time, we are
>>> seeing an increase in attacks against these applications and their
>>> underlying technologies.
>>>
>>> The list of attacks is long and includes Cross-Site Request Forgery
>>> (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)
>>> attacks, attacks against browsers supporting anti-XSS policies,
>>> clickjacking attacks, malvertising attacks, as well as man-in-the-middle
>>> (MITM) attacks against "secure" (e.g. Transport Layer Security
>>> (TLS/SSL)-based) web sites along with distribution of the tools to carry
>>> out such attacks (e.g. sslstrip).
>>>
>>> Objectives
>>>
>>> With the arrival of new attacks, new web security indicators, security
>>> techniques, and policy communication mechanisms have been sprinkled
>>> throughout the various layers of the Web and HTTP.
>>>
>>> The goal of this working group is to standardize a small number of
>>> selected specifications that have proven to improve security of Internet
>>> Web applications. The requirements guiding the work will be taken from
>>> the Web application and Web security communities. Initial work will be
>>> limited to the following topics:
>>>
>>> - Media type sniffing, as discussed in draft-abarth-mime-sniff
>>> - Same origin policy, as discussed in draft-abarth-origin (expired)
>>> - Strict transport security, as discussed in
>>>   draft-hodges-stricttransportsec (to be submitted shortly)
>>>
>>> This working group will work closely with IETF Apps Area WGs (such as
>>> HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
>>>
>>> Deliverables
>>>
>>> 1. A document illustrating the security problems Web applications are
>>>    facing and listing design requirements. This document shall be
>>>    Informational.
>>>
>>> 2. A selected set of technical specifications documenting deployed
>>>    HTTP-based Web security solutions. These documents shall be
>>>    Standards Track.
>>>
>>> Goals and Milestones
>>>
>>> Oct 2010  Submit "HTTP Application Security Problem Statement and
>>>           Requirements" as initial WG item.
>>> Oct 2010  Submit "Media Type Sniffing" as initial WG item.
>>> Oct 2010  Submit "Web Origin Concept" as initial WG item.
>>> Oct 2010  Submit "Strict Transport Security" as initial WG item.
>>> Feb 2011  Submit "HTTP Application Security Problem Statement and
>>>           Requirements" to the IESG for consideration as an
>>>           Informational RFC.
>>> Mar 2011  Submit "Media Type Sniffing" to the IESG for consideration
>>>           as a Standards Track RFC.
>>> Mar 2011  Submit "Web Origin Concept" to the IESG for consideration as
>>>           a Standards Track RFC.
>>> Mar 2011  Submit "Strict Transport Security" to the IESG for
>>>           consideration as a Standards Track RFC.
>>> Apr 2011  Possible re-chartering
>>>
>>> ###
>>>
>>> Agenda for HTTP Application Security (HAS) BoF, IETF 78
>>>
>>> Chairs: Hannes Tschofenig and Jeff Hodges (to be finalized)
>>>
>>> 5 min   Agenda bashing (Chairs)
>>>
>>> 10 min  Description of the problem space (TBD)
>>>
>>> 20 min  Motivation for standardizing (TBD)
>>>         draft-abarth-mime-sniff
>>>         draft-abarth-origin
>>>         draft-hodges-stricttransportsec
>>>
>>> 15 min  Presentation of charter text (TBD)
>>>
>>> 60 min  Discussion of charter text and choice of the initial
>>>         specifications (All)
>>>
>>> 10 min  Conclusion (Chairs/ADs)
>>>
>>> ###
>>>
>> _______________________________________________
>> Apps-Discuss mailing list
>> Apps-Discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/apps-discuss
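Added example, not code from the page, from any of the drafts it names, or from any participant in the thread: a minimal client-side Strict Transport Security store in Python, showing what the charter's third work item buys against the sslstrip-style downgrade listed in its problem statement. It assumes the header syntax and processing rules of draft-hodges-stricttransportsec as later published (RFC 6797): a `Strict-Transport-Security` header with `max-age` and optional `includeSubDomains`, honoured only when received over TLS without certificate errors. The hostnames, header values and the `tls_ok` flag standing in for certificate validation are constructed for the example.

```python
"""Toy HSTS policy store: parse the header, remember the host, upgrade later
plain-http URLs before a request leaves the client. Added example; hostnames
and responses below are constructed, not taken from any real site."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# One directive: name, optionally "=" and a token or quoted string.
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*')


def parse_sts(header):
    """Return (max_age, include_subdomains) or None if the header is invalid.

    max-age is required; unknown directives are ignored; a directive that
    appears twice makes the whole header invalid (RFC 6797 section 6.1)."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(3)
        if name in seen:
            return None
        seen.add(name)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, url, headers, tls_ok):
        """Record the policy carried by a response. Returns True if a policy
        was applied. The header is only trusted over https with a good
        certificate; over plain http an on-path attacker could plant or clear
        it, so it is ignored there."""
        parts = urlsplit(url)
        if parts.scheme != 'https' or not tls_ok:
            return False
        sts = next((v for k, v in headers.items()
                    if k.lower() == 'strict-transport-security'), None)
        if sts is None:
            return False
        parsed = parse_sts(sts)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:            # max-age=0 means "forget this host"
            self._entries.pop(host, None)
            return True
        self._entries[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Exact match, or a superdomain match whose policy set includeSubDomains."""
        now, labels = self._clock(), host.lower().split('.')
        for i in range(len(labels)):
            entry = self._entries.get('.'.join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for a known host (port 80 -> 443,
        other explicit ports kept). Unknown hosts and non-http URLs pass through."""
        parts = urlsplit(url)
        if parts.scheme != 'http' or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f':{parts.port}'
        return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))


def downgrade_demo():
    """Constructed scenario: first visit over good TLS pins the policy; a later
    page rewritten by an sslstrip-style attacker carries plain-http links, which
    the client upgrades before sending, so no plaintext request is ever made."""
    clock = [1_000_000.0]
    cache = HstsCache(clock=lambda: clock[0])
    cache.observe('https://bank.example/',
                  {'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'},
                  tls_ok=True)
    stripped = ['http://bank.example/login',
                'http://www.bank.example/account?id=1',
                'http://other.example/']          # never seen over TLS: untouched
    return [cache.rewrite(u) for u in stripped]


if __name__ == '__main__':
    print(downgrade_demo())
```

The first-visit gap is the part the store cannot fix: a client that has never seen the host over TLS has no entry and will send the plain-http request, which is why `observe` refuses to learn a policy from an http response and why browsers later added preload lists.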
Received on Thursday, 3 June 2010 18:40:03 UTC