- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Wed, 09 Jun 2010 15:36:45 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi, We will be hosting the "HTTP Application Security Minus Authentication and Transport (HASMAT)" Birds-of-a-Feather (BoF) session at IETF-78 in Maastricht NL during the week of July 25-30, 2010 (see [0] for mailing list). The purpose of IETF BoFs is to determine whether there is a problem worth solving, and whether the IETF is the right group to solve it. To that end, the problem statement is summarized below in the Draft HASMAT Working Group Charter, and is drawn from this paper [1]. Various facets of this work are already underway, as outlined below in the draft WG charter, e.g. Strict Transport Security (STS) [2]. Of course the scope of "HTTP application security" is quite broad (as outlined in [1]), thus the intent is to coordinate this work closely with related work likely to land in the W3C (and possibly other orgs), e.g. Content Security Policy (CSP) [3]. We have created a public mailing list [0] for pre-BoF discussion -- hasmat@ietf.org -- to which you can freely subscribe here: <https://www.ietf.org/mailman/listinfo/hasmat> We encourage all interested parties to join the hasmat@ mailing list and engage in the on-going discussion there. thanks, =JeffH (current IETF HTTPstate WG chair) Peter Saint-Andre (IETF Applications Area Director) Hannes Tschofenig (IAB, IETF WG chair) ---------------------------------------------------- [0] HASMAT mailing list. https://www.ietf.org/mailman/listinfo/hasmat [1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy Framework", W2SP position paper, 2010. http://w2spconf.com/2010/papers/p11.pdf [2] Hodges, Jackson, and Barth, "Strict Transport Security (STS)", revision -06. http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html see also: http://en.wikipedia.org/wiki/Strict_Transport_Security [3] Sterne and Stamm, "Content Security Policy (CSP)". https://wiki.mozilla.org/Security/CSP/Specification see also: http://people.mozilla.org/~bsterne/content-security-policy/ https://wiki.mozilla.org/Security/CSP/Design_Considerations ### Proposed HASMAT BoF agenda -------------------------- Chairs: Hannes Tschofenig and Jeff Hodges 5 min Agenda bashing (Chairs) 10 min Description of the problem space (TBD) 20 min Motivation for standardizing (TBD) draft-abarth-mime-sniff draft-abarth-origin draft-hodges-stricttransportsec (to-be-submitted) 15 min Presentation of charter text (TBD) 60 min Discussion of charter text and choice of the initial specifications (All) 10 min Conclusion (Chairs/ADs) ### Draft Charter for HASMAT: HTTP Application Security Minus Authentication and Transport WG Problem Statement Although modern Web applications are built on top of HTTP, they provide rich functionality and have requirements beyond the original vision of static web pages. HTTP, and the applications built on it, have evolved organically. Over the past few years, we have seen a proliferation of AJAX-based web applications (AJAX being shorthand for asynchronous JavaScript and XML), as well as Rich Internet Applications (RIAs), based on so-called Web 2.0 technologies. These applications bring both luscious eye-candy and convenient functionality, e.g. social networking, to their users, making them quite compelling. At the same time, we are seeing an increase in attacks against these applications and their underlying technologies. The list of attacks is long and includes Cross-Site-Request Forgery (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS) attacks, attacks against browsers supporting anti-XSS policies, clickjacking attacks, malvertising attacks, as well as man-in-the-middle (MITM) attacks against "secure" (e.g. Transport Layer Security (TLS/SSL)-based) web sites along with distribution of the tools to carry out such attacks (e.g. sslstrip). Objectives and Scope With the arrival of new attacks the introduction of new web security indicators, security techniques, and policy communication mechanisms have sprinkled throughout the various layers of the Web and HTTP. The goal of this working group is to standardize a small number of selected specifications that have proven to improve security of Internet Web applications. The requirements guiding the work will be taken from the Web application and Web security communities. Initial work will be limited to the following topics: - Same origin policy, as discussed in draft-abarth-origin - Strict transport security, as discussed in draft-hodges-stricttransportsec (to be submitted shortly) - Media type sniffing, as discussed in draft-abarth-mime-sniff In addition, this working group will consider the overall topic of HTTP application security and compose a "problem statement and requirements" document that can be used to guide further work. This working group will work closely with IETF Apps Area WGs (such as HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s). Out of Scope As noted in this working group's title, this working group's scope does not include working on HTTP Authentication nor underlying transport (secure or not) topics. So, for example, these items are out-of-scope for this WG: - Replacements for BASIC and DIGEST authentication - New transports (e.g. SCTP and the like) Deliverables 1. A document illustrating the security problems Web applications are facing and listing design requirements. This document shall be Informational. 2. A selected set of technical specifications documenting deployed HTTP-based Web security solutions. These documents shall be Standards Track. Goals and Milestones Oct 2010 Submit "HTTP Application Security Problem Statement and Requirements" as initial WG item. Oct 2010 Submit "Media Type Sniffing" as initial WG item. Oct 2010 Submit "Web Origin Concept" as initial WG item. Oct 2010 Submit "Strict Transport Security" as initial WG item. Feb 2011 Submit "HTTP Application Security Problem Statement and Requirements" to the IESG for consideration as an Informational RFC. Mar 2011 Submit "Media Type Sniffing" to the IESG for consideration as a Standards Track RFC. Mar 2011 Submit "Web Origin Concept" to the IESG for consideration as a Standards Track RFC. Mar 2011 Submit "Strict Transport Security" to the IESG for consideration as a Standards Track RFC. Apr 2011 Possible re-chartering ###
Received on Wednesday, 9 June 2010 22:37:14 UTC