And some more info on various W3C security activities

List of Security Groups in W3C (these are all links to the group web site)

1. Tracking Protection Working Group<http://www.w3.org/2011/tracking-protection/>

DNT:1
Do not track - indicate to web site that you do not want to be tracked


2. Privacy Interest Group<https://www.w3.org/Privacy/>

Discussion, not specs.  Anything privacy and web related.  Does reviews of specs from WGs for privacy issues.  Can develop use cases and requirements to suggest new privacy work in WGs.

A major concern in W3C about privacy is fingerprinting.  Sites can use information about the device and software to identify the device (and person).  EFF (Electronic Freedom Foundation) Panopticlick project demonstrated identifying devices out of millions.


3. Web Application Security Working Group<http://www.w3.org/2011/webappsec/>

Home of:

CORS (Cross Origin Resource Sharing) - enabling controlled resource sharing outside the usual same origin restriction (HTTP header says other domains can access a resource from a Browser/UA)

CSP (Content Security Policy) - control over where resources are permitted to come from for a page.  E.g. scripts or images only from some servers, forbid inline JavaScript, use nonce for inline JavaScript, provide hash for inline CSS, and lots of other stuff.

Subresource Integrity -- Hash associated with link to a resource so UA/Browser can tell if it has been tampered with

Secure Cross-Domain Framing: User Interface Security Directives for Content Security Policy  -- secure mashups using cross domain framing

Mixed Content - protection when content delivered over a secure channel accesses resources that are not over a secure channel

Lightweight Isolated / Safe Content  -- lighter weight mechanism for providing iframe like isolation


4. Web Cryptography Working Group<http://www.w3.org/2012/webcrypto/>

JavaScript APIs for crypto, hash


5. Web Security Interest Group<http://www.w3.org/Security/IG/>

Discussion, not specs.  Anything security and web related.  Does reviews of specs from WGs for security issues.  Can develop use cases and requirements to suggest new security work in WGs.


6. HTML WG Encrypted Media Extensions (EME)
https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html
For playing DRM protected content in web pages.  Passes messages to a Content Decryption Module (CDM).   CDM is a blob, not defined.  Message passing is defined to pass credentials.


7. Web Crypto Next Steps: Authentication, Hardware Tokens and Beyond Workshop<http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/Overview.html>
10-11 September 2014, Silicon Valley (Mountain View), California

Considering things like FIDO mutual authentication.


8. XML Security Working Group<https://www.w3.org/2008/xmlsec/>

Finished its specs.  It just handles errata, maintenance.  For XML dig sig.




Adam M Abramski
Product Planner
Intel Software & Services Group
503-264-8269 (o)
503-550-7910 (m)
adam.m.abramski@intel.com

Received on Saturday, 26 July 2014 00:37:09 UTC