Re: [securityig] Agenda: 2026-02-17 (#41)

Hey, as someone involved in the security work on WebMCP, I want to note
that there is also an (IMO) good writeup of the most pertinent risks
in the Security & Privacy Considerations document
<https://github.com/webmachinelearning/webmcp/blob/main/docs/security-privacy-considerations.md>.
There are active discussions about security in the WebML group and this was
a major topic at TPAC as well, both in breakouts and in the WebML group
meetings.

If you'd like to put this topic on the agenda for SING, I think some of us
on the WebMCP side would be happy to join and discuss WebMCP and how it
affects the Web's threat model.

On Mon, Feb 9, 2026 at 8:12 PM Tom Jones <thomasclinganjones@gmail.com>
wrote:

> Here is a very troubling addition being made to Chromium which will
> probably get propagated to all the big browsers.
> https://github.com/webmachinelearning/webmcp
>
> Look at the explainer where the entire security section says:
> There are security considerations that will need to be accounted for,
> especially if the WebMCP API is used by semi-autonomous systems like
> LLM-based agents. Engagement from the community is welcome.
>
> I do not know if a TAG review is requested or other W3C input. But IMHO
> this would make any compliant browser a privacy / security nightmare.
> What do I do to get this the appropriate W3C attention?
>
> Second question - should it be an extension to the existing use case /
> Threat Model for scripted AI? Or a new TM just focused on this?
>
> Can you add it to the agenda?
> I've never been able to get a pull request to work.
>
>
> Peace ..tom jones
>
>
> On Mon, Feb 9, 2026 at 6:37 AM Simone Onofri via GitHub <noreply@w3.org>
> wrote:
>
>> Agenda published here:
>> https://github.com/w3c/securityig/blob/main/meetings/2026/2026-02-17_agenda.md
>>
>> Feel free to PR the agenda itself
>>
>> --
>> GitHub Notification of comment by simoneonofri
>> Please view or discuss this issue at
>> https://github.com/w3c/securityig/issues/41#issuecomment-3872120175
>> using your GitHub account
>>
>>

Received on Tuesday, 10 February 2026 05:37:46 UTC