Re: [securityig] Agenda: 2026-02-17 (#41) from Simone Onofri on 2026-02-10 (public-security@w3.org from February 2026)

From: Simone Onofri <simone@w3.org>
Date: Tue, 10 Feb 2026 18:19:58 +0100
To: Nishant Jain <jain.nishant777@gmail.com>, Johann Hofmann <johannhof@google.com>, peace@acm.org
Cc: public-security@w3.org
Message-Id: <295DBE1D-31E6-46F0-AA13-C3F6C1EDCD84@w3.org>

Hi all,

Since there is interest, I will put it on the agenda for the 17th, and we can also discuss whether we want to do it here in your CG or start with a model during the TMCG calls we are planning.

Who wants to prepare a short introduction on the topic? I would say on “What are we working on?”

I will put it after ETSI/CRA EN-304-617.

Thank you,

Simone

> On 10 Feb 2026, at 07:28, Nishant Jain <jain.nishant777@gmail.com> wrote:
> 
> I think webMCP would be a good idea. I have been involved with MCP SEPs, as well (not webMCP) but super curious to know about this! 
> 
> On Mon, Feb 9, 2026 at 9:37 PM Johann Hofmann <johannhof@google.com> wrote:
> Hey, as someone involved in the security work on WebMCP, I want to note that there is also an (IMO) good writeup of the most pertinent risks in the Security & Privacy Considerations document. There are active discussions about security in the WebML group and this was a major topic at TPAC as well, both in breakouts as well as the WebML group meetings.
> 
> If you'd like to put this topic on the agenda for SING, I think some of us on the WebMCP side would be happy to join and discuss WebMCP and how it affects the Web's threat model.
> 
> On Mon, Feb 9, 2026 at 8:12 PM Tom Jones <thomasclinganjones@gmail.com> wrote:
> Here is a very troubling addition being made to chromium which will probably get propagated to all the big browsers.
> https://github.com/webmachinelearning/webmcp
> 
> Look at the explainer where the entire security section says:
> There are security considerations that will need to be accounted for, especially if the WebMCP API is used by semi-autonomous systems like LLM-based agents. Engagement from the community is welcome.
> 
> I do not know if a TAG review is requested or other w3c input.  BUT  IMHO this would make any compliant browser a privacy / security nightmare.  
> What do i do to get this on the appropriate w3c attention?
> 
> second question - should i be an extension to the existing use case / Threat Model for scripted AI?  Or a new TM just focused on this?
> 
> can you add it to the agenda?
> i've never been able to get a pull request to work.
> 
> 
> Peace ..tom jones
> 
> 
> On Mon, Feb 9, 2026 at 6:37 AM Simone Onofri via GitHub <noreply@w3.org> wrote:
> Agenda published here: https://github.com/w3c/securityig/blob/main/meetings/2026/2026-02-17_agenda.md
> 
> Feel free to PR the agenda itself
> 
> -- 
> GitHub Notification of comment by simoneonofri
> Please view or discuss this issue at https://github.com/w3c/securityig/issues/41#issuecomment-3872120175 using your GitHub account
> 
> 
> -- 
> Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
>

Received on Tuesday, 10 February 2026 17:20:31 UTC