- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 3 Jun 2010 20:23:40 +0200
- To: public-web-security@w3.org
- Cc: Thomas Roessler <tlr@w3.org>
FYI.

-- 
Thomas Roessler, W3C <tlr@w3.org> (@roessler)

Begin forwarded message:

> From: Peter Saint-Andre <stpeter@stpeter.im>
> Date: 3 June 2010 20:14:13 GMT+02:00
> To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
> Subject: Re: HTTP Application Security (HAS) BoF
>
> We now have a dedicated list for this BoF:
>
> https://www.ietf.org/mailman/listinfo/hasmat
>
> Please discuss further on that list. I'll be blasting various lists and individuals regarding the BoF.
>
> On 6/2/10 8:11 AM, Peter Saint-Andre wrote:
>> I've received a proposal to hold a birds of a feather (BoF) session at IETF 78 in Maastricht on the topic of HTTP Application Security. A draft charter and agenda can be found below. Please discuss on the apps-discuss@ietf.org list:
>>
>> https://www.ietf.org/mailman/listinfo/apps-discuss
>>
>> /psa
>>
>> ###
>>
>> Charter for HTTP Application Security (HAS) WG
>>
>> Problem Statement
>>
>> Although modern Web applications are built on top of HTTP, they provide rich functionality and have requirements beyond the original vision of static web pages. HTTP, and the applications built on it, have evolved organically. Over the past few years, we have seen a proliferation of AJAX-based web applications (AJAX being shorthand for asynchronous JavaScript and XML), as well as Rich Internet Applications (RIAs), based on so-called Web 2.0 technologies. These applications bring both luscious eye-candy and convenient functionality, e.g. social networking, to their users, making them quite compelling. At the same time, we are seeing an increase in attacks against these applications and their underlying technologies.
>>
>> The list of attacks is long and includes Cross-Site Request Forgery (CSRF)-based attacks, content-sniffing cross-site scripting (XSS) attacks, attacks against browsers supporting anti-XSS policies, clickjacking attacks, malvertising attacks, as well as man-in-the-middle (MITM) attacks against "secure" (e.g. Transport Layer Security (TLS/SSL)-based) web sites, along with distribution of the tools to carry out such attacks (e.g. sslstrip).
>>
>> Objectives
>>
>> With the arrival of new attacks, new web security indicators, security techniques, and policy communication mechanisms have been sprinkled throughout the various layers of the Web and HTTP.
>>
>> The goal of this working group is to standardize a small number of selected specifications that have proven to improve security of Internet Web applications. The requirements guiding the work will be taken from the Web application and Web security communities. Initial work will be limited to the following topics:
>>
>> - Media type sniffing, as discussed in draft-abarth-mime-sniff
>> - Same origin policy, as discussed in draft-abarth-origin (expired)
>> - Strict transport security, as discussed in draft-hodges-stricttransportsec (to be submitted shortly)
>>
>> This working group will work closely with IETF Apps Area WGs (such as HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
>>
>> Deliverables
>>
>> 1. A document illustrating the security problems Web applications are facing and listing design requirements. This document shall be Informational.
>>
>> 2. A selected set of technical specifications documenting deployed HTTP-based Web security solutions. These documents shall be Standards Track.
>>
>> Goals and Milestones
>>
>> Oct 2010  Submit "HTTP Application Security Problem Statement and Requirements" as initial WG item.
>> Oct 2010  Submit "Media Type Sniffing" as initial WG item.
>> Oct 2010  Submit "Web Origin Concept" as initial WG item.
>> Oct 2010  Submit "Strict Transport Security" as initial WG item.
>> Feb 2011  Submit "HTTP Application Security Problem Statement and Requirements" to the IESG for consideration as an Informational RFC.
>> Mar 2011  Submit "Media Type Sniffing" to the IESG for consideration as a Standards Track RFC.
>> Mar 2011  Submit "Web Origin Concept" to the IESG for consideration as a Standards Track RFC.
>> Mar 2011  Submit "Strict Transport Security" to the IESG for consideration as a Standards Track RFC.
>> Apr 2011  Possible re-chartering
>>
>> ###
>>
>> Agenda for HTTP Application Security (HAS) BoF, IETF 78
>>
>> Chairs: Hannes Tschofenig and Jeff Hodges (to be finalized)
>>
>> 5 min   Agenda bashing (Chairs)
>>
>> 10 min  Description of the problem space (TBD)
>>
>> 20 min  Motivation for standardizing (TBD)
>>         draft-abarth-mime-sniff
>>         draft-abarth-origin
>>         draft-hodges-stricttransportsec
>>
>> 15 min  Presentation of charter text (TBD)
>>
>> 60 min  Discussion of charter text and choice of the initial specifications (All)
>>
>> 10 min  Conclusion (Chairs/ADs)
>>
>> ###
>>
>
> _______________________________________________
> Apps-Discuss mailing list
> Apps-Discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
Received on Thursday, 3 June 2010 18:23:44 UTC