RE: Web Security IG - a proposal of actions

Thanks David, Dom for your feedback.
Let's catch ideas/analysis/suggestions in the dedicated wiki

Mobile Security :

Security Model :

One obviously should feed the other...

Have a nice week.

-----Original Message-----
From: David Rogers
Sent: Monday 21 October 2013 13:07
To: 'Dominique Hazael-Massieux'; GALINDO Virginie
Cc:; 'Wendy Seltzer'
Subject: RE: Web Security IG - a proposal of actions

Dear all,

As some of you know I have been a very strong advocate of security in this area and I would like to contribute in any way I can.

I have been thinking about this for a while and some of the things that we need to concentrate on are:

* Basic developer documentation for security through (as has been discussed in webcrypto and webappsec) and clear documentation and understanding of the "web security model". (I have already agreed to kick this work off).
* Clear user-controllable / configurable boundaries between the outside "web world" and the local device
* Security-in-mind API design to allow for graceful failure as a result of user denial of access to particular features (e.g. device APIs / sysapps)

In the future I think we should also think about safety critical applications (i.e. in relation to automotive and mobile), but I think it is too early to consider this right now.



-----Original Message-----
From: Dominique Hazael-Massieux
Sent: 17 October 2013 08:42
To: GALINDO Virginie
Cc:; Wendy Seltzer
Subject: Re: Web Security IG - a proposal of actions

Hi Virginie,

On Wednesday 16 October 2013 at 17:30 +0200, GALINDO Virginie wrote:
> As announced by Wendy, I am now joining the Web Security IG team and I
> shared with Adam and Wendy a few topics I believe this IG could discuss.
> So here is a proposal of topics we could focus in the coming months,
> to bring back this IG to life :)
> - Mobile security
> We should support the web & mobile IG [1] to understand what are the
> main security weaknesses in the web app model, compared to native app
> model. This would help W3C to fill the gap in terms of security
> feature for the mobile web.

As you know, I'm very interested in this topic, and will be available to help; a big part of the work that needs to be done here is to identify what content/service providers see as gaps, and document which of these gaps are real, and which have solutions but that are not sufficiently well-known.



Received on Monday, 21 October 2013 12:37:26 UTC