Re: [W3C Web Security IG] recent conversations in W3C membership on security : let's be active !

Virginie,

The kernel of people (particularly W3C members) who are monitoring new security requirements are, simply put, not hanging out in this list.

If you or the W3C want to create more action you may need to activate people to contribute with more concrete stuff.
For example we know by now that the core Web architects do not consider the traditional eID useful and are actively constraining its usage on the Web.  It started with removing plugins and continued with restrictions on using "localhost" services as well as disabling the on-line certificate provisioning support like <keygen>.

Obviously governments all over the globe need a transition plan where they turn to supported technologies like FIDO.  A write-up on how such services would be designed using FIDO would be extremely interesting.

Another area worth looking into is security for payments.  AFAICT, the W3 Web Payment API is free from security constructs; the Web payment folks rather hope that the "schemes" are going to provide that.  There have to date been no such contributions, which IMO casts a shadow over the entire effort.

Then we have this itching topic which TAG and WebAppSec have declared no interest in: How are Web developers going to exploit the "App" revolution?  Ignoring "Apps", which is W3C's strategy, is not consistent with the market, which of course wants to make the best possible applications and has no prejudice regarding technologies to use.

BTW, it seems hard to get [qualified] feedback as well.  I have for example created a "tentative de-facto standard" for JSON signatures adapted for Web browsers and JavaScript, but there has been very little feedback on that: https://cyberphone.github.io/openkeystore/resources/docs/jsonsignatures.html

JSON tool vendors OTOH have shown commitment to fixing a potential interoperability issue that the core concept introduces:
https://github.com/dotnet/corefx/pull/6665#issuecomment-198995847
https://github.com/golang/go/issues/14749#issuecomment-207890933
https://bugs.chromium.org/p/chromium/issues/detail?id=586202#c6

thanx,
Anders
non-member

On 2016-04-19 18:09, GALINDO Virginie wrote:
>
> Dear all,
>
> Last month was held the W3C AC members meeting, together with the AB meeting at MIT. Some of the points of discussion could be of interest for you, followers of security activities in W3C.
>
> *About security importance in W3C membership
>
> A live survey demonstrated during the AC meeting that security stays the big next topic for the W3C, confirming the importance of developing a trusted open web platform. Today there are some active groups in the security area, delivering some excellent features, but it seems that the membership wants more.
>
> *About AB activity and security
>
> One of the projects developed by the AB is the security area. A wiki has been developed to list what would be great to achieve soon, in order to improve the security consistency and activity in W3C: https://www.w3.org/wiki/AB/2016_Priorities/Security. If you read that plan carefully, you will see that there is the ambition to increase the number of company contributors in the security area. In addition, there is an expectation to have the W3C building a security expert community to give advice and potentially review the specifications (usual topics, I know).
>
> *About this Web Security IG
>
> Turning the question in all possible directions, it appears that a lot of people are expecting this Web Security IG to be alive and kicking.
>
> *My proposal
>
> Based on this news, my suggestion is: let's revive the Web Security IG with regular monthly calls. It will be a chance to (1) exchange on security news inside and outside the W3C, (2) discuss potential questions which are out of scope of the other security related WGs (aka Web App Sec and Web Crypto), (3) keep a kernel of people motivated to monitor new security requirements.
>
> Here is a Doodle to set up a call; thanks for answering it by the end of the week: http://doodle.com/poll/wp24eh5e5atvxw4v#table
>
> Hoping we can have that IG live and useful to the W3C community.
>
> Regards,
>
> Virginie

Received on Wednesday, 20 April 2016 03:33:34 UTC