Re: Input Paper for STRINT


Hi there —

Based on current progress I don’t think we are ready to make a formal input paper into the STRINT workshop from the TAG by EOD today, which is the deadline.

I’d like to suggest that instead we make a less formal statement of interest from the TAG.  My suggested text for this input is the following:

"While exploring new ideas for adding security to Internet protocols and Web formats and languages, we should also be encouraging the use of the current existent mechanisms which can add security to existing Web transactions.

The TAG is working on a best practices document which will highlight these currently available techniques and technologies, with a view to influencing greater adoption by Web sites. In particular, we plan to focus on the use of Perfect Forward Secrecy over HTTPS, key strength, certificate pinning, use of up-to-date versions of security algorithms, HTTP Strict Transport Security and the general use of TLS in more circumstances.

These practices are currently being used on some high-volume production Web sites, but the whole Web would benefit from their adoption in more places and in more scenarios, especially when confidentiality is desirable. Currently some of these techniques may not have come into wide use due to cost of implementation or a perception that the majority of users are using browsers that do not support them. However, with the increased industry attention on security and anti-snooping, and considering that most modern browsers have implemented these techniques, adoption should be widely encouraged.

Furthermore, we believe that additional work needs to be done in order to further secure the Web platform, particularly in light of emerging Web APIs into privacy-encroaching device information such as the user’s address book, calendar, camera, microphone and geo-information.

We look forward to working with the wider community of practice on all these topics as we work together towards a more secure Web that is less susceptible to pervasive monitoring."

Make sense?

Dan

BTW turns out the deadline isn’t until 12:00 UTC tomorrow so plenty of time to augment still…

Dan

Received on Monday, 20 January 2014 16:31:56 UTC