Re: [HASMAT] moving forward

=JeffH <> Tue, 24 August 2010 23:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E1F043A6953 for <>; Tue, 24 Aug 2010 16:39:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -100.804
X-Spam-Status: No, score=-100.804 tagged_above=-999 required=5 tests=[AWL=-0.953, BAYES_40=-0.185, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yvOBPef8MdV5 for <>; Tue, 24 Aug 2010 16:39:02 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id C703A3A6960 for <>; Tue, 24 Aug 2010 16:39:02 -0700 (PDT)
Received: (qmail 7308 invoked by uid 0); 24 Aug 2010 23:39:35 -0000
Received: from unknown (HELO ( by with SMTP; 24 Aug 2010 23:39:35 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=Q3nmMz9+QWR4ng3KZc9cR3T0lqP3/T6DpHKikNs8sU2E4ZnwsXvTOSUWDYLgB+X6YAXN+gnGmcPcUjAbDbO9BrXNy9zhQxDD8aMDXYky8quGgp8f8dIuctcWlwrewHM0;
Received: from ([] helo=[]) by with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <>) id 1Oo35b-0005eO-Fr for; Tue, 24 Aug 2010 17:39:35 -0600
Message-ID: <>
Date: Tue, 24 Aug 2010 16:39:35 -0700
From: =JeffH <>
User-Agent: Thunderbird (X11/20100411)
MIME-Version: 1.0
To: IETF HASMAT list <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {} {sentby:smtp auth authed with}
Subject: Re: [HASMAT] moving forward
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Aug 2010 23:39:04 -0000

Thanks Peter for keeping the ball moving.

 > Following up on the successful BoF we held in Maastricht,

yea! thanks all who attended (it was standing-room-only)

 > I'd like to
 > keep us moving toward formation of a working group. Here are some open
 > tasks:
 > 1. Chairs. Tobias Gondrom (currently co-chair of the LTANS WG in the
 > Security Area) has stepped forward to volunteer and I think he'll make a
 > good co-chair. Thanks, Tobias!

Indeed, thanks Tobias.

 > However, we need someone to work with Tobias,

thoughts / volunteers?

I'm presently slated to hack on specs, thus am not a chair candidate.

 > 2. Charter. We had some feedback at the BoF about charter revisions,
 > especially focusing on the three drafts under immediate consideration
 > and removing the text about developing a long-term framework for web
 > security. Jeff or Hannes, could you send updated charter text to the
 > list for discussion?

working on it. tomorrow or Wed.

 > 3. Name. Some people have said that "HASMAT" isn't very descriptive of
 > the subject matter, and that we might want something like "WEBSEC". As
 > long as folks don't think "WEBSEC" means that we'd be working on
 > everything under the sun related to the security of the web, I'd be fine
 > with a name like that. Other suggestions are welcome

It isn't descriptive unless one knows what the acronym represents -- HTTP app 
sec minus authn & transport -- and then it's very descriptive.

It's also sort of an "inside joke" in that HTTP authn is something that gets 
derided often but no one has really wanted to take up and try to do something 
about (AFAIK Peter S-A came up with the HASMAT moniker), and transport 
security, ie TLS/SSL, is addressed elsewhere already, and no one really wants 
to step on their toes. Hence the "HASMAT" double-entendre.

That said we could use "websec" with the understanding (and explicitness in the 
charter) that it's "minus authn & transport".

"websec" will be easier for IETF newbies to find and grok than "hasmat". Tho it 
might get a bit confusing wrt the in-genesis W3C "WebAppSec" WG.

more thoughts?