Re: [HASMAT] HASMAT Charter Proposal

"Thomas Hardjono" <ietf@hardjono.net> Tue, 08 June 2010 19:58 UTC

From: Thomas Hardjono <ietf@hardjono.net>
To: "'Tschofenig, Hannes (NSN - FI/Espoo)'" <hannes.tschofenig@nsn.com>, hasmat@ietf.org
References: <3D3C75174CB95F42AD6BCC56E5555B4502AF72B4@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4502AF72B4@FIESEXC015.nsn-intra.net>
Date: Tue, 08 Jun 2010 15:58:52 -0400
Message-ID: <004c01cb0745$05d90e40$118b2ac0$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [HASMAT] HASMAT Charter Proposal
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>

> -----Original Message-----
> From: hasmat-bounces@ietf.org [mailto:hasmat-bounces@ietf.org] On Behalf Of
> Tschofenig, Hannes (NSN - FI/Espoo)
> Sent: Tuesday, June 08, 2010 3:15 PM
> To: hasmat@ietf.org
> Subject: [HASMAT] HASMAT Charter Proposal
> 
> Charter for HASMAT -- HTTP Application Security Minus Authentication and
> Transport WG
> 
> Problem Statement
> 
> Although modern Web applications are built on top of HTTP, they provide
> rich functionality and have requirements beyond the original vision of
> static web pages.  HTTP, and the applications built on it, have evolved
> organically.  Over the past few years, we have seen a proliferation of
> AJAX-based web applications (AJAX being shorthand for asynchronous
> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
> on so-called Web 2.0 technologies.  These applications bring both
> luscious eye-candy and convenient functionality, e.g. social networking,
> to their users, making them quite compelling.  At the same time, we are
> seeing an increase in attacks against these applications and their
> underlying technologies.
> 
> The list of attacks is long and includes Cross-Site-Request Forgery
> (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)
> attacks, attacks against browsers supporting anti-XSS policies,
> clickjacking attacks, malvertising attacks, as well as man-in-the-middle
> (MITM) attacks against "secure" (e.g. Transport Layer Security
> (TLS/SSL)-based) web sites along with distribution of the tools to carry
> out such attacks (e.g. sslstrip).
> 
> Objectives
> 
> With the arrival of new attacks, new web security indicators, security
> techniques, and policy communication mechanisms have been sprinkled
> throughout the various layers of the Web and HTTP.
> 
> The goal of this working group is to standardize a small number of
> selected specifications that have proven to improve security of Internet
> Web applications. The requirements guiding the work will be taken from
> the Web application and Web security communities.  Initial work will be
> limited to the following topics:
> 
>    - Media type sniffing, as discussed in draft-abarth-mime-sniff
>    - Same origin policy, as discussed in draft-abarth-origin (expired)
>    - Strict transport security, as discussed in
>      draft-hodges-stricttransportsec (to be submitted shortly)
> 
> This working group will work closely with IETF Apps Area WGs (such as
> HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
> 
> Deliverables
> 
> 1. A document illustrating the security problems Web applications are
> facing and listing design requirements.  This document shall be
> Informational.
> 
> 2. A selected set of technical specifications documenting deployed
> HTTP-based Web security solutions.
> These documents shall be Standards Track.
> 
> Goals and Milestones
> 
> Oct 2010    Submit "HTTP Application Security Problem Statement and
>             Requirements" as initial WG item.
> Oct 2010    Submit "Media Type Sniffing" as initial WG item.
> Oct 2010    Submit "Web Origin Concept" as initial WG item.
> Oct 2010    Submit "Strict Transport Security" as initial WG item.
> Feb 2011    Submit "HTTP Application Security Problem Statement and
>             Requirements" to the IESG for consideration as an
>             Informational RFC.
> Mar 2011    Submit "Media Type Sniffing" to the IESG for consideration
>             as a Standards Track RFC.
> Mar 2011    Submit "Web Origin Concept" to the IESG for consideration as
>             a Standards Track RFC.
> Mar 2011    Submit "Strict Transport Security" to the IESG for
>             consideration as a Standards Track RFC.
> Apr 2011    Possible re-chartering
> 

Hannes,

What is out of scope for the HASMAT WG? (i.e., should anything be called out
by the Charter as being out of scope, such as authentication and transport
topics?)

/thomas/