Re: [HASMAT] HASMAT/Websec Charter Proposal - last call - comments until Sep-8

Julian Reschke <julian.reschke@gmx.de> Wed, 08 September 2010 13:38 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 056B73A6949 for <hasmat@core3.amsl.com>; Wed, 8 Sep 2010 06:38:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.425
X-Spam-Level:
X-Spam-Status: No, score=-103.425 tagged_above=-999 required=5 tests=[AWL=-3.240, BAYES_40=-0.185, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IxmCEDPrjOLz for <hasmat@core3.amsl.com>; Wed, 8 Sep 2010 06:38:19 -0700 (PDT)
Received: from mail.gmx.net (mailout-de.gmx.net [213.165.64.22]) by core3.amsl.com (Postfix) with SMTP id 5FE283A68D5 for <hasmat@ietf.org>; Wed, 8 Sep 2010 06:38:11 -0700 (PDT)
Received: (qmail invoked by alias); 08 Sep 2010 13:38:23 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.143]) [217.91.35.233] by mail.gmx.net (mp062) with SMTP; 08 Sep 2010 15:38:23 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18FrAAUOkMFBGM8HkXZLfy1vwfdATwyoabEmMdKLJ 57+vONTgaah0/Q
Message-ID: <4C8791CA.1010305@gmx.de>
Date: Wed, 08 Sep 2010 15:38:18 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100802 Lightning/1.0b2 Thunderbird/3.1.2
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4C817C9A.1060105@KingsMountain.com> <4C8270C8.3010605@gondrom.org>
In-Reply-To: <4C8270C8.3010605@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] HASMAT/Websec Charter Proposal - last call - comments until Sep-8
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 13:38:23 -0000

On 04.09.2010 18:16, Tobias Gondrom wrote:
>   Dear all,
>
> as I haven't seen too much controversy on the charter, to get the work
> going I like to close final comments on the initial charter and the name
> of the new WG until Sep-8. After that we should submit the final
> proposal to the AD and get to the more important work on the drafts.
> Best regards, Tobias
>
>
> Ps.: We need to finish the formal stuff (name, charter) for the WG until
> Sep-12 so that we are in time before the cut-off date to book the
> meeting slot for Beijing and so we can focus on the real stuff: the drafts.
>
>
>
> ======================================================
>
>
> Charter for WebSec -- Web Security WG
>
> Problem Statement
>
> Although modern Web applications are built on top of HTTP, they provide
> rich functionality and have requirements beyond the original vision of
> static web pages.  HTTP, and the applications built on it, have evolved
> organically.  Over the past few years, we have seen a proliferation of
> AJAX-based web applications (AJAX being shorthand for asynchronous
> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
> on so-called Web 2.0 technologies.  These applications bring both
> luscious eye-candy and convenient functionality, e.g. social networking,
> to their users, making them quite compelling.  At the same time, we are
> seeing an increase in attacks against these applications and their
> underlying technologies.

This has many Buzzwords. Maybe it could be shortened.

> The list of attacks is long and includes Cross-Site-Request Forgery
> (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)

"content-sniffing cross-site-scripting"?

> ...
> This working group will work closely with IETF Apps Area WGs (such as
> HYBI, HTTPstate, and HTTPbis), as well as appropriate W3C working group(s)
> (e.g. HTML5, WebApps).

It's the W3C "HTML" Working Group...

> References
>
> [1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
> Framework", W2SP position paper, 2010.
> http://w2spconf.com/2010/papers/p11.pdf
>
> Appendix
>
> A. Relationship of Origin work in IETF WebSec and in W3C HTML5
>
> draft-abarth-origin defines the nuts-and-bolts of working with
> origins (computing them from URLs, comparing them to each other, etc).
 > ...

 From URIs or IRIs, I assume :-)

Best regards, Julian