Re: [HASMAT] HASMAT/Websec Charter Proposal - last call - comments until Sep-8

Julian Reschke <julian.reschke@gmx.de> Wed, 08 September 2010 13:38 UTC

Message-ID: <4C8791CA.1010305@gmx.de>
Date: Wed, 08 Sep 2010 15:38:18 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4C817C9A.1060105@KingsMountain.com> <4C8270C8.3010605@gondrom.org>
In-Reply-To: <4C8270C8.3010605@gondrom.org>
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] HASMAT/Websec Charter Proposal - last call - comments until Sep-8

On 04.09.2010 18:16, Tobias Gondrom wrote:
> Dear all,
>
> as I haven't seen too much controversy on the charter, to get the work
> going I'd like to close final comments on the initial charter and the name
> of the new WG until Sep-8. After that we should submit the final
> proposal to the AD and get to the more important work on the drafts.
> Best regards, Tobias
>
>
> Ps.: We need to finish the formal stuff (name, charter) for the WG until
> Sep-12 so that we are in time before the cut-off date to book the
> meeting slot for Beijing and so we can focus on the real stuff: the drafts.
>
>
>
> ======================================================
>
>
> Charter for WebSec -- Web Security WG
>
> Problem Statement
>
> Although modern Web applications are built on top of HTTP, they provide
> rich functionality and have requirements beyond the original vision of
> static web pages.  HTTP, and the applications built on it, have evolved
> organically.  Over the past few years, we have seen a proliferation of
> AJAX-based web applications (AJAX being shorthand for asynchronous
> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
> on so-called Web 2.0 technologies.  These applications bring both
> luscious eye-candy and convenient functionality, e.g. social networking,
> to their users, making them quite compelling.  At the same time, we are
> seeing an increase in attacks against these applications and their
> underlying technologies.

This has many buzzwords. Maybe it could be shortened.

> The list of attacks is long and includes Cross-Site-Request Forgery
> (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)

"content-sniffing cross-site-scripting"?

> ...
> This working group will work closely with IETF Apps Area WGs (such as
> HYBI, HTTPstate, and HTTPbis), as well as appropriate W3C working group(s)
> (e.g. HTML5, WebApps).

It's the W3C "HTML" Working Group...

> References
>
> [1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
> Framework", W2SP position paper, 2010.
> http://w2spconf.com/2010/papers/p11.pdf
>
> Appendix
>
> A. Relationship of Origin work in IETF WebSec and in W3C HTML5
>
> draft-abarth-origin defines the nuts-and-bolts of working with
> origins (computing them from URLs, comparing them to each other, etc).
> ...

From URIs or IRIs, I assume :-)

Best regards, Julian
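The origin computation the appendix refers to, as an added example that is not from this thread or from draft-abarth-origin itself: it builds the (scheme, host, port) triple with the scheme's default port filled in and IDNA-encodes the host, so an IRI and its URI form compare as the same origin, which is the point behind Julian's remark. The DEFAULT_PORTS table and the None result for host-less URIs are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumed default ports for the schemes this example cares about.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(uri):
    """Return the (scheme, host, port) origin of a URI or IRI, or None.

    Assumption of this example: a URI without a host (data:, about:blank)
    has no comparable origin and yields None, so it never matches anything.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return None
    # IRI hosts may carry non-ASCII labels; IDNA-encode so that
    # "bücher.example" and "xn--bcher-kva.example" compare equal.
    host = host.encode("idna").decode("ascii")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    """True only if both URIs have a real origin and the triples match."""
    oa, ob = origin_of(a), origin_of(b)
    return oa is not None and oa == ob
```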