Re: [HASMAT] HASMAT/Websec Charter Proposal - last call - comments until Sep-8

Tobias Gondrom <> Thu, 09 September 2010 13:49 UTC

From: Tobias Gondrom <>
To: Julian Reschke <>
Cc: IETF HASMAT list <>
Date: Thu, 09 Sep 2010 14:49:24 +0100

Dear Julian,
thanks a lot for your feedback. I corrected the points you mentioned
except for the "buzzword part". Answers inline.
I think we are ready to go now.
Best regards, Tobias

On 09/08/2010 02:38 PM, Julian Reschke wrote:
> On 04.09.2010 18:16, Tobias Gondrom wrote:
>>   Dear all,
>> as I haven't seen too much controversy on the charter, to get the work
>> going I'd like to close final comments on the initial charter and the name
>> of the new WG until Sep-8. After that we should submit the final
>> proposal to the AD and get to the more important work on the drafts.
>> Best regards, Tobias
>> Ps.: We need to finish the formal stuff (name, charter) for the WG until
>> Sep-12 so that we are in time before the cut-off date to book the
>> meeting slot for Beijing and so we can focus on the real stuff: the
>> drafts.
>> ======================================================
>> Charter for WebSec -- Web Security WG
>> Problem Statement
>> Although modern Web applications are built on top of HTTP, they provide
>> rich functionality and have requirements beyond the original vision of
>> static web pages.  HTTP, and the applications built on it, have evolved
>> organically.  Over the past few years, we have seen a proliferation of
>> AJAX-based web applications (AJAX being shorthand for asynchronous
>> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
>> on so-called Web 2.0 technologies.  These applications bring both
>> luscious eye-candy and convenient functionality, e.g. social networking,
>> to their users, making them quite compelling.  At the same time, we are
>> seeing an increase in attacks against these applications and their
>> underlying technologies.
> This has many Buzzwords. Maybe it could be shortened.
Hm, yes maybe, reminds me of Pascal ("I have made this [letter] longer,
because I have not had the time to make it shorter.") Shortening it
would have required rewriting it, which would mean new review (and time
delay), so left the Problem Statement as it is with the buzzwords.

>> The list of attacks is long and includes Cross-Site-Request Forgery
>> (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)
> "content-sniffing cross-site-scripting"?
thanks. Added the comma between the words.

>> ...
>> This working group will work closely with IETF Apps Area WGs (such as
>> HYBI, HTTPstate, and HTTPbis), as well as appropriate W3C working
>> group(s)
>> (e.g. HTML5, WebApps).
> It's the W3C "HTML" Working Group...
>> References
>> [1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
>> Framework", W2SP position paper, 2010.
>> Appendix
>> A. Relationship of Origin work in IETF WebSec and in W3C HTML5
>> draft-abarth-origin defines the nuts-and-bolts of working with
>> origins (computing them from URLs, comparing them to each other, etc).
>> ...
> From URIs or IRIs, I assume :-)
Yes, it's URI. Corrected.

> Best regards, Julian
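The appendix quoted above says draft-abarth-origin defines "the nuts-and-bolts" of computing origins from URIs and comparing them. The following is an added illustration of that idea, not code from the draft or from anyone on this thread: a hypothetical helper that reduces a URI to a (scheme, host, port) tuple, normalises default ports and case, treats non-hierarchical URIs as opaque (never same-origin), and compares two URIs. It is a simplified sketch; it assumes only http/https/ws/wss schemes and does not implement the draft's normative algorithm.

```python
from urllib.parse import urlsplit

# Assumption for this example: only these schemes are recognised; anything
# else is treated as an opaque origin that never matches.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(uri):
    """Return the (scheme, host, port) origin tuple for an absolute URI,
    or None for URIs without a hierarchical host (e.g. data:, about:).
    Hypothetical helper; not the draft-abarth-origin algorithm itself."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # None when no explicit port, ValueError if malformed
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # urlsplit already lowercases hostname; userinfo, path, query and
    # fragment are deliberately ignored because they are not part of the origin.
    return (scheme, parts.hostname, port)


def same_origin(uri_a, uri_b):
    """Two URIs share an origin only if both yield a tuple and the tuples match.
    Opaque origins (None) compare unequal even to themselves."""
    origin_a, origin_b = origin_of(uri_a), origin_of(uri_b)
    return origin_a is not None and origin_a == origin_b


def serialize_origin(uri):
    """ASCII serialisation of an origin, omitting the port when it is the
    scheme's default; 'null' for opaque origins."""
    origin = origin_of(uri)
    if origin is None:
        return "null"
    scheme, host, port = origin
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


if __name__ == "__main__":
    # Constructed sample pairs showing which differences matter for origin checks.
    pairs = [
        ("http://example.com/a", "http://EXAMPLE.com:80/b"),      # same origin
        ("http://example.com/", "https://example.com/"),          # scheme differs
        ("https://example.com/", "https://www.example.com/"),     # host differs
        ("https://example.com/", "https://example.com:8443/"),    # port differs
        ("data:text/plain,x", "data:text/plain,x"),               # opaque
    ]
    for a, b in pairs:
        print(f"{serialize_origin(a):<28} {serialize_origin(b):<28} same={same_origin(a, b)}")
```

The point a reviewer of the charter might take from this: path, query, fragment and userinfo play no part in the comparison, while a differing scheme, host or explicit non-default port makes two URIs distinct origins.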