Re: [HASMAT] moving forward

Tobias Gondrom <> Mon, 23 August 2010 14:59 UTC

List-Id: HTTP Application Security Minus Authentication and Transport <>

Hi all,

just a quick introduction for the ones who might not already know me:
Currently living in London, UK (timezone UTC/GMT+1). My background is in
Web application security, where until recently I spent the last couple
of years heading the security department of an ISV. I've been
co-chairing the LTANS WG in the security area for a couple of years
until this September when we successfully finish its work and close it.
Over the years I became a big fan of "rough consensus and running code".
;-) For me these principles helped a lot to get things done.
Besides enjoying IETF work, I am also a member of OWASP (Open Web
Application Security Project) and probably have seen every web app
security problem in the book (and some which aren't).
When I read the drafts and saw the BOF proposal before Maastricht, I
felt very excited about it.
In the past I always worked around some of the problems posed by
underlying infrastructure and this is a great opportunity to remedy some
of the problems at the root!

Whatever I can do to help (even if it's not directly related to the WG),
please feel free to contact me via email, phone, Skype, ... and of
course during IETF meetings. I am looking forward to working with you, the
progress of the WG, its charter and the three initial drafts and getting
things done!

Many greetings, Tobias

PS: as Peter mentioned, we are still looking for a co-chair: Personally,
I feel a WG is faster and more productive with two co-chairs than just
one. So if you think about co-chairing with me, please please drop me a

Tobias Gondrom
Sloan Fellowship 2009
London Business School
mobile: +447521003005

On 08/20/2010 07:08 PM, Peter Saint-Andre wrote:
> Following up on the successful BoF we held in Maastricht, I'd like to
> keep us moving toward formation of a working group. Here are some open
> tasks:
> 1. Chairs. Tobias Gondrom (currently co-chair of the LTANS WG in the
> Security Area) has stepped forward to volunteer and I think he'll make a
> good co-chair. Thanks, Tobias! However, we need someone to work with
> Tobias, preferably someone with (a) more experience in the Applications
> Area and (b) strong knowledge of HTTP. Please contact me if you're
> interested or you would like to suggest someone else.
> 2. Charter. We had some feedback at the BoF about charter revisions,
> especially focusing on the three drafts under immediate consideration
> and removing the text about developing a long-term framework for web
> security. Jeff or Hannes, could you send updated charter text to the
> list for discussion?
> 3. Name. Some people have said that "HASMAT" isn't very descriptive of
> the subject matter, and that we might want something like "WEBSEC". As
> long as folks don't think "WEBSEC" means that we'd be working on
> everything under the sun related to the security of the web, I'd be fine
> with a name like that. Other suggestions are welcome.
> Thanks!
> Peter