Re: [HASMAT] moving forward

Brandon Sterne <> Tue, 31 August 2010 20:38 UTC

Date: Tue, 31 Aug 2010 13:42:49 -0700
From: Brandon Sterne <>
To: Peter Saint-Andre <>
Subject: Re: [HASMAT] moving forward
List-Id: HTTP Application Security Minus Authentication and Transport <>

On 08/20/2010 11:08 AM, Peter Saint-Andre wrote:
> Following up on the successful BoF we held in Maastricht, I'd like to
> keep us moving toward formation of a working group. Here are some open
> tasks:

Thanks, Peter, for keeping the ball rolling here.

> 2. Charter. We had some feedback at the BoF about charter revisions,
> especially focusing on the three drafts under immediate consideration
> and removing the text about developing a long-term framework for web
> security.

Not being present at the BoF, I missed the discussion about removing the
creation of a long-term security framework.  If the group focuses on
standardizing a small set of security mechanisms, won't it be
contributing to the "sprinkling" problem in the first part of the
Objectives and Scope section?

> 3. Name. Some people have said that "HASMAT" isn't very descriptive of
> the subject matter, and that we might want something like "WEBSEC". As
> long as folks don't think "WEBSEC" means that we'd be working on
> everything under the sun related to the security of the web, I'd be fine
> with a name like that. Other suggestions are welcome.

Personally, I do think WEBAPPSEC is the right name.  Someone pointed out
that is registered already, but that space is occupied by
the Web Application Security Consortium who generally go by the acronym
WASC.  Other than the domain issue, is this still a problem?