Fwd: [apps-discuss] Fwd: WG Review: Web Security (websec)
Mark Nottingham <mnot@mnot.net> Sat, 02 October 2010 01:39 UTC
From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 02 Oct 2010 11:37:45 +1000
References: <4CA22A4F.3080502@stpeter.im>
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <651A3E8C-53DC-47C5-B886-DDBD46E8E640@mnot.net>
Subject: Fwd: [apps-discuss] Fwd: WG Review: Web Security (websec)
Archived-At: <http://www.w3.org/mid/651A3E8C-53DC-47C5-B886-DDBD46E8E640@mnot.net>
In case you haven't seen it...

Begin forwarded message:

> From: Peter Saint-Andre <stpeter@stpeter.im>
> Date: 29 September 2010 3:47:59 AM AEST
> To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
> Subject: [apps-discuss] Fwd: WG Review: Web Security (websec)
>
> FYI.
>
> -------- Original Message --------
> Subject: WG Review: Web Security (websec)
> Date: Tue, 28 Sep 2010 10:15:06 -0700 (PDT)
> From: IESG Secretary <iesg-secretary@ietf.org>
> Reply-To: iesg@ietf.org
> To: ietf-announce@ietf.org
> CC: hasmat@ietf.org
>
> A new IETF working group has been proposed in the Applications Area. The
> IESG has not made any determination as yet. The following draft charter
> was submitted, and is provided for informational purposes only. Please
> send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday,
> October 5, 2010.
>
> Web Security (websec)
> ---------------------------------------------
> Status: Proposed Working Group
> Last updated: 2010-09-23
>
> Chair(s)
> Tobias Gondrom <tobias.gondrom@gondrom.org>
>
> Applications Area Directors:
> Alexey Melnikov <alexey.melnikov@isode.com>
> Peter Saint-Andre <stpeter@stpeter.im>
>
> Applications Area Advisor:
> Peter Saint-Andre <stpeter@stpeter.im>
>
> Security Area Advisor:
> Sean Turner <turners@ieca.com>
>
> Mailing Lists:
> General Discussion: hasmat@ietf.org
> To Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>
> Archive: <http://www.ietf.org/mail-archive/web/hasmat/>
> [to be changed to websec@ietf.org if approved]
>
> Problem Statement
>
> Although modern Web applications are built on top of HTTP, they provide
> rich functionality and have requirements beyond the original vision of
> static web pages. HTTP, and the applications built on it, have evolved
> organically. Over the past few years, we have seen a proliferation of
> AJAX-based web applications (AJAX being shorthand for asynchronous
> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
> on so-called Web 2.0 technologies. These applications bring both
> luscious eye-candy and convenient functionality, e.g. social networking,
> to their users, making them quite compelling. At the same time, we are
> seeing an increase in attacks against these applications and their
> underlying technologies.
>
> The list of attacks is long and includes Cross-Site-Request Forgery
> (CSRF)-based attacks, content-sniffing, cross-site-scripting (XSS)
> attacks, attacks against browsers supporting anti-XSS policies,
> clickjacking attacks, malvertising attacks, as well as man-in-the-middle
> (MITM) attacks against "secure" (e.g. Transport Layer Security
> (TLS/SSL)-based) web sites along with distribution of the tools to carry
> out such attacks (e.g. sslstrip).
>
> Objectives and Scope
>
> With the arrival of new attacks, the introduction of new web security
> indicators, security techniques, and policy communication mechanisms
> have been sprinkled throughout the various layers of the Web and HTTP.
>
> The goal of this working group is to compose an overall "problem
> statement and requirements" document derived from surveying the
> issues outlined in the above section ([1] provides a starting point).
> The requirements guiding the work will be taken from the Web
> application and Web security communities. The scope of this document
> is HTTP applications security, but does not include HTTP authentication,
> nor internals of transport security which are addressed by other working
> groups (although it may make reference to transport security as an
> available security "primitive"). See the "Out of Scope" section, below.
>
> Additionally, the WG will standardize a small number of selected
> specifications that have proven to improve security of Internet
> Web applications. Initial work will be the following topics:
>
> - Same origin policy, as discussed in draft-abarth-origin
>   (see also Appendices A and B, below)
>
> - HTTP Strict transport security, as discussed in
>   draft-hodges-strict-transport-sec
>
> - Media type sniffing, as discussed in draft-abarth-mime-sniff
>
> This working group will work closely with IETF Apps Area WGs (such as
> HYBI, HTTPstate, and HTTPbis), as well as appropriate W3C working
> group(s) (e.g. HTML, WebApps).
>
> Out of Scope
>
> As noted in the objectives and scope (above), this working group's
> scope does not include working on HTTP Authentication nor underlying
> transport (secure or not) topics. So, for example, these items are
> out-of-scope for this WG:
>
> - Replacements for BASIC and DIGEST authentication
>
> - New transports (e.g. SCTP and the like)
>
> Deliverables
>
> 1. A document illustrating the security problems Web applications are
>    facing and listing design requirements. This document shall be
>    Informational.
>
> 2. A selected set of technical specifications documenting deployed
>    HTTP-based Web security solutions. These documents shall be Standards
>    Track.
>
> Goals and Milestones
>
> Oct 2010  Submit "HTTP Application Security Problem Statement and
>           Requirements" as initial WG item.
>
> Oct 2010  Submit "Media Type Sniffing" as initial WG item.
>
> Oct 2010  Submit "Web Origin Concept" as initial WG item.
>
> Oct 2010  Submit "Strict Transport Security" as initial WG item.
>
> Feb 2011  Submit "HTTP Application Security Problem Statement and
>           Requirements" to the IESG for consideration as an
>           Informational RFC.
>
> Mar 2011  Submit "Media Type Sniffing" to the IESG for consideration
>           as a Standards Track RFC.
>
> Mar 2011  Submit "Web Origin Concept" to the IESG for consideration as
>           a Standards Track RFC.
>
> Mar 2011  Submit "Strict Transport Security" to the IESG for
>           consideration as a Standards Track RFC.
>
> Apr 2011  Possible re-chartering
>
> References
>
> [1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
>     Framework", W2SP position paper, 2010.
>     http://w2spconf.com/2010/papers/p11.pdf
>
> Appendices
>
> A. Relationship between origin work in IETF WebSec and W3C HTML WG
>
> draft-abarth-origin defines the nuts-and-bolts of working with
> origins (computing them from URIs, comparing them to each other, etc).
> HTML5 defines HTML-specific usage of origins. For example, when
> making an HTTP request, HTML5 defines how to compute which origin
> among all the origins rendering HTML is the one responsible for making
> the request. draft-abarth-origin then takes that origin, serializes
> it to a string, and shoves it in a header.
>
> B. Origin work may yield two specifications
>
> There also seems to be demand for a document that describes the
> same-origin security model overall. However, it seems like that
> document ought to be more informative rather than normative. The
> working group may split draft-abarth-origin into separate informative
> and standards track specifications, the former describing same-origin
> security model, and the latter specifying the nuts-and-bolts of working
> with origins (computing them from URLs, comparing them to each other,
> etc).
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham
http://www.mnot.net/
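Appendix A of the forwarded charter describes draft-abarth-origin as the nuts-and-bolts of computing an origin from a URI, comparing origins, and serializing one into a header. The Python below is an added example written for this archive page; it is not code from the charter, from draft-abarth-origin or from any of the groups named. It implements that scheme/host/port model (http on 80, https on 443 as the defaults, an opaque origin serialized as "null" for anything without a host) and, going one step beyond the appendix, shows the server-side Origin-header allow-list check a site can apply to state-changing requests as one mitigation for the CSRF case the problem statement lists. The function names (`origin_of`, `same_origin`, `serialize_origin`, `request_allowed`) and the sample URLs are my own assumptions.

```python
"""Computing, comparing and serializing web origins (added example, not charter text)."""
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Default ports for the two schemes this example handles.
DEFAULT_PORTS = {"http": 80, "https": 443}


class Origin(NamedTuple):
    """An origin is the (scheme, host, port) triple; path, query and fragment play no part."""
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Optional[Origin]:
    """Compute the origin of a URL.

    Returns None for the opaque ("null") origin: a scheme this example does not
    know (data:, file: ...), a missing host, or an unparsable port. Returning a
    sentinel rather than raising lets callers treat "no origin" as "matches nothing".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit lower-cases it and strips IPv6 brackets
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port  # None when absent, ValueError when not numeric
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return Origin(scheme, host, port)


def same_origin(a: Optional[Origin], b: Optional[Origin]) -> bool:
    """Scheme, host and port must all agree; an opaque origin never matches, not even itself."""
    return a is not None and b is not None and a == b


def serialize_origin(origin: Optional[Origin]) -> str:
    """ASCII form as carried in an Origin header: scheme://host[:port], or "null".

    The port is omitted when it is the scheme's default, and an IPv6 literal is
    re-bracketed, so two URLs of the same origin always serialize identically.
    """
    if origin is None:
        return "null"
    host = f"[{origin.host}]" if ":" in origin.host else origin.host
    if origin.port == DEFAULT_PORTS[origin.scheme]:
        return f"{origin.scheme}://{host}"
    return f"{origin.scheme}://{host}:{origin.port}"


def request_allowed(origin_header: Optional[str], allowed: set) -> bool:
    """Defender-side check of a state-changing request's Origin header (hypothetical helper).

    A missing or "null" Origin is rejected, and both sides are re-serialized so
    that letter case or an explicit default port cannot defeat the comparison.
    """
    if not origin_header or origin_header.strip() == "null":
        return False
    canonical_allowed = {serialize_origin(origin_of(a)) for a in allowed} - {"null"}
    return serialize_origin(origin_of(origin_header.strip())) in canonical_allowed


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("HTTP://Example.COM:80/a?b=c#d", "https://example.com:8443/x",
                "http://[::1]:8080/", "data:text/html,hi"):
        print(f"{url:35} -> {serialize_origin(origin_of(url))}")
    print(request_allowed("HTTPS://APP.EXAMPLE:443", {"https://app.example"}))
```

`origin_of` deliberately returns a sentinel instead of raising on bad input: a server that turns a malformed Origin header into an exception has an easy denial-of-service lever, whereas one that maps it to the opaque origin simply refuses the request.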