[hybi] WebSocket and HASMAT (was>:IETF BoF @IETF-78 Maastricht: HASMAT - HTTP Application Security Minus Authentication and Transport)

Salvatore Loreto <salvatore.loreto@ericsson.com> Thu, 10 June 2010 07:04 UTC

Message-ID: <4C108E92.7080507@ericsson.com>
Date: Thu, 10 Jun 2010 10:04:50 +0300
From: Salvatore Loreto <salvatore.loreto@ericsson.com>
To: hybi@ietf.org
References: <4C1019AB.3050705@KingsMountain.com>
In-Reply-To: <4C1019AB.3050705@KingsMountain.com>

Hi there,

the HASMAT BoF is really important for HyBi, and I encourage all the people
interested and involved in the WebSocket protocol design to participate in the
BoF and become involved in the HASMAT mailing list discussion.

Among other things:

- HASMAT is related to Issue 3, which we currently have in the issue tracker:
http://trac.tools.ietf.org/wg/hybi/trac/ticket/3

- and it is also related to the security requirements we have in the
requirements draft:
http://tools.ietf.org/html/draft-ietf-hybi-websocket-requirements-00#section-3.4
and in particular to the following one:

    REQ. 19:  WebSocket should be designed to be robust against cross-
       protocol attacks.  The protocol design should consider and
       mitigate the risk presented by WebSocket clients to existing
       servers (including HTTP servers).  It should also consider and
       mitigate the risk to WebSocket servers presented by clients for
       other protocols (including HTTP).


cheers
/Sal

On 6/10/10 1:46 AM, =JeffH wrote:
> Hi,
>
> We will be hosting the "HTTP Application Security Minus Authentication and
> Transport (HASMAT)" Birds-of-a-Feather (BoF) session at IETF-78 in Maastricht
> NL during the week of July 25-30, 2010  (see [0] for mailing list).
>
> The purpose of IETF BoFs is to determine whether there is a problem worth
> solving, and whether the IETF is the right group to solve it. To that end, the
> problem statement is summarized below in the Draft HASMAT Working Group
> Charter, and is drawn from this paper [1].
>
> Various facets of this work are already underway, as outlined below in the
> draft WG charter, e.g. Strict Transport Security (STS) [2].
>
> Of course the scope of "HTTP application security" is quite broad (as outlined
> in [1]), thus the intent is to coordinate this work closely with related work
> likely to land in the W3C (and possibly other orgs), e.g. Content Security
> Policy (CSP) [3].
>
> We have created a public mailing list [0] for pre-BoF discussion --
> hasmat@ietf.org -- to which you can freely subscribe here:
> <https://www.ietf.org/mailman/listinfo/hasmat>
>
> We encourage all interested parties to join the hasmat@ mailing list and engage
> in the on-going discussion there.
>
> thanks,
>
> =JeffH             (current IETF HTTPstate WG chair)
> Peter Saint-Andre  (IETF Applications Area Director)
> Hannes Tschofenig  (IAB, IETF WG chair)
> ----------------------------------------------------
>
> [0] HASMAT mailing list.
> https://www.ietf.org/mailman/listinfo/hasmat
>
> [1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
> Framework", W2SP position paper, 2010.
> http://w2spconf.com/2010/papers/p11.pdf
>
> [2] Hodges, Jackson, and Barth, "Strict Transport Security (STS)",
> revision -06.
> http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html
>
>
> see also: http://en.wikipedia.org/wiki/Strict_Transport_Security
>
>
> [3] Sterne and Stamm, "Content Security Policy (CSP)".
> https://wiki.mozilla.org/Security/CSP/Specification
> see also: http://people.mozilla.org/~bsterne/content-security-policy/
>             https://wiki.mozilla.org/Security/CSP/Design_Considerations
>
>
> ###
>
> Proposed HASMAT BoF agenda
> --------------------------
>
> Chairs: Hannes Tschofenig and Jeff Hodges
>
> 5 min   Agenda bashing (Chairs)
>
> 10 min  Description of the problem space (TBD)
>
> 20 min  Motivation for standardizing (TBD)
>           draft-abarth-mime-sniff
>           draft-abarth-origin
>           draft-hodges-stricttransportsec (to-be-submitted)
>
> 15 min  Presentation of charter text (TBD)
>
> 60 min  Discussion of charter text and choice of the initial
> specifications (All)
>
> 10 min  Conclusion (Chairs/ADs)
>
>
>
> ###
>
> Draft Charter for HASMAT:
>
>      HTTP Application Security Minus Authentication and Transport WG
>
>
> Problem Statement
>
> Although modern Web applications are built on top of HTTP, they provide
> rich functionality and have requirements beyond the original vision of
> static web pages.  HTTP, and the applications built on it, have evolved
> organically.  Over the past few years, we have seen a proliferation of
> AJAX-based web applications (AJAX being shorthand for asynchronous
> JavaScript and XML), as well as Rich Internet Applications (RIAs), based
> on so-called Web 2.0 technologies.  These applications bring both
> luscious eye-candy and convenient functionality, e.g. social networking,
> to their users, making them quite compelling.  At the same time, we are
> seeing an increase in attacks against these applications and their
> underlying technologies.
>
> The list of attacks is long and includes Cross-Site-Request Forgery
> (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)
> attacks, attacks against browsers supporting anti-XSS policies,
> clickjacking attacks, malvertising attacks, as well as man-in-the-middle
> (MITM) attacks against "secure" (e.g. Transport Layer Security
> (TLS/SSL)-based) web sites along with distribution of the tools to carry
> out such attacks (e.g. sslstrip).
>
>
> Objectives and Scope
>
> With the arrival of new attacks, the introduction of new web security
> indicators, security techniques, and policy communication mechanisms
> has been sprinkled throughout the various layers of the Web and HTTP.
>
> The goal of this working group is to standardize a small number of
> selected specifications that have proven to improve security of Internet
> Web applications. The requirements guiding the work will be taken from
> the Web application and Web security communities.  Initial work will be
> limited to the following topics:
>
>      - Same origin policy, as discussed in draft-abarth-origin
>
>      - Strict transport security, as discussed in
>        draft-hodges-stricttransportsec (to be submitted shortly)
>
>      - Media type sniffing, as discussed in draft-abarth-mime-sniff
>
> In addition, this working group will consider the overall topic of HTTP
> application security and compose a "problem statement and requirements"
> document that can be used to guide further work.
>
> This working group will work closely with IETF Apps Area WGs (such as
> HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
>
>
> Out of Scope
>
> As noted in this working group's title, this working group's scope does
> not include working on HTTP Authentication nor underlying transport
> (secure or not) topics. So, for example, these items are out-of-scope
> for this WG:
>
>      - Replacements for BASIC and DIGEST authentication
>
>      - New transports (e.g. SCTP and the like)
>
>
> Deliverables
>
> 1. A document illustrating the security problems Web applications are
> facing and listing design requirements.  This document shall be
> Informational.
>
> 2. A selected set of technical specifications documenting deployed
> HTTP-based Web security solutions.
> These documents shall be Standards Track.
>
>
> Goals and Milestones
>
> Oct 2010    Submit "HTTP Application Security Problem Statement and
>               Requirements" as initial WG item.
>
> Oct 2010    Submit "Media Type Sniffing" as initial WG item.
>
> Oct 2010    Submit "Web Origin Concept" as initial WG item.
>
> Oct 2010    Submit "Strict Transport Security" as initial WG item.
>
> Feb 2011    Submit "HTTP Application Security Problem Statement and
>               Requirements" to the IESG for consideration as an
>               Informational RFC.
>
> Mar 2011    Submit "Media Type Sniffing" to the IESG for consideration
>               as a Standards Track RFC.
>
> Mar 2011    Submit "Web Origin Concept" to the IESG for consideration as
>               a Standards Track RFC.
>
> Mar 2011    Submit "Strict Transport Security" to the IESG for
>               consideration as a Standards Track RFC.
>
> Apr 2011    Possible re-chartering
>
>
>
> ###


-- 
Salvatore Loreto
www.sloreto.com
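As an added example of the server-side half of REQ. 19 (not code from this thread or from the hybi drafts): an opening-handshake validator that refuses clients speaking plain HTTP and browser pages from a foreign origin. It is written against the handshake that the later RFC 6455 standardized (Sec-WebSocket-Key/Accept, version 13), not the draft under discussion in 2010; the sample requests and the "Origin must be on an allow list" policy are constructed for illustration.

```python
import base64
import hashlib

# RFC 6455 handshake GUID: a real protocol constant, not taken from this page.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample requests: a proper WebSocket opening handshake (key taken
# from the RFC 6455 example), a plain HTTP GET, and a handshake from a foreign origin.
GOOD = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        b"Origin: http://example.com\r\nSec-WebSocket-Version: 13\r\n\r\n")
PLAIN_HTTP = b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\n\r\n"
FOREIGN = GOOD.replace(b"Origin: http://example.com", b"Origin: http://other.example")


def validate_handshake(raw, allowed_origins):
    """Return ("accept", response_bytes) or ("reject", reason); each check closes
    one way a non-WebSocket or cross-origin client could drive this server."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return "reject", "not an HTTP/1.1 GET request"
    h = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        h[name.strip().lower()] = value.strip()
    # A client speaking plain HTTP never sends the upgrade headers.
    if h.get("upgrade", "").lower() != "websocket":
        return "reject", "no Upgrade: websocket (plain HTTP client?)"
    if "upgrade" not in [t.strip().lower() for t in h.get("connection", "").split(",")]:
        return "reject", "Connection header does not request an upgrade"
    if h.get("sec-websocket-version") != "13":
        return "reject", "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        nonce_ok = len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        nonce_ok = False
    if not nonce_ok:
        return "reject", "Sec-WebSocket-Key is not a 16-byte base64 nonce"
    # Assumed policy: Origin is required and must be on the allow list, so a
    # page served by a foreign site cannot open a socket to this server.
    if h.get("origin") not in allowed_origins:
        return "reject", "origin %r not allowed" % h.get("origin")
    # Echoing the key through SHA-1 with the GUID proves the peer implements
    # the WebSocket handshake rather than some other protocol.
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    return "accept", ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                      "Connection: Upgrade\r\nSec-WebSocket-Accept: %s\r\n\r\n" % accept).encode()
```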