[hybi] IETF BoF @IETF-78 Maastricht: HASMAT - HTTP Application Security Minus Authentication and Transport

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 09 June 2010 22:46 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id E0DC53A6893 for <hybi@core3.amsl.com>; Wed, 9 Jun 2010 15:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.982
X-Spam-Status: No, score=-2.982 tagged_above=-999 required=5 tests=[AWL=-0.717, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id djRXb-+ZvM9l for <hybi@core3.amsl.com>; Wed, 9 Jun 2010 15:46:02 -0700 (PDT)
Received: from cpoproxy2-pub.bluehost.com (cpoproxy2-pub.bluehost.com []) by core3.amsl.com (Postfix) with SMTP id 7FF2D3A6803 for <hybi@ietf.org>; Wed, 9 Jun 2010 15:46:02 -0700 (PDT)
Received: (qmail 32728 invoked by uid 0); 9 Jun 2010 22:46:04 -0000
Received: from unknown (HELO box514.bluehost.com) ( by cpoproxy2.bluehost.com with SMTP; 9 Jun 2010 22:46:04 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=XTwUrzYD34eBUxHh9Jlezh/oCoeoz2Msxc32i19fugTiNAlmTzdoxd492+jILAXD2J3wjNhFbRQ2smNwSyCsvJvgl8zXE4jGQc1oXuWAVfmrEMnG5T0AZqArgPByvktQ;
Received: from outbound4.ebay.com ([] helo=[]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OMU28-0004zK-7K for hybi@ietf.org; Wed, 09 Jun 2010 16:46:04 -0600
Message-ID: <4C1019AB.3050705@KingsMountain.com>
Date: Wed, 09 Jun 2010 15:46:03 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird (X11/20100411)
MIME-Version: 1.0
To: IETF Hypertext Bidirectional WG <hybi@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth authed with jeff.hodges+kingsmountain.com}
Subject: [hybi] IETF BoF @IETF-78 Maastricht: HASMAT - HTTP Application Security Minus Authentication and Transport
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2010 22:46:04 -0000


We will be hosting the "HTTP Application Security Minus Authentication and
Transport (HASMAT)" Birds-of-a-Feather (BoF) session at IETF-78 in Maastricht
NL during the week of July 25-30, 2010  (see [0] for mailing list).

The purpose of IETF BoFs is to determine whether there is a problem worth
solving, and whether the IETF is the right group to solve it. To that end, the
problem statement is summarized below in the Draft HASMAT Working Group
Charter, and is drawn from this paper [1].

Various facets of this work are already underway, as outlined below in the
draft WG charter, e.g. Strict Transport Security (STS) [2].

Of course the scope of "HTTP application security" is quite broad (as outlined
in [1]), thus the intent is to coordinate this work closely with related work
likely to land in the W3C (and possibly other orgs), e.g. Content Security
Policy (CSP) [3].

We have created a public mailing list [0] for pre-BoF discussion --
hasmat@ietf.org -- to which you can freely subscribe here:

We encourage all interested parties to join the hasmat@ mailing list and engage
in the on-going discussion there.


=JeffH             (current IETF HTTPstate WG chair)
Peter Saint-Andre  (IETF Applications Area Director)
Hannes Tschofenig  (IAB, IETF WG chair)

[0] HASMAT mailing list.

[1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
Framework", W2SP position paper, 2010.

[2] Hodges, Jackson, and Barth, "Strict Transport Security (STS)",
revision -06.

see also: http://en.wikipedia.org/wiki/Strict_Transport_Security

[3] Sterne and Stamm, "Content Security Policy (CSP)".
see also: http://people.mozilla.org/~bsterne/content-security-policy/


Proposed HASMAT BoF agenda

Chairs: Hannes Tschofenig and Jeff Hodges

5 min   Agenda bashing (Chairs)

10 min  Description of the problem space (TBD)

20 min  Motivation for standardizing (TBD)
         draft-hodges-stricttransportsec (to-be-submitted)

15 min  Presentation of charter text (TBD)

60 min  Discussion of charter text and choice of the initial
specifications (All)

10 min  Conclusion (Chairs/ADs)


Draft Charter for HASMAT:

    HTTP Application Security Minus Authentication and Transport WG

Problem Statement

Although modern Web applications are built on top of HTTP, they provide
rich functionality and have requirements beyond the original vision of
static web pages.  HTTP, and the applications built on it, have evolved
organically.  Over the past few years, we have seen a proliferation of
AJAX-based web applications (AJAX being shorthand for asynchronous
JavaScript and XML), as well as Rich Internet Applications (RIAs), based
on so-called Web 2.0 technologies.  These applications bring both
luscious eye-candy and convenient functionality, e.g. social networking,
to their users, making them quite compelling.  At the same time, we are
seeing an increase in attacks against these applications and their
underlying technologies.

The list of attacks is long and includes Cross-Site-Request Forgery
(CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)
attacks, attacks against browsers supporting anti-XSS policies,
clickjacking attacks, malvertising attacks, as well as man-in-the-middle
(MITM) attacks against "secure" (e.g. Transport Layer Security
(TLS/SSL)-based) web sites along with distribution of the tools to carry
out such attacks (e.g. sslstrip).

Objectives and Scope

With the arrival of new attacks the introduction of new web security
indicators, security techniques, and policy communication mechanisms
have sprinkled throughout the various layers of the Web and HTTP.

The goal of this working group is to standardize a small number of
selected specifications that have proven to improve security of Internet
Web applications. The requirements guiding the work will be taken from
the Web application and Web security communities.  Initial work will be
limited to the following topics:

    - Same origin policy, as discussed in draft-abarth-origin

    - Strict transport security, as discussed in
      draft-hodges-stricttransportsec (to be submitted shortly)

    - Media type sniffing, as discussed in draft-abarth-mime-sniff

In addition, this working group will consider the overall topic of HTTP
application security and compose a "problem statement and requirements"
document that can be used to guide further work.

This working group will work closely with IETF Apps Area WGs (such as
HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).

Out of Scope

As noted in this working group's title, this working group's scope does
not include working on HTTP Authentication nor underlying transport
(secure or not) topics. So, for example, these items are out-of-scope
for this WG:

    - Replacements for BASIC and DIGEST authentication

    - New transports (e.g. SCTP and the like)


1. A document illustrating the security problems Web applications are
facing and listing design requirements.  This document shall be

2. A selected set of technical specifications documenting deployed
HTTP-based Web security solutions.
These documents shall be Standards Track.

Goals and Milestones

Oct 2010    Submit "HTTP Application Security Problem Statement and
             Requirements" as initial WG item.

Oct 2010    Submit "Media Type Sniffing" as initial WG item.

Oct 2010    Submit "Web Origin Concept" as initial WG item.

Oct 2010    Submit "Strict Transport Security" as initial WG item.

Feb 2011    Submit "HTTP Application Security Problem Statement and
             Requirements" to the IESG for consideration as an
             Informational RFC.

Mar 2011    Submit "Media Type Sniffing" to the IESG for consideration
             as a Standards Track RFC.

Mar 2011    Submit "Web Origin Concept" to the IESG for consideration as
             a Standards Track RFC.

Mar 2011    Submit "Strict Transport Security" to the IESG for
             consideration as a Standards Track RFC.

Apr 2011    Possible re-chartering