[hybi] HTTP Application Security (HAS) BoF

Peter Saint-Andre <stpeter@stpeter.im> Wed, 02 June 2010 14:12 UTC

Message-ID: <4C0666A1.8070308@stpeter.im>
Date: Wed, 02 Jun 2010 08:11:45 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Cc: "hybi@ietf.org" <hybi@ietf.org>, "Adam Barth (abarth@eecs.berkeley.edu)" <abarth@eecs.berkeley.edu>, Discuss HTTP State Management Mechanism <http-state@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, Andy Steingruebl <asteingruebl@paypal.com>, Thomas Roessler <tlr@w3.org>, Brandon Sterne <bsterne@mozilla.com>, Sid Stamm <sid@mozilla.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: [hybi] HTTP Application Security (HAS) BoF

I've received a proposal to hold a birds of a feather (BoF) session at
IETF 78 in Maastricht on the topic of HTTP Application Security.  A
draft charter and agenda can be found below.  Please discuss on the
apps-discuss@ietf.org list:

https://www.ietf.org/mailman/listinfo/apps-discuss

/psa

###

Charter for HTTP Application Security (HAS) WG

Problem Statement

Although modern Web applications are built on top of HTTP, they provide
rich functionality and have requirements beyond the original vision of
static web pages.  HTTP, and the applications built on it, have evolved
organically.  Over the past few years, we have seen a proliferation of
AJAX-based web applications (AJAX being shorthand for asynchronous
JavaScript and XML), as well as Rich Internet Applications (RIAs), based
on so-called Web 2.0 technologies.  These applications bring both
luscious eye-candy and convenient functionality, e.g. social networking,
to their users, making them quite compelling.  At the same time, we are
seeing an increase in attacks against these applications and their
underlying technologies.

The list of attacks is long and includes Cross-Site Request Forgery
(CSRF) attacks, content-sniffing cross-site scripting (XSS) attacks,
attacks against browsers that support anti-XSS policies, clickjacking
attacks, and malvertising attacks, as well as man-in-the-middle (MITM)
attacks against "secure" (e.g. Transport Layer Security (TLS/SSL)-based)
web sites, along with the distribution of tools to carry out such
attacks (e.g. sslstrip).

Objectives

With the arrival of new attacks, new web security indicators, security
techniques, and policy communication mechanisms have been sprinkled
throughout the various layers of the Web and HTTP.

The goal of this working group is to standardize a small number of
selected specifications that have proven to improve security of Internet
Web applications. The requirements guiding the work will be taken from
the Web application and Web security communities.  Initial work will be
limited to the following topics:

   - Media type sniffing, as discussed in draft-abarth-mime-sniff
   - Same origin policy, as discussed in draft-abarth-origin (expired)
   - Strict transport security, as discussed in
     draft-hodges-stricttransportsec (to be submitted shortly)

This working group will work closely with IETF Apps Area WGs (such as
HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).

Deliverables

1. A document illustrating the security problems Web applications are
facing and listing design requirements.  This document shall be
Informational.

2. A selected set of technical specifications documenting deployed
HTTP-based Web security solutions.  These documents shall be Standards
Track.

Goals and Milestones

Oct 2010    Submit "HTTP Application Security Problem Statement and
            Requirements" as initial WG item.
Oct 2010    Submit "Media Type Sniffing" as initial WG item.
Oct 2010    Submit "Web Origin Concept" as initial WG item.
Oct 2010    Submit "Strict Transport Security" as initial WG item.
Feb 2011    Submit "HTTP Application Security Problem Statement and
            Requirements" to the IESG for consideration as an
            Informational RFC.
Mar 2011    Submit "Media Type Sniffing" to the IESG for consideration
            as a Standards Track RFC.
Mar 2011    Submit "Web Origin Concept" to the IESG for consideration as
            a Standards Track RFC.
Mar 2011    Submit "Strict Transport Security" to the IESG for
            consideration as a Standards Track RFC.
Apr 2011    Possible re-chartering

###

Agenda for HTTP Application Security (HAS) BoF, IETF 78

Chairs: Hannes Tschofenig and Jeff Hodges (to be finalized)

5 min   Agenda bashing (Chairs)

10 min  Description of the problem space (TBD)

20 min  Motivation for standardizing (TBD)
        draft-abarth-mime-sniff
        draft-abarth-origin
        draft-hodges-stricttransportsec

15 min  Presentation of charter text (TBD)

60 min  Discussion of charter text and choice of the initial
        specifications (All)

10 min  Conclusion (Chairs/ADs)

###