Re: [keyassure] Fwd: WG Review: Web Security (websec)
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Tue, 28 September 2010 18:22 UTC
Return-Path: <jwkckid1@ix.netcom.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A346A3A6D80 for <keyassure@core3.amsl.com>; Tue, 28 Sep 2010 11:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.63
X-Spam-Level:
X-Spam-Status: No, score=-1.63 tagged_above=-999 required=5 tests=[AWL=0.969, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q416HS9D9j55 for <keyassure@core3.amsl.com>; Tue, 28 Sep 2010 11:22:52 -0700 (PDT)
Received: from elasmtp-masked.atl.sa.earthlink.net (elasmtp-masked.atl.sa.earthlink.net [209.86.89.68]) by core3.amsl.com (Postfix) with ESMTP id A2F503A6CB9 for <keyassure@ietf.org>; Tue, 28 Sep 2010 11:22:52 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=MViTSnv0v23SCsnx7i1kEqJtM3agwX+JBBWaT6z+V8P/0wfNBDcu8jQt5oGLF8S/; h=Message-ID:Date:From:Reply-To:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [209.86.224.37] (helo=elwamui-karabash.atl.sa.earthlink.net) by elasmtp-masked.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <jwkckid1@ix.netcom.com>) id 1P0epx-0000VM-Um; Tue, 28 Sep 2010 14:23:33 -0400
Received: from 99.93.224.206 by webmail.earthlink.net with HTTP; Tue, 28 Sep 2010 14:23:33 -0400
Message-ID: <11525266.1285698213923.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>
Date: Tue, 28 Sep 2010 13:23:33 -0500
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, keyassure@ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e5196068811cacc8d52dd48ec50907fc325946254350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 209.86.224.37
Subject: Re: [keyassure] Fwd: WG Review: Web Security (websec)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 18:22:54 -0000
Paul and all,

This is good stuff and a necessary WG IMPO. BTW, whoever wrote this up did a bang-up job! >:)

-----Original Message-----
>From: Paul Hoffman <paul.hoffman@vpnc.org>
>Sent: Sep 28, 2010 12:28 PM
>To: keyassure@ietf.org
>Subject: [keyassure] Fwd: WG Review: Web Security (websec)
>
>This is of interest to this still-not-yet-a-Working-Group, including at least one of the three documents listed in the middle of the proposed charter.
>
>>A new IETF working group has been proposed in the Applications Area. The
>>IESG has not made any determination as yet. The following draft charter
>>was submitted, and is provided for informational purposes only. Please
>>send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday,
>>October 5, 2010.
>>
>>Web Security (websec)
>>---------------------------------------------
>>Status: Proposed Working Group
>>Last updated: 2010-09-23
>>
>>Chairs(s)
>> Tobias Gondrom <tobias.gondrom@gondrom.org>
>>
>>Applications Area Directors:
>> Alexey Melnikov <alexey.melnikov@isode.com>
>> Peter Saint-Andre <stpeter@stpeter.im>
>>
>>Applications Area Advisor:
>> Peter Saint-Andre <stpeter@stpeter.im>
>>
>>Security Area Advisor:
>> Sean Turner <turners@ieca.com>
>>
>>Mailing Lists:
>> General Discussion: hasmat@ietf.org
>> To Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>
>> Archive: <http://www.ietf.org/mail-archive/web/hasmat/>
>> [to be changed to websec@ietf.org if approved]
>>
>>Problem Statement
>>
>>Although modern Web applications are built on top of HTTP, they provide
>>rich functionality and have requirements beyond the original vision of
>>static web pages. HTTP, and the applications built on it, have evolved
>>organically. Over the past few years, we have seen a proliferation of
>>AJAX-based web applications (AJAX being shorthand for asynchronous
>>JavaScript and XML), as well as Rich Internet Applications (RIAs), based
>>on so-called Web 2.0 technologies. These applications bring both
>>luscious eye-candy and convenient functionality, e.g. social networking,
>>to their users, making them quite compelling. At the same time, we are
>>seeing an increase in attacks against these applications and their
>>underlying technologies.
>>
>>The list of attacks is long and includes Cross-Site-Request Forgery
>>(CSRF)-based attacks, content-sniffing, cross-site-scripting (XSS)
>>attacks, attacks against browsers supporting anti-XSS policies,
>>clickjacking attacks, malvertising attacks, as well as man-in-the-middle
>>(MITM) attacks against "secure" (e.g. Transport Layer Security
>>(TLS/SSL)-based) web sites along with distribution of the tools to carry
>>out such attacks (e.g. sslstrip).
>>
>>Objectives and Scope
>>
>>With the arrival of new attacks the introduction of new web security
>>indicators, security techniques, and policy communication mechanisms
>>have sprinkled throughout the various layers of the Web and HTTP.
>>
>>The goal of this working group is to compose an overall "problem
>>statement and requirements" document derived from surveying the
>>issues outlined in the above section ([1] provides a starting point).
>>The requirements guiding the work will be taken from the Web
>>application and Web security communities. The scope of this document
>>is HTTP applications security, but does not include HTTP authentication,
>>nor internals of transport security which are addressed by other working
>>groups (although it may make reference to transport security as an
>>available security "primitive"). See the "Out of Scope" section, below.
>>
>>Additionally, the WG will standardize a small number of selected
>>specifications that have proven to improve security of Internet
>>Web applications. Initial work will be the following topics:
>>
>> - Same origin policy, as discussed in draft-abarth-origin
>> (see also Appendices A and B, below)
>>
>> - HTTP Strict transport security, as discussed in
>> draft-hodges-strict-transport-sec
>>
>> - Media type sniffing, as discussed in draft-abarth-mime-sniff
>>
>>This working group will work closely with IETF Apps Area WGs (such as
>>HYBI, HTTPstate, and HTTPbis), as well as appropriate W3C working
>>group(s) (e.g. HTML, WebApps).
>>
>>Out of Scope
>>
>>As noted in the objectives and scope (above), this working group's
>>scope does not include working on HTTP Authentication nor underlying
>>transport (secure or not) topics. So, for example, these items are
>>out-of-scope for this WG:
>>
>> - Replacements for BASIC and DIGEST authentication
>>
>> - New transports (e.g. SCTP and the like)
>>
>>Deliverables
>>
>>1. A document illustrating the security problems Web applications are
>>facing and listing design requirements. This document shall be
>>Informational.
>>
>>2. A selected set of technical specifications documenting deployed
>>HTTP-based Web security solutions. These documents shall be Standards
>>Track.
>>
>>Goals and Milestones
>>
>>Oct 2010 Submit "HTTP Application Security Problem Statement and
>> Requirements" as initial WG item.
>>
>>Oct 2010 Submit "Media Type Sniffing" as initial WG item.
>>
>>Oct 2010 Submit "Web Origin Concept" as initial WG item.
>>
>>Oct 2010 Submit "Strict Transport Security" as initial WG item.
>>
>>Feb 2011 Submit "HTTP Application Security Problem Statement and
>> Requirements" to the IESG for consideration as an
>> Informational RFC.
>>
>>Mar 2011 Submit "Media Type Sniffing" to the IESG for consideration
>> as a Standards Track RFC.
>>
>>Mar 2011 Submit "Web Origin Concept" to the IESG for consideration as
>> a Standards Track RFC.
>>
>>Mar 2011 Submit "Strict Transport Security" to the IESG for
>> consideration as a Standards Track RFC.
>>
>>Apr 2011 Possible re-chartering
>>
>>References
>>
>>[1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
>>Framework", W2SP position paper, 2010.
>>http://w2spconf.com/2010/papers/p11.pdf
>>
>>Appendices
>>
>>A. Relationship between origin work in IETF WebSec and W3C HTML WG
>>
>>draft-abarth-origin defines the nuts-and-bolts of working with
>>origins (computing them from URIs, comparing them to each other, etc).
>>HTML5 defines HTML-specific usage of origins. For example, when
>>making an HTTP request, HTML5 defines how to compute which origin
>>among all the origins rendering HTML is the one responsible for making
>>the request. draft-abarth-origin then takes that origin, serializes
>>it to a string, and shoves it in a header.
>>
>>B. Origin work may yield two specifications
>>
>>There also seems to be demand for a document that describes the
>>same-origin security model overall. However, it seems like that
>>document ought to be more informative rather than normative. The
>>working group may split draft-abarth-origin into separate informative
>>and standards track specifications, the former describing same-origin
>>security model, and the latter specifying the nuts-and-bolts of working
>>with origins (computing them from URLs, comparing them to each other,
>>etc).
>
>_______________________________________________
>keyassure mailing list
>keyassure@ietf.org
>https://www.ietf.org/mailman/listinfo/keyassure

Regards,

Jeffrey A. Williams
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827
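The charter's Appendix A describes the origin work as "computing them from URIs, comparing them to each other" and serialising an origin "to a string" for a header. The following is an added example (not text from the charter, from draft-abarth-origin, or from anyone on this thread) that carries those three steps through in JavaScript: an origin is taken to be the (scheme, host, port) triple of a URI, two URIs are same-origin only when all three match, and the triple is serialised for an Origin request header. The default-port table, the treatment of schemes without an authority (such as data:) as opaque origins that serialise to "null", and the `originAllowed` check a CSRF-protected endpoint could run on a received Origin header are assumptions of this example, based on how browsers behave, not on anything the charter specifies. It uses Node's built-in WHATWG `URL` parser.

```javascript
// Added example, not part of the original message or of draft-abarth-origin.
// Computes, compares and serialises web origins as (scheme, host, port).

// Assumed default-port table for the schemes this example understands.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443, "ftp:": 21 };

// Returns the origin triple for a URI string, or null for an opaque origin
// (no authority component, e.g. data: or about:, or unparseable input).
function originOf(uri) {
  let u;
  try {
    u = new URL(uri); // WHATWG parsing lowercases the scheme and host
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS) || u.hostname === "") {
    return null; // assumption: no authority means a unique, opaque origin
  }
  // The parser drops a port equal to the scheme default, so restore it.
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Two origins are the same only when scheme, host and port all match.
// An opaque origin is never the same as anything, not even itself.
function sameOrigin(a, b) {
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Serialises an origin for the Origin header: scheme "://" host, with the
// port appended only when it differs from the scheme default. Opaque
// origins serialise to the literal string "null".
function serializeOrigin(o) {
  if (o === null) return "null";
  const portPart = o.port === DEFAULT_PORTS[o.scheme + ":"] ? "" : ":" + o.port;
  return `${o.scheme}://${o.host}${portPart}`;
}

// The Origin header value a document at `documentUri` would send when it
// issues a request to `targetUri`, plus whether that request crosses an
// origin boundary (the case that CSRF defences need to notice).
function originHeaderFor(documentUri, targetUri) {
  const src = originOf(documentUri);
  const dst = originOf(targetUri);
  return { origin: serializeOrigin(src), crossOrigin: !sameOrigin(src, dst) };
}

// Server-side check (hypothetical helper) for a state-changing endpoint:
// accept a request only when its Origin header, re-parsed as an origin,
// exactly matches one of the site's own origins. A missing header or the
// opaque value "null" is rejected rather than trusted.
function originAllowed(headerValue, allowedOrigins) {
  if (typeof headerValue !== "string" || headerValue === "null") return false;
  const parsed = originOf(headerValue);
  return allowedOrigins.some((allowed) => sameOrigin(parsed, originOf(allowed)));
}

// Constructed sample inputs; run with `node origin-example.js` to see them.
if (typeof require !== "undefined" && require.main === module) {
  console.log(serializeOrigin(originOf("HTTP://Example.COM:80/a/b?c"))); // http://example.com
  console.log(originHeaderFor("https://app.example/", "https://api.example/x"));
  console.log(originAllowed("https://app.example", ["https://app.example"]));
}
```

The two points worth noticing are that the port is part of the triple even when the URI omits it (so `http://example.com` and `http://example.com:80` compare equal, while `http://example.com:8080` does not), and that the receiving side should compare parsed origins rather than raw header strings, so that case or trailing-slash differences cannot produce a false match or a false mismatch.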