[keyassure] Fwd: WG Review: Web Security (websec)
Paul Hoffman <paul.hoffman@vpnc.org> Tue, 28 September 2010 17:27 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 11BDD3A6CB9 for <keyassure@core3.amsl.com>; Tue, 28 Sep 2010 10:27:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.34
X-Spam-Level:
X-Spam-Status: No, score=-101.34 tagged_above=-999 required=5 tests=[AWL=0.706, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WTXpcadrMBqt for <keyassure@core3.amsl.com>; Tue, 28 Sep 2010 10:27:22 -0700 (PDT)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 70FF63A6B6C for <keyassure@ietf.org>; Tue, 28 Sep 2010 10:27:22 -0700 (PDT)
Received: from [10.20.30.163] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o8SHS1da089308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <keyassure@ietf.org>; Tue, 28 Sep 2010 10:28:03 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240804c8c7d5abe4d3@[10.20.30.163]>
Date: Tue, 28 Sep 2010 10:28:00 -0700
To: keyassure@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Subject: [keyassure] Fwd: WG Review: Web Security (websec)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 17:27:24 -0000
This is of interest to this still-not-yet-a-Working-Group, including at least one of the three documents listed in the middle of the proposed charter. >A new IETF working group has been proposed in the Applications Area. The >IESG has not made any determination as yet. The following draft charter >was submitted, and is provided for informational purposes only. Please >send your comments to the IESG mailing list (iesg@ietf.org) by Tuesday, >October 5, 2010. > >Web Security (websec) >--------------------------------------------- >Status: Proposed Working Group >Last updated: 2010-09-23 > >Chairs(s) > Tobias Gondrom <tobias.gondrom@gondrom.org> > >Applications Area Directors: > Alexey Melnikov <alexey.melnikov@isode.com> > Peter Saint-Andre <stpeter@stpeter.im> > >Applications Area Advisor: > Peter Saint-Andre <stpeter@stpeter.im> > >Security Area Advisor: > Sean Turner <turners@ieca.com> > >Mailing Lists: > General Discussion: hasmat@ietf.org > To Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat> > Archive: <http://www.ietf.org/mail-archive/web/hasmat/> > [to be changed to websec@ietf.org if approved] > >Problem Statement > >Although modern Web applications are built on top of HTTP, they provide >rich functionality and have requirements beyond the original vision of >static web pages. HTTP, and the applications built on it, have evolved >organically. Over the past few years, we have seen a proliferation of >AJAX-based web applications (AJAX being shorthand for asynchronous >JavaScript and XML), as well as Rich Internet Applications (RIAs), based >on so-called Web 2.0 technologies. These applications bring both >luscious eye-candy and convenient functionality, e.g. social networking, >to their users, making them quite compelling. At the same time, we are >seeing an increase in attacks against these applications and their >underlying technologies. > >The list of attacks is long and includes Cross-Site-Request Forgery >(CSRF)-based attacks, content-sniffing, cross-site-scripting (XSS) >attacks, attacks against browsers supporting anti-XSS policies, >clickjacking attacks, malvertising attacks, as well as man-in-the-middle >(MITM) attacks against "secure" (e.g. Transport Layer Security >(TLS/SSL)-based) web sites along with distribution of the tools to carry >out such attacks (e.g. sslstrip). > >Objectives and Scope > >With the arrival of new attacks the introduction of new web security >indicators, security techniques, and policy communication mechanisms >have sprinkled throughout the various layers of the Web and HTTP. > >The goal of this working group is to compose an overall "problem >statement and requirements" document derived from surveying the >issues outlined in the above section ([1] provides a starting point). >The requirements guiding the work will be taken from the Web >application and Web security communities. The scope of this document >is HTTP applications security, but does not include HTTP authentication, >nor internals of transport security which are addressed by other working >groups (although it may make reference to transport security as an >available security "primitive"). See the "Out of Scope" section, below. > >Additionally, the WG will standardize a small number of selected >specifications that have proven to improve security of Internet >Web applications. Initial work will be the following topics: > > - Same origin policy, as discussed in draft-abarth-origin > (see also Appendices A and B, below) > > - HTTP Strict transport security, as discussed in > draft-hodges-strict-transport-sec > > - Media type sniffing, as discussed in draft-abarth-mime-sniff > >This working group will work closely with IETF Apps Area WGs (such as >HYBI, HTTPstate, and HTTPbis), as well as appropriate W3C working >group(s) (e.g. HTML, WebApps). > >Out of Scope > >As noted in the objectives and scope (above), this working group's >scope does not include working on HTTP Authentication nor underlying >transport (secure or not) topics. So, for example, these items are >out-of-scope for this WG: > > - Replacements for BASIC and DIGEST authentication > > - New transports (e.g. SCTP and the like) > >Deliverables > >1. A document illustrating the security problems Web applications are >facing and listing design requirements. This document shall be >Informational. > >2. A selected set of technical specifications documenting deployed >HTTP-based Web security solutions. These documents shall be Standards >Track. > >Goals and Milestones > >Oct 2010 Submit "HTTP Application Security Problem Statement and > Requirements" as initial WG item. > >Oct 2010 Submit "Media Type Sniffing" as initial WG item. > >Oct 2010 Submit "Web Origin Concept" as initial WG item. > >Oct 2010 Submit "Strict Transport Security" as initial WG item. > >Feb 2011 Submit "HTTP Application Security Problem Statement and > Requirements" to the IESG for consideration as an > Informational RFC. > >Mar 2011 Submit "Media Type Sniffing" to the IESG for consideration > as a Standards Track RFC. > >Mar 2011 Submit "Web Origin Concept" to the IESG for consideration as > a Standards Track RFC. > >Mar 2011 Submit "Strict Transport Security" to the IESG for > consideration as a Standards Track RFC. > >Apr 2011 Possible re-chartering > >References > >[1] Hodges and Steingruebl, "The Need for a Coherent Web Security Policy >Framework", W2SP position paper, 2010. >http://w2spconf.com/2010/papers/p11.pdf > >Appendices > >A. Relationship between origin work in IETF WebSec and W3C HTML WG > >draft-abarth-origin defines the nuts-and-bolts of working with >origins (computing them from URIs, comparing them to each other, etc). >HTML5 defines HTML-specific usage of origins. For example, when >making an HTTP request, HTML5 defines how to compute which origin >among all the origins rendering HTML is the one responsible for making >the request. draft-abarth-origin then takes that origin, serializes >it to a string, and shoves it in a header. > >B. Origin work may yield two specifications > >There also seems to be demand for a document that describes the >same-origin security model overall. However, it seems like that >document ought to be more informative rather than normative. The >working group may split draft-abarth-origin into separate informative >and standards track specifications, the former describing same-origin >security model, and the latter specifying the nuts-and-bolts of working >with origins (computing them from URLs, comparing them to each other, >etc).
- [keyassure] Fwd: WG Review: Web Security (websec) Paul Hoffman
- Re: [keyassure] Fwd: WG Review: Web Security (web… Jeffrey A. Williams