Re: [websec] Meeting minutes uploaded

=JeffH <> Wed, 14 November 2012 18:33 UTC

Date: Wed, 14 Nov 2012 10:33:04 -0800
From: =JeffH <>
To: IETF WebSec WG <>
List-Id: Web Application Security Minus Authentication and Transport <>

> I've uploaded the minutes. Please reply to this message for any corrections.
> The minutes are here:
> Thanks again to Cyrus for taking the notes.

thanks to Yoav & Cyrus for doin' up the minutes.

For convenience, here they are directly and in plain text...


WebSec Minutes

IETF-85 Atlanta
The WebSec working group met on Thursday, November 8th at 17:30 for 1 hour.

Cyrus Daboo scribed on Jabber (thanks, Cyrus!)

HSTS is now in the RFC Editor's queue, and should be published soon.
The chairs also reminded the participants of X-Frame-Options, which is
now in WGLC. We've had some good reviews, but more would be better.

Gordon Hemsley (not present) had taken on writing a mime-sniffing
document at WHAT-WG. This has been a charter item in WebSec, but we
have not done any work on this for over a year. The W3C has documents
referencing the mime-sniffing document. Nobody in the group objected
to having this move to WHAT-WG, and according to Larry Masinter, the
W3C is also fine with referencing the WHAT-WG document, so the work
item will be removed from our charter.

Similarly, the WebAppSec group at W3C has asked to have the
Frame-Options document move to them as part of a UI-Safety document
which they are in the process of writing. Brad Hill argued for moving
it, while Tobias Gondrom argued against. While there are some
technical concerns about the solution in W3C, those can also be
debated and resolved in W3C. As there was little objection to the
move, this work item will also be removed from our charter after the
chairs handle the move through the liaisons.

Jeff Hodges presented his security framework draft. This is part of our
charter, but no document has so far been adopted. The feeling in the
room was that there would be consensus to adopt this, and we will take
it to the list after Jeff submits the next revision. 4 people raised
their hands when asked who would be willing to review the draft. That
is not a lot, but I was not counting chairs / ADs.

Ryan Sleevi presented on the progress on cert-pinning. There are some
open issues that should be discussed on the list. The two most sticky
among them are the issue of UA behavior in the face of a TLS proxy
(issue #53), and interaction between this and HSTS (also in the face
of a TLS proxy). Ryan said that he and the authors had more time to
spend on this document now, so hopefully progress will be swifter.

Alexey announced that he would be stepping down as WG chair.