1 / 9

Update: Security Work at W3C

Thomas Roessler, W3C tlr@w3.org (channelled by: stephen.farrell@cs.tcd.ie ). Update: Security Work at W3C. Three + 1 things. Web security context Forms XML signature and encryption maintenance ++ Hopefully Thomas is listening and on jabber…. Web Security Context. Current state:

lcottrell
Download Presentation

Update: Security Work at W3C

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Thomas Roessler, W3C tlr@w3.org (channelled by: stephen.farrell@cs.tcd.ie) Update: Security Work at W3C

  2. Three + 1 things • Web security context • Forms • XML signature and encryption maintenance ++ • Hopefully Thomas is listening and on jabber…

  3. Web Security Context • Current state: • TLS is undermined by web user interfaces • Few consistent security indicators • Indicators easily spoofable • What information should be presented to users? • How to do this robustly? • How to do this usably?

  4. Web Security Context • Current state of the work: Use Case Document published as First Public Working Draft • http://www.w3.org/TR/wsc-usecases/ • Comments welcome! • Next Step: What information, and how? • Schedule: Anticipate first public working drafts of RECs in June • http://www.w3.org/2006/WSC/ • W3C members + invited experts + public mail archive • Comments: public-usable-authentication@w3.org

  5. HTML Form Annotations • What if an HTML form field could say “I am a user name field”? • Currently, we only have obfuscation of information entered into password fields. • Think of coupling forms and HTTP authentication. Think of cryptographic algorithms. Think of clever user interactions. • Form WG charter includes task to look at this space of requirements • Work to be done in joint task force with HTML WG. Join through either HTML or Forms side. • Places to go: • http://www.w3.org/MarkUp/Forms/ • http://www.w3.org/html/wg/ (easier entrance point)

  6. The Plan for XML Signature and Friends • Fix the known minor problems quickly (next slide) • Document what other issues and desires are known, but don't resolve them • Then, follow-up work. • XML Security Specifications Maintenance WG • Chartered through 31 December 2007 • Workshop some time in late summer? • Lots of external input/review wanted • TLR will be @ IETF-69 (Chicago) • http://www.w3.org/2007/xmlsec/ • W3C members + invited experts (maybe IETF-liberal)

  7. XML Signature • http://www.w3.org/TR/xmldsig-core • ... same as RFC 3275 • (Inclusive) Canonical XML 1.0 is a MUST but has issues with namespaces (xml:id) • Transforms allow XPath deletion of elements; grandparent inheritance of namespaces • XML Core WG working on C14N 1.1 • Exclusive C14N untouched, but MUST will still be C14N 1.1 (inclusive) • Decryption transform for XML Signature has similar issues • We'd like to sort this out without reopening the whole thing immediately

  8. IETF Interaction • Publication of minor changes to dsig-core as RFC seems warranted. • Therefore, plan to submit updated version of the xmlsig spec (PER) as Internet-Draft for IETF review • I-D maybe in summer (IETF-69?) • PER = Proposed edit REC = REC + diffs => REC • Interop is planned before PER/I-D done • We might tell you that proposed changes are out of scope for this round • Algorithm-agility (sha-256) fits here most likely • Speak to us about future work!

  9. Contacts • Security Activity Lead: Thomas Roessler <tlr@w3.org> • Planning to attend IETF in Chicago. • WSC WG Chair: Mary Ellen Zurko <mzurko@us.ibm.com> • XML Sec WG Chair: Frederick Hirsch <frederick.hirsch@nokia.com>

More Related