update: security work at w3c thomas roessler, w3c [email protected] (channelled by:...
Three + 1 things
● Web security context
● Forms
● XML signature and encryption maintenance ++
● Hopefully Thomas is listening and on jabber…
Web Security Context
● Current state:
– TLS is undermined by web user interfaces
– Few consistent security indicators
– Indicators easily spoofable
● What information should be presented to users?
● How to do this robustly?
● How to do this usably?
Web Security Context
● Current state of the work: Use Case Document published as First Public Working Draft
– http://www.w3.org/TR/wsc-usecases/
– Comments welcome!
● Next Step: What information, and how?
● Schedule: Anticipate first public working drafts of RECs in June
– http://www.w3.org/2006/WSC/
● W3C members + invited experts + public mail archive
– Comments: public-usable-
HTML Form Annotations
● What if an HTML form field could say “I am a user name field”?
– Currently, we only have obfuscation of information entered into password fields.
– Think of coupling forms and HTTP authentication. Think of cryptographic algorithms. Think of clever user interactions.
● Forms WG charter includes a task to look at this space of requirements
– Work to be done in a joint task force with the HTML WG. Join through either the HTML or the Forms side.
● Places to go:
– http://www.w3.org/MarkUp/Forms/
– http://www.w3.org/html/wg/ (easier entrance point)
The Plan for XML Signature and Friends
● Fix the known minor problems quickly (next slide)
● Document what other issues and desires are known, but don't resolve them
– Then, follow-up work.
● XML Security Specifications Maintenance WG
– Chartered through 31 December 2007
– Workshop some time in late summer?
● Lots of external input/review wanted
● TLR will be @ IETF-69 (Chicago)
– http://www.w3.org/2007/xmlsec/
● W3C members + invited experts (maybe IETF-liberal)
XML Signature
● http://www.w3.org/TR/xmldsig-core
● ... same as RFC 3275
● (Inclusive) Canonical XML 1.0 is a MUST but has issues with namespaces (xml:id)
– Transforms allow XPath deletion of elements; grandparent inheritance of namespaces
– XML Core WG working on C14N 1.1
– Exclusive C14N untouched, but MUST will still be C14N 1.1 (inclusive)
– Decryption transform for XML Signature has similar issues
● We'd like to sort this out without reopening the whole thing immediately
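To make the C14N 1.0 inheritance problems on this slide concrete, here is an added illustrative example (not from the slides, the WG or any spec text) that models, with Python's standard library only, which ancestor namespace declarations and xml:* attributes land on the apex element of a signed subtree under inclusive C14N 1.0, inclusive C14N 1.1 and Exclusive C14N. The sample document, prefixes and URIs are constructed, the functions are a simplified model rather than a canonicalizer, and the xml:base fix-up of C14N 1.1 is not modelled.

```python
"""Simplified model (not a canonicalizer) of what a signed subtree's apex element
inherits from its ancestors under inclusive C14N 1.0/1.1 and Exclusive C14N."""
import xml.dom.minidom as minidom

# Constructed sample: <ns1:payload> is the signed subtree; its ancestors
# declare a default namespace, an unused prefix and an xml:id.
SAMPLE = """<root xmlns="urn:example:doc" xmlns:ns1="urn:example:one"
      xml:id="outer" xml:lang="en">
  <ns1:wrapper xmlns:ns2="urn:example:two" xmlns:unused="urn:example:x">
    <ns1:payload ns2:flag="yes">signed content</ns1:payload>
  </ns1:wrapper></root>"""

def signed_apex(doc_text=SAMPLE, tag="ns1:payload"):
    return minidom.parseString(doc_text).getElementsByTagName(tag)[0]

def ancestors(node):  # ancestor elements of node, nearest first
    out, p = [], node.parentNode
    while p is not None and p.nodeType == p.ELEMENT_NODE:
        out.append(p)
        p = p.parentNode
    return out

def rendered_namespaces(apex, exclusive=False):
    """Declarations rendered on the apex when canonicalized alone. Inclusive: all in
    scope, even unused grandparent ones. Exclusive: only visibly used prefixes."""
    scope = {}
    for e in [apex] + ancestors(apex):  # nearest declaration wins
        for name, value in e.attributes.items():
            if name == "xmlns":
                scope.setdefault("", value)
            elif name.startswith("xmlns:"):
                scope.setdefault(name[6:], value)
    if exclusive:
        used = {apex.tagName.partition(":")[0] if ":" in apex.tagName else ""}
        for name, _ in apex.attributes.items():
            if ":" in name and not name.startswith(("xmlns", "xml:")):
                used.add(name.partition(":")[0])
        scope = {p: u for p, u in scope.items() if p in used}
    return dict(sorted(scope.items()))

def rendered_xml_attrs(apex, version="1.0"):
    """xml:* attributes on the apex under inclusive C14N: 1.0 copies every
    ancestor xml:* attribute onto the apex, 1.1 never inherits xml:id."""
    attrs = {n: v for n, v in apex.attributes.items() if n.startswith("xml:")}
    for anc in ancestors(apex):
        for name, value in anc.attributes.items():
            if name.startswith("xml:") and name not in attrs and not (
                    version == "1.1" and name == "xml:id"):  # 1.1: id stays put
                attrs[name] = value
    return dict(sorted(attrs.items()))
```

Under C14N 1.0 the apex picks up the grandparent's xml:id="outer" and every in-scope declaration, so the canonical bytes of the signed fragment depend on context it does not own; Exclusive C14N keeps only the ns1 and ns2 declarations the apex visibly uses, and C14N 1.1 stops the xml:id from being inherited.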
IETF Interaction
● Publication of minor changes to dsig-core as RFC seems warranted.
● Therefore, plan to submit updated version of the xmldsig spec (PER) as Internet-Draft for IETF review
– I-D maybe in summer (IETF-69?)
– PER = Proposed Edited REC = REC + diffs => REC
– Interop is planned before PER/I-D done
● We might tell you that proposed changes are out of scope for this round
– Algorithm agility (SHA-256) fits here most likely
– Speak to us about future work!
Contacts
● Security Activity Lead: Thomas Roessler <[email protected]> – Planning to attend IETF in Chicago.
● WSC WG Chair: Mary Ellen Zurko <[email protected]>
● XML Sec WG Chair: Frederick Hirsch <[email protected]>