Update: Security Work at W3C. Thomas Roessler, W3C <tlr@w3.org> (channelled by: stephen.farrell@cs.tcd.ie)
Post on 20-Jan-2016


TRANSCRIPT

Page 1: Update: Security Work at W3C

Thomas Roessler, W3C <tlr@w3.org>

(channelled by: stephen.farrell@cs.tcd.ie)

Page 2: Three + 1 things

● Web security context
● Forms
● XML signature and encryption maintenance ++
● Hopefully Thomas is listening and on jabber…

Page 3: Web Security Context

● Current state:
– TLS is undermined by web user interfaces
– Few consistent security indicators
– Indicators easily spoofable
● What information should be presented to users?
● How to do this robustly?
● How to do this usably?

Page 4: Web Security Context

● Current state of the work: Use Case Document published as First Public Working Draft
– http://www.w3.org/TR/wsc-usecases/
– Comments welcome!
● Next step: What information, and how?
● Schedule: Anticipate first public working drafts of RECs in June
– http://www.w3.org/2006/WSC/
● W3C members + invited experts + public mail archive
– Comments: public-usable-[email protected]

Page 5: HTML Form Annotations

● What if an HTML form field could say "I am a user name field"?
– Currently, we only have obfuscation of information entered into password fields.
– Think of coupling forms and HTTP authentication. Think of cryptographic algorithms. Think of clever user interactions.
● Forms WG charter includes a task to look at this space of requirements
– Work to be done in a joint task force with the HTML WG. Join through either the HTML or the Forms side.
● Places to go:
– http://www.w3.org/MarkUp/Forms/
– http://www.w3.org/html/wg/ (easier entrance point)

Page 6: The Plan for XML Signature and Friends

● Fix the known minor problems quickly (next slide)
● Document what other issues and desires are known, but don't resolve them
– Then, follow-up work.
● XML Security Specifications Maintenance WG
– Chartered through 31 December 2007
– Workshop some time in late summer?
– http://www.w3.org/2007/xmlsec/
– W3C members + invited experts (maybe IETF-liberal)
● Lots of external input/review wanted
● TLR will be @ IETF-69 (Chicago)

Page 7: XML Signature

● http://www.w3.org/TR/xmldsig-core
● ... same as RFC 3275
● (Inclusive) Canonical XML 1.0 is a MUST but has issues with namespaces (xml:id)
– Transforms allow XPath deletion of elements; grandparent inheritance of namespaces
– XML Core WG working on C14N 1.1
– Exclusive C14N untouched, but MUST will still be C14N 1.1 (inclusive)
– Decryption transform for XML Signature has similar issues
● We'd like to sort this out without reopening the whole thing immediately
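The canonicalization problem on this slide, as an added example that is not part of the deck or of any W3C code: a toy Python model of the Inclusive C14N 1.0 rule that the apex element of a document subset renders the xml:* attributes inherited from its ancestors, whether or not those ancestors are part of the signed subset. The canonicalizer, the sample documents, and the function names are assumptions made for the demonstration only; it is not a spec-complete C14N implementation (namespace declarations, entity expansion and attribute-value normalization are omitted). The same Order subtree is digested inside two different envelopes, once inclusively and once exclusively.

```python
"""Toy model (added example, not W3C code) of ancestor xml:* attribute
inheritance in Inclusive C14N 1.0 versus Exclusive C14N.  It implements
only that one rule; it is not a spec-complete canonicalizer."""
import hashlib
import xml.etree.ElementTree as ET

XML_NS = "http://www.w3.org/XML/1998/namespace"

# Constructed sample: the same <Order> subtree embedded in two different
# envelopes.  Only the first envelope carries xml:* attributes.
DOC_A = ('<Envelope xml:lang="en" xml:id="env1"><Body>'
         '<Order id="o1"><Item>widget</Item></Order></Body></Envelope>')
DOC_B = '<Archive><Order id="o1"><Item>widget</Item></Order></Archive>'


def _attr_name(key):
    # ElementTree reports namespaced attributes as "{uri}local"; the sample
    # only uses the predefined xml namespace, rendered back as "xml:local".
    if key.startswith("{" + XML_NS + "}"):
        return "xml:" + key[len(XML_NS) + 2:]
    return key


def _render(elem, extra_attrs=None):
    """Serialise elem: attributes sorted (unqualified first, then xml:*),
    children recursed, text copied as-is (the sample contains no entities)."""
    attrs = dict(elem.attrib)
    if extra_attrs:
        for k, v in extra_attrs.items():
            attrs.setdefault(k, v)  # the element's own attribute wins
    keys = sorted(attrs, key=lambda k: (k.startswith("{"), _attr_name(k)))
    out = "<" + elem.tag
    for k in keys:
        out += ' %s="%s"' % (_attr_name(k), attrs[k])
    out += ">" + (elem.text or "")
    for child in elem:
        out += _render(child) + (child.tail or "")
    return out + "</" + elem.tag + ">"


def canonicalize_subtree(doc_xml, tag, exclusive):
    """Canonicalize the first element named `tag` as the apex of a document
    subset, i.e. what a Reference over that element sees after a transform
    has dropped everything outside it."""
    root = ET.fromstring(doc_xml)
    parents = {c: p for p in root.iter() for c in p}
    apex = root if root.tag == tag else root.find(".//" + tag)
    inherited = {}
    if not exclusive:
        # Inclusive C14N 1.0 rule: the apex renders every xml:* attribute in
        # scope from its ancestors, nearest ancestor winning, even when those
        # ancestors are not themselves in the subset.
        chain, node = [], apex
        while node in parents:
            node = parents[node]
            chain.append(node)
        for anc in reversed(chain):  # outermost first, so nearer overwrites
            for k, v in anc.attrib.items():
                if k.startswith("{" + XML_NS + "}"):
                    inherited[k] = v
    # Exclusive C14N: nothing outside the subtree contributes.
    return _render(apex, inherited)


def digest(doc_xml, tag, exclusive):
    """Hex SHA-256 of the canonical form, as a DigestValue would be."""
    canon = canonicalize_subtree(doc_xml, tag, exclusive)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for exclusive in (False, True):
        mode = "exclusive" if exclusive else "inclusive"
        print(mode, "A:", canonicalize_subtree(DOC_A, "Order", exclusive))
        print(mode, "B:", canonicalize_subtree(DOC_B, "Order", exclusive))
        print(mode, "same digest:",
              digest(DOC_A, "Order", exclusive) ==
              digest(DOC_B, "Order", exclusive))
```

Under the inclusive model the Order taken from DOC_A canonicalizes with xml:id="env1" and xml:lang="en" attached to its apex, so its digest differs from the identical subtree in DOC_B and the rendered element now carries an identifier that belongs to the envelope; that is the xml:id problem the slide refers to, and the reason C14N 1.1 stops inheriting xml:id. Under the exclusive model both copies canonicalize to the same bytes. Real implementations should use a spec-conformant C14N library, not this model.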

Page 8: IETF Interaction

● Publication of minor changes to dsig-core as an RFC seems warranted.
● Therefore, plan to submit the updated version of the XML Signature spec (PER) as an Internet-Draft for IETF review
– I-D maybe in summer (IETF-69?)
– PER = Proposed Edited Recommendation = REC + diffs => REC
– Interop is planned before PER/I-D done
● We might tell you that proposed changes are out of scope for this round
– Algorithm agility (SHA-256) fits here most likely
– Speak to us about future work!

Page 9: Contacts

● Security Activity Lead: Thomas Roessler <tlr@w3.org>
– Planning to attend IETF in Chicago.
● WSC WG Chair: Mary Ellen Zurko <[email protected]>
● XML Sec WG Chair: Frederick Hirsch <[email protected]>