Download presentation
Presentation is loading. Please wait.
Published byMonica Jones Modified over 9 years ago
1
Update: Security Work at W3C Thomas Roessler, W3C tlr@w3.org (channelled by: stephen.farrell@cs.tcd.ie)stephen.farrell@cs.tcd.ie
2
Three + 1 things ● Web security context ● Forms ● XML signature and encryption maintenance ++ ● Hopefully Thomas is listening and on jabber…
3
Web Security Context ● Current state: – TLS is undermined by web user interfaces – Few consistent security indicators – Indicators easily spoofable ● What information should be presented to users? ● How to do this robustly? ● How to do this usably?
4
Web Security Context ● Current state of the work: Use Case Document published as First Public Working Draft – http://www.w3.org/TR/wsc-usecases/ – Comments welcome! ● Next Step: What information, and how? ● Schedule: Anticipate first public working drafts of RECs in June – http://www.w3.org/2006/WSC/ http://www.w3.org/2006/WSC/ ● W3C members + invited experts + public mail archive – Comments: public-usable-authentication@w3.org
5
HTML Form Annotations ● What if an HTML form field could say “I am a user name field”? – Currently, we only have obfuscation of information entered into password fields. – Think of coupling forms and HTTP authentication. Think of cryptographic algorithms. Think of clever user interactions. ● Form WG charter includes task to look at this space of requirements – Work to be done in joint task force with HTML WG. Join through either HTML or Forms side. ● Places to go: – http://www.w3.org/MarkUp/Forms/ http://www.w3.org/MarkUp/Forms/ – http://www.w3.org/html/wg/ (easier entrance point) http://www.w3.org/html/wg/
6
The Plan for XML Signature and Friends ● Fix the known minor problems quickly (next slide) ● Document what other issues and desires are known, but don't resolve them – Then, follow-up work. ● XML Security Specifications Maintenance WG – Chartered through 31 December 2007 – Workshop some time in late summer? ● Lots of external input/review wanted ● TLR will be @ IETF-69 (Chicago) – http://www.w3.org/2007/xmlsec/ http://www.w3.org/2007/xmlsec/ ● W3C members + invited experts (maybe IETF-liberal)
7
XML Signature ● http://www.w3.org/TR/xmldsig-core ●... same as RFC 3275 ● (Inclusive) Canonical XML 1.0 is a MUST but has issues with namespaces (xml:id) – Transforms allow XPath deletion of elements; grandparent inheritance of namespaces – XML Core WG working on C14N 1.1 – Exclusive C14N untouched, but MUST will still be C14N 1.1 (inclusive) – Decryption transform for XML Signature has similar issues ● We'd like to sort this out without reopening the whole thing immediately
8
IETF Interaction ● Publication of minor changes to dsig-core as RFC seems warranted. ● Therefore, plan to submit updated version of the xmlsig spec (PER) as Internet-Draft for IETF review – I-D maybe in summer (IETF-69?) – PER = Proposed edit REC = REC + diffs => REC – Interop is planned before PER/I-D done ● We might tell you that proposed changes are out of scope for this round – Algorithm-agility (sha-256) fits here most likely – Speak to us about future work!
9
Contacts ● Security Activity Lead: Thomas Roessler – Planning to attend IETF in Chicago. ● WSC WG Chair: Mary Ellen Zurko ● XML Sec WG Chair: Frederick Hirsch
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.