Two weeks ago, W3C held its yearly event, TPAC, gathering most W3C Working Groups, all official W3C members and most of the W3C team. This impressive concentration of geeks, combined with a great venue and lunches and dinners organized by W3C, led to an impressive density of interesting conversations. While I listened in on a lot, I am reporting here only what related to security, which was one of my reasons for being there (in addition to friends, curiosity, and spending a week on the other side of the globe).
After IETF, it is W3C's turn to discuss security
After the PRISM and NSA disclosures about mass surveillance, IETF started work on hardening the web and making it a more trusted place, and made some statements about future work. As IETF and W3C are sister organizations, W3C had to address the topic as well. But intrusion into the privacy of citizens and corporations is not the only driver for discussing security: Web Payments and the deployment of high-value services are other good reasons.
Let's put everyone around the same table
W3C is special in that communication, exchange and learning actually happen during the meeting. One of the magic tools for achieving that is the free-form organization of the talks. During the Technical Plenary session, in addition to the traditional dashboard and status presentations, there are open sessions organized unconference-style, where anyone can propose a topic, request a room and run a conversation (see the program built by the participants). I had announced several weeks earlier that I would lead a security-related session, and it converged with a session on hardening the web organized by Tim Berners-Lee @timberners_lee and Mark Nottingham @mnot. In the end, the session gathered more than 50 people.
After a presentation of the existing security-related efforts in W3C, led by Wendy Seltzer @wseltzer from the W3C office, we opened the floor to an open-mic session in an intimate setting: everyone sat in a circle of chairs, the mic flew from one person to the next thanks to Wendy, and Manu Sporny @manusporny took accurate minutes so that the material would not be lost.
Security: we want more people, education, features
Around 20 people gave their opinion on what their security problems were and what they recommended for moving forward. The main ideas shared can be summarized as follows:
- we need more exchange and more expertise from researchers and browser makers; we need a security community;
- we need to educate users and developers;
- we need to make the web more robust, starting with securing the client side, reinforcing session management, and favoring appropriate certificate usage;
- we must take into account mobility and new domains such as M2M or IoT (the web embedded in machines, with new service models), without forgetting the needs of specific industries such as the financial and identity markets.
In conclusion
The session was a good demonstration that there is a need to go further on security in W3C. As a quick follow-up, Wendy from W3C took the opportunity to draft an ambitious charter for a potential new WG dedicated to security. It is available at http://www.w3.org/Security/wiki/IG/new_work and awaits your comments or endorsement, via the Web Security Interest Group mailing list email@example.com .
In addition, W3C is involved in an interesting European program named STREWS, which has just issued a state-of-the-art review of security threats and attacks on the web platform, and which will organize a series of security workshops in 2014 to help the web industry find appropriate countermeasures.
If you also want to be part of the effort to improve the security of the open web platform, raise your hand now and contribute!
To go further and read the details:
– Minutes of the W3C TPAC security session http://www.w3.org/2013/11/13-security-minutes.html
– Takeaways from the W3C TPAC security session [pdf] http://www.w3.org/wiki/images/e/e8/Security_Breakout_session_tpac2013.pdf
– W3C Web Security Interest Group http://www.w3.org/Security/wiki/IG