Tech, Web and Society in W3C


I have been involved in W3C for several years now. The tens of thousands of hours of discussions I have had with my W3C colleagues, mates, folks and peers were deadly interesting. We were covering the technical web, but also all the stuff that comes with it: the web and society, technology as a tool that anyone can handle and use, following their own rules and their own goals. We discussed the reliable and equal web. But what does it mean to maintain a reliable web, for all? What does it mean when a group of people decides to develop technologies to break it? What does it mean to break the web? You know, all those questions that do not directly fall in the basket of W3C (after all, it is only a technical standardization body!). For a year now I have been convinced that this was a missing dimension in W3C. And something happened. Slowly, this idea came onto the table. Why not create a place for W3C members to exchange on the potential impact of the technology developed in W3C? Why not keep an eye on the way the web is used today, and debate the potential impact on policies?

The Advisory Board and the W3C team have been working on the creation of the Technology & Policy Interest Group. A group which will be open to W3C members, and which will gather the state of the art on topics such as deep linking (or: can one forbid referencing a resource?), DMCA-like challenges (or: how to allow researchers to stay on the legal side while researching the web, and thus potentially hacking it) and surveillance (you know, governments and companies monitoring everything and everyone). And this is only a starter. The Tech & Pol Interest Group, chaired by Jean-François Abramatic, former W3C CEO, will work in W3C-member-only mode and will deliver Analyses. Analysis is a new format, chosen to avoid saying the group will deliver a Note or a normative Recommendation. At first, those Analyses may be only a collection of problems and a list of solutions, and it will be up to the directors, in consultation with members, to do something with them.

That Interest Group is a fantastic chance to have a place to discuss those important topics, to have the craftsmen and craftswomen of the web exchanging on technology impact, all together, and potentially raising the question of which kind of web we want for all.

The creation of the Interest Group depends on the support it gains in the W3C membership, and on the number of objections its review collects. So, if you think this group is a good idea, and if your company is a W3C member, I can only encourage you to ping your AC rep and tell him/her what you think…


Illustration: Blowball II – M.C. Escher

Ladies, go for cool networking!


In the series of actions I find key for addressing my constant wish to learn and have a rich professional life, I have been trying to keep an always-ongoing activity, which is about "meeting humans". Working in tech is great, being productive is great, but having a drink with smart people is even cooler. And, going further, having a passionate discussion with someone you don't know yet, sharing vision and skills, is gold. Among other things, I am encouraging women to do so, because this is a smooth way to learn a lot.

For several years now I have been canvassing locally, entering different networks, keeping contacts, attending after-work sessions. This is not only because I have decided to test my resistance to alcohol. It is because I believe the people I meet there help me to grow, and they can benefit from my own experience.

So what do I mean by cool networking? I am not talking about networking to sell products and services. I am talking about something that happens in addition to your normal work. Networking that your income does not rely on. Networking where you do not expect anything (yet), except enjoying sharing. This is what I call "cool networking". There are different criteria that I have experienced, that work quite well for that expectation.

Spirit. I have decided to invest my time in networks which I respect and do not fear. I mean, leveraging values I appreciate, because there is nothing like having a conversation with people with whom you share some important values. My criteria are collaboration, openness and direct talk. You might have yours; this is just an example.

Location. Taking care of a network means being there, not just *thinking* about it. And to be pragmatic, for cost and time reasons, you should go local. Meetups, associations, forums, specific events. Try all of these. And if there is no network around you, just create it! There are always ways to identify people in your area who seem creative and dynamic (I use Twitter a lot for that). Find them and just get organized!

Freedom. Entering a tribe is good if you don't have to report every other morning why you were not there at the last meeting, and why you did not prepare a tomato tart for the recent joint dinner. Cool networking, as I suggest maintaining it, is about being comfortable with others and not being judged. So participating whenever I can, and just keeping track of the community remotely when I really can't be there, is what I call cool networking.

Gap. I want to meet people from whom I can learn something. Meeting people with the same-job-same-age-same-book-reading profile would be interesting, but maybe not enough for me to spend an evening with that tribe rather than with my friends and family.

In the end, the top tribes I belong to at the moment are Girls In Tech Marseille and #LittleFrenchTech; I am also 'god-mothering' girls belonging to Duchess France, as I think it is a cool idea. All of this takes a few evenings a month, but it is worth doing, as I have met some fantastic people through it. Some are friends now, some can help me in my job, some others I help… This has definitely enriched my social life.

It's your turn now to experience cool networking and see how it goes…


Forum Safecity Frenchtech, the beginning of a fine ecosystem


On Thursday 10 March, the EMD business school in Marseille hosted the first forum named Safecity Frenchtech, bringing together the innovative economic players of the Aix-Marseille region and IT security professionals. Initiated by French Tech Aix Marseille and Clusir PACA, the event was a real success, in attendance (close to 300 people) but also in the diversity and importance of the points addressed.

The subject? Can our innovative, connected economic world be secured? The forum allowed many key associations and entrepreneurs to share their views on cyber-security. In no particular order, the cyber-security conversations covered:

  • Entrepreneurs' poor perception of how well their infrastructure is protected, or their false intuition that their company is of no interest to any hacker,
  • The importance of taking care of companies' users and employees so that they take part in developing and applying IT security good practices,
  • The legal obligation for entrepreneurs to know their responsibilities tied to holding information about their employees or customers,
  • The necessary involvement of application developers in the security objectives of a product or service,
  • The many support tools on processes, audits and methods for delivering spotless products (or at least ones resistant to basic attacks),
  • What is at stake in cyber-security for the region's economy and citizens.

What should be remembered from this Safecity forum is the ability of the players in Provence to mobilise and exchange on the intersection of technology and security. As proof, more than twenty industrial players, associations or territorial representatives could be heard on stage. One could meet representatives of CLUSIR PACA (organiser of the event), as well as the Club Informatique Provence, Syntec, ActeCil Sud Est (expert in asset management and security) and the W3C. On the public side, one could rub shoulders with the Institut des Hautes Études de Défense Nationale (IHEDN), the Gendarmerie Nationale, the Conseil Régional, the Mairie d'Aix en Provence and the Mairie de Nice. On the entrepreneurial side, one could meet La French Tech Aix Marseille (co-organiser), Medinsoft, and entrepreneurs such as Jaguar Networks, Wooxo, Monext and Solucom. Finally, the organisations supporting startups were worthily represented by NetAngels and Marseille Innovation. Icing on the cake, the PolyHack club from the Polytech Marseille school came to present the new ways of hacking our everyday technological objects. In short, a fine crowd; the full programme can be found .

There is certainly no shortage of common working tracks between all these bodies: protecting and sustaining the region's innovations, the well-being of citizens in our cities and regions (while avoiding the temptation of a technological big brother). One can thus hope that this first edition of the Forum Safecity French Tech will allow everyone to weave stronger ties, and to come back next year to present, in front of a crowd at least as large, the progress on cyber-security in our region and tell us about the fertile crossovers.


Dispersez-vous, ralliez-vous! by Philippe Djian (warning, intense novel)


Another novel. Another twisted family. Insensitive mothers, scattered husbands, love stories and bedroom stories, precious, unfailing friends. But this time, Philippe Djian speaks in the name of a woman, Myriam. Another novelty: he takes one more step into the allusive style. The delayed revelation. The dialogue, the storm, and later, what it was all about. The reader thus finds himself obliged to give up, to renounce his own patterns and stereotypes, to stop resisting, to silence his imagination in order to dissect the why and the how. Philippe Djian forces us to follow him.

The great emptiness at the start of the novel is worrying. Myriam, weak, abused, without any doubt, but without details; it is frightening. It opens the door to our (women's) fears. And then this Myriam no longer lets herself be fooled, gets her strength back (by regularly visiting a zoo, yes, really). Marriage, motherhood, affairs, work, life in short. We watch this woman-child, long withdrawn from the world, grow up, gain substance. Philippe Djian serves all this to us through the essentials: the frictions between his characters, the calm, soothed moments on the terrace, refuge in cigarettes and alcohol. With time, Myriam takes on that calm wisdom, that sense of the direct phrase that we would all like to have. The right words, said with assurance, at the right moment (that of the limit), pushing conflict to later. Greeting hatred and lies with philosophy, with that shrug of the shoulders which tells us that nature is what it is, that we can do nothing about it. Except be merciful.

And we conclude that. One. Our lives are well worth a few fights, which we will win, certainly. Two. Our lives also deserve that we set up precious oases in them.

Web developers, you want to use Web Crypto? Let the world know!

Dear web developer, web technologist, web curious,

If you have a plan. And if your plan is about integrating more security into your web development. And if you have been expecting an interoperable library in browsers for managing secret keys, encrypting your users' sensitive data, signing a set of data.

This is your time! This is the time for you to speak loud.

The W3C standardization work is in its last miles (despite our Cartesian principles, we all know those are usually the longest).

What do we have so far? We have:

But we are still missing:

  • some bug review and resolutions on the implementers' side,
  • some decision making to clarify buggy features in the specification,
  • a complete set of tests.

So, if you want a chance to play with RSA or AES in your web app one day, and if you already have some pending development or experiment, just let us know.

Help us demonstrate traction from the web developer community. This will definitely motivate browser makers to maintain their efforts on the development and maintenance of the W3C Web Crypto API.

Please send references to your projects, your crypto wish list, or offers to support the WG operations to the W3C Web Crypto WG public mailing list: public-webcrypto@w3.org.

The open web platform will definitely need you!

Girls, be a man (for five seconds)

Still working on the idea of what it is to be a girl in tech, as opposed to a boy in tech. And I recently realized that one of my tricks for finding my way, and the right attitude, in that ecosystem dominated by men was to actually 'think like a man'. This is what I do when I am facing a decision balancing private and professional life, or when I need to think about my relation to power, or ask something of someone, especially when it is a man.

Let me explain, with a little exercise.

You have an agenda conflict between an important meeting and a relative's party. Whatever your decision, before announcing it to the people you decided not to honour with your presence, put yourself in the shoes of a man you like. Let's call that man Roger. Roger has to be someone you respect, someone you believe has the right behaviour at work or in private, someone you believe is balanced and fair with others. Note: if you feel that you are usually too sweet, you can try to find your Roger in the large fleet of assholes you meet every day, but this is only recommended for benchmarking purposes. So, you have your Roger. Now, for 5 seconds, try to think the way he would handle the situation. And think about the gap with your natural way of announcing you will not be present at the party/meeting/wedding…

I don't know how your Roger would react. But my Roger would say: "Look, I am sorry honey/boss/colleague/lover/grandma, but I can't make it. Another day would be more appropriate for me." Full stop. And not "I-am-telling-you-everything-about-my-woman-mother-life". This trick works very well in various situations. You are asked by MissPerfectMother to prepare some cakes for your kid's school party (and you can't, or you don't want to). You don't want to have lunch with your colleagues, because you want to be alone. You want to go out and have several mojitos with your friends instead of staying at home (and now you love me, because your life is going to change)…

Disclaimer one. This trick is a trick. You should not become Roger (or marry him, or whatever). This is just a mimetic exercise to help you change your mindset, try on a man's attitude. Measure the gap. But you will have to find your own style in the end.

Disclaimer two. This post is not about demonstrating how bad men are. This post is about demonstrating that you guys have a terrific, relaxed way to manage priorities and make your point. And that girls should learn from you.

Disclaimer three. Some men told me that they were actually hard at work claiming that they were proud to be fathers and put high priority on their family and leisure. Thus they felt my post was not relevant. I would say that only a few of them dare to do that, and bravo! (maybe they had a female version of Roger…).

Disclaimer four. This post talks about 'girls' at work. Amy commented on why she prefers to be called a woman (or dame, or lady). And I think she is right. I can only encourage you to read her view below.

Now, ladies, choose your Roger(s), and let me know how it feels…


Letter to Philippe Djian

Dear Philippe, very dear Philippe,

I was listening to you recently in the dark of a jet-lagged night, under the Californian moon (long live the podcast). You were talking to France Culture, telling your life, with simple words, anecdotes, and a relaxed manner that touched me. I found a bit of your words in your stories. Philippe, perhaps you have already guessed it, I very much like what you write, and when I liked your books less, I liked the risks you were taking. Recently I cried out with joy on discovering the liberties you take with punctuation and the French language, as well as your talent for handling the unsaid. In short, you belong to the very private list of authors who touch me, knock me over, make me discover myself.

And in that interview, Philippe, you said politics did not interest you. That politics was not within the domain of your writing, that you did not want to have the mission of explaining to people how to live, how to organise themselves… I paused the podcast for a moment. Yes, it's true. Your books are above society, often in unknown cities; your characters are humans moving within society, but they do not take sides, they do not vote, do not fight, do not debate for hours, do not talk about the 35-hour week, do not evoke paths towards a perfect society. Granted.

Here, a crumpling. I generally like committed authors. I like Philippe Djian. And he confesses a flagrant lack of commitment. I weigh. I waver. Politics. Commitment. Their relationship. And then it appears clearly to me that one argument can reconcile me, explain why we have different views here. The argument that everything is political. Our choices are political (to keep it short). They position us in society, as opposed to the mollusc. And by that magic, your writing is political, Philippe, though you deny it. Describing the lives of free characters who don't give a damn about norms, who do highly bizarre things, who are at the edge of the socially correct. Dissecting today's human neuroses to bring to light our weaknesses, the springs that make us lose our heads, the mechanics of domination, the limits of our humanity. Untangling the Machiavellian threads of filiations, families and heavy inheritances is a commitment. In short (*). All this, Philippe, appears to me highly committed. Raw, sensitive, intelligible and intelligent speech. This is a commitment that is often rare in our literary landscape (**). Your writing, you said, was perceived as resembling nothing that was being done in the seventies. And you have kept your line. It has even become more radical lately. That is a commitment. You run writing workshops, you accompany emerging talents, and you tell them to work on their writing, to work and work. That is a commitment. You multiply writing media and forms (song lyrics, illustrated albums, …). You talk about yourself simply, accessibly, without any trace of elitism in your attitude. That is a commitment.

But it is late, here in California. Here I am, reconciled with myself, Philippe. And I was finally able to tell you all the good I think of you.

Thank you.

(*) I leave the reader here to reread Philippe's whole bibliography, magnificent almost from beginning to end; yes, I am an unconditional fan.

(**) Reader, I welcome any suggestion of authors from your own list of favourite authors.

Girls, promote your success

Dolores peacock costume

A few months ago I wrote some thoughts I felt important to share with girls in tech. It was about killing the usual culture that restrains some girls (but also boys) from being free and natural at work, like feeling miserable or sorry for no reason. I now realize that part of girls' (and boys') success in tech is also about promoting their achievements, realizations and contributions correctly. This may be a general worker problem, not a gender problem, but it seems to me that girls tend to forget more often that special part of our job: promoting our success. This struck me when I heard a colleague of mine comment, after a presentation I gave on a successful project, 'Well, Virginie, wonderful, that was clear and understandable, as usual, thank you so much'. I did not feel I had been outstanding; I had just done my job. But I got from that remark that promoting my work was beneficial for me and for the project. The key is to do it efficiently.

What does it mean to promote efficiently? It means building a message adapted to your audience. A message that will not lose them or overload them with inappropriate details. Of course it depends on the context, the audience and the topic. Working on technology innovation scouting, meeting lots of people and companies and having to report on different aspects, from market to strategy and technology, I had to think about my own classification of what to say to whom, and when. That classification might not be universal, but you can get the principles, depending on the context. Here it is.

But first. Never ever. Whatever the situation, never ever go in the direction of sexist jokes and naked girls (or boys), football analogies, systematic references to Apple and Google. This is forbidden, if your plan is to stay credible. While this may be the easiest way to have people with you, it is simplistic. And by avoiding reproducing that simplistic view of the world, you do not really miss anything; you just show you are worth more than that.

Jump on opportunities. You meet the right person in the corridor, you need her or his advice, don't miss it. Target one sentence and one smile. That is teasing time. You have to say what is at stake, which solution you believe you should go for, and make your request. Then smile and be silent to get an answer. Note for weird people: I am not talking about a hot seduction attitude here, just staying tuned, kindly.

People agreed to meet you and you have time. It's serious stuff here; you are consuming other people's time. They have to know why you are here, what you are talking about. And to do so, I recommend staying high level, talking strategy, expressing the key notions, exposing the frictions, listing the market actors and suggesting solutions. And, because you need to keep them happy with you, you can make jokes (i.e. be relaxed and smart, alright, not bad bar jokes). You must keep some time for concluding, making sure everyone agrees on the solution (action plan, next steps, …). That is the normal communication rule. But (and that is the key point): during all this interaction, you should say 'we' when it was team work and 'I' when it was your own work. Don't dilute your contribution; be crystal clear about it. That is key to valuing your work.

You are on stage, in a conference. You may not have anything to learn from me if you already made the decision to be on stage. The only recommendation I would give is: build your talk like a story. You need a 'fil rouge', you need little anecdotes, you need surprise (tadaaaa, here is my program; wow, here is my design…). For the others, if you are just thinking about applying for a conference talk, I would say that you should not hesitate any more. Conferences are key events that force you to be synthetic and clear. This will give positive visibility to your project. And conference organizers will do their best to help you be good on stage (it is in their interest). Finally, you will be able to re-use your talk elsewhere. You just need to find the right conference, with the right audience.

You need to talk about your work, but… I know you want everyone to know that while going from SuperProduct v1.3 to HyperProduct v1.4, you made some choices, you managed some shit, you were about to be killed by 2 engineers, and had to dance with your enemy, but… let's admit that sharing those details in a decision meeting, or while reporting on your project's success, will not help you. You are a professional, you are managing your tasks correctly and making decisions. That is why you are getting paid. But the good news is that you will have to leave evidence of your work. A digital archive, for volunteering and curious colleagues, or to have it somewhere for later reference. In this archive, you can play with all the secret details of your work. You can use your everyday professional vocabulary and habits. Acronyms, architecture, references to geek literature, bug numbers, product versions, test suites, clickable URLs, little stories of your battles, multi-bullet-point slides, matrices (with titles), text in different fonts for super cool effects, resource planning, exhaustive lists of participants, detailed figures… And this is the only place where you should play that game of going into the boring details. Right? Unless someone weird asks you detailed questions about it…

My 2 cents, hoping it will get you out there showing your technical work to the world…

W3C: TPAC week was also about fun and art

This post is the last one of a series of 4 dedicated to the yearly W3C meeting. The previous ones dealt with serious stuff such as the W3C Advisory Board, the news in the tech area, and the particular topic of security in W3C. This one relates to the fun happening at W3C TPAC…

Those who were there could not ignore that, in addition to meeting great and smart people, in addition to producing specifications and working out some resolutions, the mood at TPAC is about human and social interactions. Coffee breaks, special dinners and bar sessions are the place to be. Everything is provided to allow people to meet. And there were two remarkable activities during that TPAC week in Sapporo.


Werewolf game.

Werewolf is famous in W3C. It is most of the time orchestrated by Dom and Doug from W3C. The game is about guessing, in an assembly of 20 people or more, who are the werewolves killing simple villagers at night. Each player can be a special character and get some special hints about the werewolves' identities. The game happens in the evening, in one of the hotels where most TPACers were sleeping, and every night you could see people joining the group at 21:30, jumping out from nowhere, to be there and have fun. That year, the novelty was that the werewolf game opened a Twitter account (which I had fun managing for one night, at least).

During the night, the villagers sleep.

And in the morning, the players vote to decide who is a werewolf.


The Haiku challenge.

That idea came from Maria Audey and David Rogers. The challenge was to make the TPACers write a haiku (a 3-line poem, whose constraint is 5/7/5 syllables). Writers could either send the haiku anonymously or sign it with their name. We received 35 haikus in less than 2 days. All are archived forever on W3C servers, available here: https://www.w3.org/wiki/TPAC/2015/haiku

You can note the crossover with the werewolf game:

Full moon

Doug, a simple villager,

when the moon is full,

smells of blood, bones and beard.

My favourite haiku was (by Ian):

Ode to Scribes

RRSagent

I have been scribing so long

Zakim, close the queue

And the jury, composed of David, Maria and me, voted for Yves's:

Shepherds

Web is where we live

TPAC is where we connect

Free Web for the world.

Again, that year TPAC was amazing, feeding people with tech, fun and art…

W3C: about security activities (gossip, new work and strategy)

This post is the third one reporting on W3C TPAC activities. The previous ones were related to the Advisory Board discussion and general technical topics. This one focuses on my favourite topic, security.

People following me know I am a promoter of security in W3C. And having done that for the last 4 years, I must confess I had some good surprises during the last W3C TPAC week (which is the yearly big W3C party). Here is what I collected, going into official and unofficial meetings, coffee breaks and bars…

When Vint Cerf, Jun Murai and Tim Berners-Lee advocate for security. The W3C TPAC day started with a three-star row on stage, exchanging with W3C CEO Jeff Jaffe. (Note for the youngest ones: Vint Cerf is one of the inventors of the internet and works for Google, Jun Murai has been contributing to that ecosystem as one of the most influential Japanese representatives of the internet, and Tim Berners-Lee is Tim…). Reading the minutes of that conversation, one realizes that security was at the heart of the exchanges. About building security into everything, about security being transparent, about strong authentication, about making the web a trusted place… While those gentlemen did not draw technical solutions on any whiteboard, but rather exchanged on the effort needed, this gave an indication of their next challenge for the web.

The W3C security strategy is here. In order to answer W3C members' request for a security strategy, the security strategic plan for W3C has been issued. The Technology and Society domain considers two aspects of securing the open web platform: user security (including the Web Crypto API, web authentication and HTTPS migration) and web app security (including CSP, sandboxing and HTTPS, again). Another track is about making sure that the development of the open web platform takes care of security, and this implies having security reviews, handling the migration to HTTPS with care, and liaising with the rest of the world through liaisons and wide communication. See more about that security strategic plan here: https://github.com/w3c/websec/blob/master/security-roadmap.md

The migration towards an HTTPS world. A very interesting session was held during TPAC about trying to find the best path to make the web an HTTPS place. HTTPS is good, says the W3C Technical Architecture Group. We all know that (well, kind of). But the path from HTTP to HTTPS may raise some serious challenges, which Brad Hill explained very well in that document. The problem is mixed content. How do you make sure, once your website mandates HTTPS, that you can still get content from websites only running on HTTP? What security measures should be taken when this situation happens? Wouldn't that be the weakest link that kills the entire security promise… No conclusion was drawn from that discussion, but some solutions were excluded (for instance a 2-step migration path that would be highly insecure for the whole web).

W3C seeks a security geek. Based on that ambitious plan, W3C has opened a position to strengthen the team on security aspects. For more information, you should contact Wendy from W3C (wseltzer at w3 dot org).

Web App Sec, business as usual. Working hard and quietly, Web App Sec is rolling out its plan. I have already mentioned the main topics dealt with in this Working Group, made of the best security experts of the major browser vendors. One may note that, little by little, Web App Sec is providing developers with a toolbox allowing them to check the integrity of a resource (SRI), filter or log access to external resources (CSP), or restrict specific APIs to secure contexts (Secure Contexts, previously called Privileged Contexts)… Nevertheless, some recent activities are worth (re)mentioning, completing this intention:

  • COWL: Confinement with Origin Web Labels. In other words, this is a means to label some code and execute it carefully (because you don't trust it, because you want to give it fewer permissions…). That work is a First Public Working Draft (early stage of a spec) and is available here: http://www.w3.org/TR/cowl
  • Clear Site Data: allows a web app to kindly ask the browser to delete data related to itself. The spec is available here: http://www.w3.org/TR/clear-site-data/
  • Upgrade Insecure Requests: allows web app developers to instruct the browser to upgrade all interactions between client and server to HTTPS. The spec is available here: http://www.w3.org/TR/upgrade-insecure-requests/

You can have a look at the complete status of the Working Group deliverables, edited by its co-chair Brad Hill.

Last but not least. Some new work is being introduced in W3C.

Web Authentication. This is about allowing strong authentication from a web app. That working group will certainly be the place for W3C to receive the FIDO Alliance specifications, which define an API for authentication, attestation of an authentication device, and signature. The draft charter is under construction here: https://w3c.github.io/websec/web-authentication-charter

Hardware Security. This is about allowing web apps to access secure services made available through hardware-based tokens (like secure chips, smart cards, trusted execution environments). Those who know my everyday job will definitely recognize the usual technology I play with, and may understand why I have offered to chair that working group, together with David Rogers, a mobile security expert. The draft charter is available here: https://w3c.github.io/websec/hasec-charter.html

Those two new pieces of W3C work still have to go through W3C member review before actually being up and running. Again, I will keep you informed.