Update: Security Work at W3C

Provided by: ietf
Learn more at: https://www.ietf.org
1
Update: Security Work at W3C
  • Thomas Roessler, W3C
  • tlr_at_w3.org
  • (channelled by stephen.farrell_at_cs.tcd.ie)

2
Three + 1 things
  • Web security context
  • Forms
  • XML signature and encryption maintenance
  • Hopefully Thomas is listening and on jabber

3
Web Security Context
  • Current state
  • TLS is undermined by web user interfaces
  • Few consistent security indicators
  • Indicators easily spoofable
  • What information should be presented to users?
  • How to do this robustly?
  • How to do this usably?

4
Web Security Context
  • Current state of the work: Use Case Document published as First Public Working Draft
  • http://www.w3.org/TR/wsc-usecases/
  • Comments welcome!
  • Next Step: What information, and how?
  • Schedule: Anticipate first public working drafts of RECs in June
  • http://www.w3.org/2006/WSC/
  • W3C members, invited experts, public mail archive
  • Comments: public-usable-authentication_at_w3.org

5
HTML Form Annotations
  • What if an HTML form field could say "I am a user name field"?
  • Currently, we only have obfuscation of information entered into password fields.
  • Think of coupling forms and HTTP authentication. Think of cryptographic algorithms. Think of clever user interactions.
  • Forms WG charter includes task to look at this space of requirements
  • Work to be done in joint task force with HTML WG. Join through either HTML or Forms side.
  • Places to go
  • http://www.w3.org/MarkUp/Forms/
  • http://www.w3.org/html/wg/ (easier entrance point)

6
The Plan for XML Signature and Friends
  • Fix the known minor problems quickly (next slide)
  • Document what other issues and desires are known, but don't resolve them
  • Then, follow-up work.
  • XML Security Specifications Maintenance WG
  • Chartered through 31 December 2007
  • Workshop some time in late summer?
  • Lots of external input/review wanted
  • TLR will be at IETF-69 (Chicago)
  • http://www.w3.org/2007/xmlsec/
  • W3C members, invited experts (maybe IETF-liberal)
7
XML Signature
  • http://www.w3.org/TR/xmldsig-core
  • ... same as RFC 3275
  • (Inclusive) Canonical XML 1.0 is a MUST but has issues with namespaces (xml:id)
  • Transforms allow XPath deletion of elements grandparent inheritance of namespaces
  • XML Core WG working on C14N 1.1
  • Exclusive C14N untouched, but MUST will still be C14N 1.1 (inclusive)
  • Decryption transform for XML Signature has similar issues
  • We'd like to sort this out without reopening the whole thing immediately

8
IETF Interaction
  • Publication of minor changes to dsig-core as RFC seems warranted.
  • Therefore, plan to submit updated version of the xmlsig spec (PER) as Internet-Draft for IETF review
  • I-D maybe in summer (IETF-69?)
  • PER: Proposed edit REC; REC diffs > REC
  • Interop is planned before PER/I-D done
  • We might tell you that proposed changes are out of scope for this round
  • Algorithm-agility (sha-256) fits here most likely
  • Speak to us about future work!

9
Contacts
  • Security Activity Lead: Thomas Roessler <tlr_at_w3.org>
  • Planning to attend IETF in Chicago.
  • WSC WG Chair: Mary Ellen Zurko <mzurko_at_us.ibm.com>
  • XML Sec WG Chair: Frederick Hirsch <frederick.hirsch_at_nokia.com>