1. Administrivia, Blue sheets

Tobias welcomes attendees

2. WG Status, draft status - Tobias

origin-02 is in RFC editor's queue
mime-sniff-03 issues are in the WG issue tracker

3. HSTS: draft-ietf-websec-strict-transport-sec-01 - Jeff

addresses tracker issues
incorporated feedback on HSTS header ABNF, Effective Request URI, IDNA2008 in -03
Paul Hoffman did discuss IDNA issues, not clear whether on the mailing list or private
Current spec is implemented by Firefox and Chrome
Jeff proposes in the light of recent DigiNotar and Comodo to focus on cert pinning

Paul Hoffman: IDNA text MUST be fixed (IDNA2003 versus IDNA2008)
Jeff: very complicated and nuanced
Paul: you may be the first spec that needs to explain this.
Tobias: involve external expert?
Paul: impossible to keep them out ;-)
Yoav Nir: when to close issues?
Jeff: first need people to agree on resolution
Tobias: let's not get into trenches about IDNA version

4. Certificate pinning
https://datatracker.ietf.org/doc/draft-evans-palmer-hsts-pinning/ - Ian Fette presented

Leif: how does this relate to DANE?
Ian: is right ip-address, right?
Paul Hoffman: DANE can say "this is my CA", "this is my cert" etc., in all overlap with DANE
PHB via jabber: DANE should not monopolize this issue
Paul: header field must be under TLS? Seems not to be in draft
Ian: should be in the draft
Richard Barnes: DANE looks at first connection problem
Ian: very similar functionally
Paul: to clarify, not suggesting to not do this work but instead DANE. DANE looks at TLS, this at HTTP, they may be complementary.
Ian: important is the type of policy that needs expression, not the "transport"
Ian: sort of watchdog that verifies; browser vendors don't like to invade privacy by going to third parties
PHB: The big problem with DANE is that at present it cannot be used unless the domain wants to completely usurp PKIX and use DANE semantics for publishing the keys. Validation rules for intermediate CAs are changed.
Yoav: max-age is in?
Ian: seconds
Jeff: perhaps this near-term, DANE long-term solution
Hadriel Kaplan: problem if cert server and webserver are different
Ian: solve in backend
Alexander Mayrhofer: difference with DANE, pin comes through same channel as cert, so less secure
Ian: you're wrong. In the non-bootstrapping case not applicable. In the bootstrapping problem it doesn't really matter, as the attacker can change DNS anyway.
Paul: assumption is that bootstrapping has been done already in DNSSEC, and keys are in place; here you don't have that.
Richard Barnes: cache poisoning attacks lurking?
Ian: yes, potential, but serving over SSL means a compromise is already going on.
Stephen: need to figure out relation with DANE
Stephen: extension to HSTS?
Ian: yes
Stephen: you need to use HSTS?
Ian: no
Tobias: require 2 pins? what if one is broken, seems to weaken security
Tobias: need an escape clause to prevent locking yourself out if one pinned certificate is compromised
Ian: probably outside spec, but in considerations
Leif: real problem is you get pinned to government box (thinking of intercepting proxies)
Paul: MUST be in spec the ability to flush info
Ian: not sure it is in cookie spec
Paul: it IS in cache
Jeff, Leif all agree
Leif: proposal gives MitM possibility to control you for extended amounts of time, does not solve DigiNotar case
Ian: does solve for new entrants into Iran
Jeff: preloaded list approach can help here, this is a medium-term solution that does not make things worse
Leif: what if browser suggests you are safer (by adding to the UI)
EKR (jabber): I think it's most useful to think of this as not perfect security but rather as an early warning system. As long as any significant fraction of potential victims get imprinted correctly initially, you get to learn about attacks.
PHB: The big problem with any security policy proposal is that it is powerful, quite likely more powerful than the administrators trying to configure. The number of attacks is vanishingly small and should be even smaller if browsers all implement policy. Thus violations are likely to be false positives. Hence the reason that using policy to detect violations may well need to be separate from policy enforcement and quite likely require a human decision maker in that loop. That is really not a problem for the rate at which CA breaches occur
Paul: will it be WG document?
Tobias: good timing, want to ask that now
Stephen: link to different version document in agenda
Ian: changes are insignificant
Tobias: topic as WG item?: 22 in favor, 1 against (Derek: unclear that it solves an interesting problem): room consensus to adopt, subject to confirmation on the mailing list.

5. Mime-Sniffing - Larry Masinter

Larry: try to fix draft and address what people did not like about it but were not able to express well
Tobias: comments via list or tracker?
Larry: up to chairs
Tobias (on sniffing PDF or not): need to be in registry?
Barry Leiba: is a receiving software problem, not easy to deal with
Larry: right
Adam Barth (jabber): how about a new registry (other than MIME) for sniffing
Larry: neutral
Tobias (individual): fyi, work going on in the APPSAWG on updating Media Type registration procedure, unclear if and when that would complete
Alexey: right people to discuss this are in the group
Doc type?
Tobias (personal): main goal is convergence of browser behavior, probably need proposed standard for that or perhaps BCP
Barry: regardless of type, it is about helping browsers
Pete Resnick: thank you for taking up the work; wrt standards vs informational, both are perfectly reasonable
Barry: clarification: ok with applicability statement
Tobias (individual): strong opinions about scope question?
Barry: does algorithm work for all cases? if yes, fine to include all cases
Adam Barth (jabber): There are some commonalities, but details are different
Tobias: concern about low number of readers of draft
Derek Atkins: would really like this to move on

6. Digest URI Scheme - Stephen (went before 5.)

Alexey: not WG doc
Stephen: not sure why on list
Jeff: could be used for pinning
PHB: The relevance to WebSEC is that this provides a means of fixing the problems that will occur in the pinning draft. In particular bad things happen when trying to pass headers through proxies and they mash stuff up so that the digest alg will get separated from the value

7. draft-hodges-websec-framework-reqs-00 - Jeff (before 5.)

Jeff: call to look at draft and send comments to list
Tobias: provide feedback
Peter Saint-Andre: framework is important
Tobias: not many readers, why?
Peter: very drafty
Jeff: can put in ascii art

8. Admin / open mike

Jeff volunteers for CSP header document
Alexey: request pending until other docs finished
Tobias closes the meeting.