We will be hosting the "HTTP Application Security Minus Authentication and
Transport (HASMAT)" Birds-of-a-Feather (BoF) session at IETF-78 in Maastricht
NL during the week of July 25-30, 2010 (see  for mailing list).
The purpose of IETF BoFs is to determine whether there is a problem worth
solving, and whether the IETF is the right group to solve it. To that end, the
problem statement is summarized below in the Draft HASMAT Working Group
Charter, and is drawn from this paper .
Various facets of this work are already underway, as outlined below in the
draft WG charter, e.g. Strict Transport Security (STS) .
Of course the scope of "HTTP application security" is quite broad (as outlined
in ), thus the intent is to coordinate this work closely with related work
likely to land in the W3C (and possibly other orgs), e.g. Content Security
Policy (CSP) .
We have created a public mailing list  for pre-BoF discussion --
[hidden email] -- to which you can freely subscribe here:
We encourage all interested parties to join the hasmat@ mailing list and engage
in the on-going discussion there.
=JeffH (current IETF HTTPstate WG chair)
Peter Saint-Andre (IETF Applications Area Director)
Hannes Tschofenig (IAB, IETF WG chair)
 HASMAT mailing list.
 Hodges and Steingruebl, "The Need for a Coherent Web Security Policy
Framework", W2SP position paper, 2010.
 Hodges, Jackson, and Barth, "Strict Transport Security (STS)",
see also: http://en.wikipedia.org/wiki/Strict_Transport_Security
 Sterne and Stamm, "Content Security Policy (CSP)".
see also: http://people.mozilla.org/~bsterne/content-security-policy/
Proposed HASMAT BoF agenda
Chairs: Hannes Tschofenig and Jeff Hodges
5 min Agenda bashing (Chairs)
10 min Description of the problem space (TBD)
20 min Motivation for standardizing (TBD)
15 min Presentation of charter text (TBD)
60 min Discussion of charter text and choice of the initial
10 min Conclusion (Chairs/ADs)
Draft Charter for HASMAT:
HTTP Application Security Minus Authentication and Transport WG
Although modern Web applications are built on top of HTTP, they provide
rich functionality and have requirements beyond the original vision of
static web pages. HTTP, and the applications built on it, have evolved
organically. Over the past few years, we have seen a proliferation of
AJAX-based web applications (AJAX being shorthand for asynchronous
on so-called Web 2.0 technologies. These applications bring both
luscious eye-candy and convenient functionality, e.g. social networking,
to their users, making them quite compelling. At the same time, we are
seeing an increase in attacks against these applications and their
The list of attacks is long and includes Cross-Site-Request Forgery
(CSRF)-based attacks, content-sniffing cross-site-scripting (XSS)
attacks, attacks against browsers supporting anti-XSS policies,
clickjacking attacks, malvertising attacks, as well as man-in-the-middle
(MITM) attacks against "secure" (e.g. Transport Layer Security
(TLS/SSL)-based) web sites along with distribution of the tools to carry
out such attacks (e.g. sslstrip).
Objectives and Scope
With the arrival of new attacks the introduction of new web security
indicators, security techniques, and policy communication mechanisms
have sprinkled throughout the various layers of the Web and HTTP.
The goal of this working group is to standardize a small number of
selected specifications that have proven to improve security of Internet
Web applications. The requirements guiding the work will be taken from
the Web application and Web security communities. Initial work will be
limited to the following topics:
- Same origin policy, as discussed in draft-abarth-origin
- Strict transport security, as discussed in
draft-hodges-stricttransportsec (to be submitted shortly)
- Media type sniffing, as discussed in draft-abarth-mime-sniff
In addition, this working group will consider the overall topic of HTTP
application security and compose a "problem statement and requirements"
document that can be used to guide further work.
This working group will work closely with IETF Apps Area WGs (such as
HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
Out of Scope
As noted in this working group's title, this working group's scope does
not include working on HTTP Authentication nor underlying transport
(secure or not) topics. So, for example, these items are out-of-scope
for this WG:
- Replacements for BASIC and DIGEST authentication
- New transports (e.g. SCTP and the like)
1. A document illustrating the security problems Web applications are
facing and listing design requirements. This document shall be
2. A selected set of technical specifications documenting deployed
HTTP-based Web security solutions.
These documents shall be Standards Track.
Goals and Milestones
Oct 2010 Submit "HTTP Application Security Problem Statement and
Requirements" as initial WG item.
Oct 2010 Submit "Media Type Sniffing" as initial WG item.
Oct 2010 Submit "Web Origin Concept" as initial WG item.
Oct 2010 Submit "Strict Transport Security" as initial WG item.
Feb 2011 Submit "HTTP Application Security Problem Statement and
Requirements" to the IESG for consideration as an
Mar 2011 Submit "Media Type Sniffing" to the IESG for consideration
as a Standards Track RFC.
Mar 2011 Submit "Web Origin Concept" to the IESG for consideration as
a Standards Track RFC.
Mar 2011 Submit "Strict Transport Security" to the IESG for
consideration as a Standards Track RFC.
Apr 2011 Possible re-chartering
|Free forum by Nabble||Edit this page|