[OpenAjaxSecurity] Minutes from phone call on 2007-06-29
Jon Ferraiolo
jferrai at us.ibm.com
Tue Jul 3 17:08:13 PDT 2007
Sorry, I forgot to upload the minutes until now. Thanks to Suresh for
taking minutes last week.
Security Minutes 2007-06-29
URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-06-29
OpenAjax Alliance Security Task Force minutes 2007-06-29
Attendees
Larry Koved <koved at us.ibm.com>
Jon Ferraiolo <jferrai(at)us.ibm.com>
Bertrand Le Roy <bleroy (at) microsoft.com>
Gideon Lee <glee(at)openspot.com>
David Boloker <boloker(at)us.ibm.com>
Naohiko Uramoto <uramoto(at)jp.ibm.com>
Sachiko Yoshihama <SACHIKOY(at)jp.ibm.com>
Michael Steiner <msteiner(at)us.ibm.com>
Yuecel Karabulut <yuecel.karabulut(at)sap.com>
Suresh N. Chari <schari(at)us.ibm.com>
Sumeer Bhola <sbhola(at)us.ibm.com>
Original Agenda
Summary of the first meeting (consensus and open issues, action items
for the group)
Decide on how to proceed with an OpenAjax Alliance security white
paper (including security best practices)
If / how to bring in marketing into this discussion
Building a list of links to materials (resources) on
web/mashup/ajax security
Discussion of recent publications (MashupOS, IBM Ajax security white
paper)
Discuss how to proceed in defining and documenting use cases that
will drive the ongoing security discussion
See http://www.openajax.org/member/wiki/Security_Use_Cases
Any other business?
Date/time for follow-up task force phone call
Wrap up
Minutes
Larry reviewed the last call. Jon has updated the web pages and started a wiki
page on use cases at http://www.openajax.org/member/wiki/Security_Use_Cases
Larry raised the issue of use cases and what we should document as use
cases. Secure mashups seem to be focus areas: both client side and server
side mashups. Also perhaps federated identity where we really need to get
use cases nailed down.
Another set of documentation could be best practices/security issues. Lots of
articles already exist. David Boloker pointed out that while many articles
exist there is a lot of FUD and contradictory information. We need to
decide on a few issues to focus on and put pointers to a select few
articles. This was also emphasized by Bertrand Le Roy who felt that even if
articles existed we could describe the issues and then point to the right
articles.
It was agreed that we need to write up use cases. Discussion on what the
purpose of these was: both an educational as well as a technical role.
Naohiko Uramoto asked whom we are targeting with these use cases. Currently
targeted to the developer. Discussion on whether we need to target the
end-user.
Jon pointed out that we need to have multiple use cases covering the
various entities in a mashup application.
Sachiko Yoshihama talked about covering the different trust models.
Yuecel talked about understanding what the trust infrastructure was for the
Web 2.0 applications, i.e. for trust in the traditional sense we need a PKI.
What's the equivalent for Web 2.0?
Larry asked for volunteers for the use cases.
Larry volunteered to document a portal-like use case.
Naohiko volunteered a scenario motivated by attacks.
Bertrand volunteered a web services based use case.
Gideon Lee volunteered to document a use case based on a webtop
application.
Larry asked if there were any thoughts on the various solutions proposed by
various parties for the secure mashup problem.
Jon expressed some misgivings about the MashupOS paper. Felt they
were trying to adapt the desktop security model to the mashup
applications.
Michael Steiner felt that we should maybe have a wiki page on the
various technologies and options and have a discussion on the wiki.
This was agreed to.
Everyone felt that we need a social computing related scenario.
Gideon pointed out that we need to discuss some related issues, such
as the case when spammers would put a transparent iframe over
legitimate content. A click would take the user to the spammer's site.
Larry and Michael pointed out that there was work on addressing flaws
in GUI logic. See paper:
http://research.microsoft.com/research/pubs/view.aspx?tr_id=1228
which was presented at IEEE S&P 2007.
Todos from this call:
1. We need to document use cases pointing out the various stakeholders and
the security issues.
Volunteers:
Larry: portal based scenario
Naohiko: scenario with code injection/CSRF, social networking based
scenario.
Bertrand: web service based scenario
Gideon: webtop related sandboxing
Yuecel: alternative web service based scenario.
2. Wiki page with the various alternatives for mashup security.
Suresh Chari to make the initial wiki page.
3. Next meeting: 13th.