[OpenAjaxSecurity] Minutes from phone call on 2007-06-29

Jon Ferraiolo jferrai at us.ibm.com
Tue Jul 3 17:08:13 PDT 2007

Sorry, I forgot to upload the minutes until now. Thanks to Suresh for
taking minutes last week.

Security Minutes 2007-06-29

URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-06-29

OpenAjax Alliance Security Task Force minutes 2007-06-29

      Larry Koved <koved at us.ibm.com>
      Jon Ferraiolo <jferrai(at)us.ibm.com>
      Bertrand Le Roy <bleroy (at) microsoft.com>
      Gideon Lee <glee(at)openspot.com>
      David Boloker <boloker(at)us.ibm.com>
      Naohiko Uramoto <uramoto(at)jp.ibm.com>
      Sachiko Yoshihama <SACHIKOY(at)jp.ibm.com>
      Michael Steiner <msteiner(at)us.ibm.com>
      Yuecel Karabulut <yuecel.karabulut(at)sap.com>
      Suresh N. Chari <schari(at)us.ibm.com>
      Sumeer Bhola <sbhola(at)us.ibm.com>

Original Agenda
      Summary of the first meeting (consensus and open issues, action items
      for the group)
      Decide on how to proceed with an OpenAjax Alliance security white
      paper (including security best practices)
            If / how to bring in marketing into this discussion
            Building a list of links to materials (resources) on
            web/mashup/ajax security
      Discussion of recent publications (MashupOS, IBM Ajax security white
      Discuss how to proceed in defining and documenting use cases that
      will drive the ongoing security discussion
            See http://www.openajax.org/member/wiki/Security_Use_Cases
      Any other business?
      Date/time for follow-up task force phone call
      Wrap up


Larry reviewed the last call. Jon has updated the web pages and started a wiki
page on use cases at http://www.openajax.org/member/wiki/Security_Use_Cases

Larry raised the issue of use cases and what we should document as use
cases. Secure mashups seem to be the focus area: both client-side and
server-side mashups. Perhaps also federated identity, where we really need to
get the use cases nailed down.

Another set of documentation could be best practices/security issues. Lots of
articles already exist. David Boloker pointed out that while many articles
exist, there is a lot of FUD and contradictory information. We need to
decide on a few issues to focus on and put pointers to a select few
articles. This was also emphasized by Bertrand Le Roy, who felt that even if
articles existed we could describe the issues and then point to the right

It was agreed that we need to write up use cases. Discussion of what the
purpose of these was: both an educational and a technical role.

Naohiko Uramoto asked whom we are targeting these use cases at. Currently
targeted at the developer. Discussion on whether we need to target the

Jon pointed out that we need to have multiple use cases covering the
various entities in a mashup application.

Sachiko Yoshihama talked about covering the different trust models.

Yuecel talked about understanding what the trust infrastructure is for
web 2.0 applications, i.e. for trust in the traditional sense we need a PKI.
What's the equivalent for web 2.0?

Larry asked for volunteers for the use cases:
      Larry volunteered to document a portal-like use case
      Naohiko volunteered a scenario motivated by attacks
      Bertrand volunteered a web-services-based use case
      Gideon Lee volunteered to document a use case based on a webtop

Larry asked if there were any thoughts on the various solutions proposed by
various parties for the secure mashup problem.
      Jon expressed some misgivings about the MashupOS paper. Felt they
      were trying to adapt the desktop security model to the mashup
      Michael Steiner felt that we should maybe have a wiki page on the
      various technologies and options and have a discussion on the wiki.
      This was agreed to.
      Everyone felt that we need a social-computing-related scenario.
      Gideon pointed out that we need to discuss some related issues, such
      as the case where spammers put a transparent iframe over legitimate
      content; a click would take the user to the spammer's site.
      Larry and Michael pointed out that there was work on addressing flaws
      in GUI logic. See paper:
      which was presented in IEEE S&P 2007

Todos from this call:

1. We need to document use cases pointing out the various stakeholders and
the security issues

      Larry: portal-based scenario
      Naohiko: scenario with code injection/CSRF, social-networking based
      Bertrand: web-service-based scenario
      Gideon: webtop-related sandboxing
      Yuecel: alternative web-service-based scenario

2. Wiki page with the various alternatives for mashup security
      Suresh Chari to make initial wiki page

3. Next meeting: 13th.