[OpenAjaxSecurity] Minutes phone call today 2007-08-10

Jon Ferraiolo jferrai at us.ibm.com
Fri Aug 10 14:29:50 PDT 2007

Security Minutes 2007-08-10

URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-08-10

OpenAjax Alliance Security Task Force minutes 2007-08-10

Attendees
      Yuecel Karabulut <yuecel.karabulut(at)sap.com>
      Larry Koved <koved(at)us.ibm.com>, chair
      Jon Ferraiolo <jferrai(at)us.ibm.com>
      Xiaofeng Fan <xiaoffan(at)microsoft.com>
      Todd Kaplinger <todkap(at)us.ibm.com>
      Michael Steiner <msteiner(at)us.ibm.com>
      Naohiko Uramoto <uramoto(at)jp.ibm.com>
      David Boloker <boloker(at)us.ibm.com>
      Frederik De Keukelaere <eb41704(at)jp.ibm.com>
      Suresh N. Chari <schari(at)us.ibm.com>
      Sumeer Bhola <sbhola(at)us.ibm.com>

Original Agenda
      Wrap up the white paper
      resources wiki pages
      comm/interop/security convergence
      server/proxy security issues
      Wrap up

Minutes
      White paper -- Jon
            Minor editing on the wiki from about 10 people. Mostly security
            folks.
            Full editorial pass by marketing (SAP).
            Close to the end
            A couple of minor editorial items identified by Shel.
            Marketing is ready to go publish
            Xiaofeng: can links such as www.abc.com (in the "understanding
            the same origin policy" section of the paper) stay as live links?
                  Jon: once pulled out of the wiki, it will no longer be a
                  live link.
      Resources wiki -- started by Sachiko
            Naohiko: had discussion with the Microsoft team. Have initial
            agreement.
            Jon: Is the set of topics the right set of topics? Is it the best
            breakdown?
                  Good break down for the first pass. May need to add some
                  sections, such as XSS and CSRF, and DoS.
            Jon: For each topic, e.g., testing tools, do we want to give an
            overview and put into context the purpose of the content/links?
            IBM TRL (Sachiko/Naohiko) to contribute more to this page. Does
            Microsoft have some resource reference to contribute? Others on
            the Security TF?
                  Xiaofeng: Watchfire, which has testing tools.
                  Resume discussion next time.
      Communication TF & Interop Working Group
            Jon report status
            Comm TF: how to move forward? What working groups needed?
                  Disband the task force, and move the work to the Interop
                  WG, which includes Comet.
            Hub 1.1 feature work is off and running and will be done within
            the Interop WG.
            Consensus appears to be to move this into open source
                  Implement and then write the spec.
                  Michael Steiner: Don't we need test cases if we were to
                  implement and then specify?
                  Jon: Agree. Not sure how to make this happen. Would need
                  something like a mini-mashup app. that doesn't do much,
                  but would validate the ideas.
                  Michael: For Hub 1.0, can we use some of the test cases
                  from that exercise?
                  Jon: Mini-mashup or interop demos?
                  Larry: How to get some code for testing?
                  Jon: Create a branch/tree in the repository and bring it
                  up in the interop working group. Propose how to move into
                  the main line.
                  Jon: Had written the interop test code template, with
                  some help. 12 companies took those templates and then
                  refined them to build them out.
                  Jon: We have the use cases on the security page.
                  Jon: Comm has use cases. However, the security use cases
                  are better fleshed out.
                  Jon: will send out setup process details. Explain where
                  to put your sandbox efforts.
      Server / proxy side security issues
            Michael: Server side only, as well as server side issues which
            impact the client.
            Larry: start to add these issues to the use cases web pages.
            Then follow up with additions to the security approaches pages.
            Xiaofeng: Trust issues when logic moves from server to client.
            Will contribute some text for the wiki's use cases.
      Next meeting: September.
      OpenAjax Alliance meeting September 27 in Mountain View. Hosted by
      Microsoft. (Friday will be a mobile workshop.) Security TF meeting on
      Friday? At SAP in Palo Alto on Page Mill? Or in Menlo Park, which can
      hold 20-25 people.
            Maybe have a security item on the agenda on September 27 since
            there will be greater participation.
            Need to decide on an agenda for a f2f meeting