[OpenAjaxSecurity] Minutes phone call today 2007-08-10
jferrai at us.ibm.com
Fri Aug 10 14:29:50 PDT 2007
Security Minutes 2007-08-10
OpenAjax Alliance Security Task Force minutes 2007-08-10
Yuecel Karabulut <yuecel.karabulut(at)sap.com>
Larry Koved <koved(at)us.ibm.com>, chair
Jon Ferraiolo <jferrai(at)us.ibm.com>
Xiaofeng Fan <xiaoffan(at)microsoft.com>
Todd Kaplinger <todkap(at)us.ibm.com>
Michael Steiner <msteiner(at)us.ibm.com>
Naohiko Uramoto <uramoto(at)jp.ibm.com>
David Boloker <boloker(at)us.ibm.com>
Frederik De Keukelaere <eb41704(at)jp.ibm.com>
Suresh N. Chari <schari(at)us.ibm.com>
Sumeer Bhola <sbhola(at)us.ibm.com>
Wrap up the white paper
resources wiki pages
server/proxy security issues
White paper -- Jon
Minor editing on the wiki from about 10 people. Mostly security
Full editorial pass by marketing (SAP).
Close to the end
A couple of minor editorial items identified by Shel.
Marketing is ready to go publish
Xiaofeng: can links, such as www.abc.com (understanding the
same origin policy section of the paper)?
Jon: once pulled out of the wiki, it will no longer be a
Resources wiki -- started by Sachiko
Naohiko: had discussion with the Microsoft team. Have initial
Jon: Is the set of topics the right topics? Best
Good break down for the first pass. May need to add some
sections, such as XSS and CSRF, and DoS.
Jon: For each topic, e.g., testing tools, do we want to give an
overview and put into context the purpose of the content/links?
IBM TRL (Sachiko/Naohiko) to contribute more to this page. Does
Microsoft have some resource reference to contribute? Others on
the Security TF?
Xiaofeng: Watchfire, which has testing tools
Resume discussion next time.
Communication TF & Interop Working Group
Jon report status
Comm TF: how to move forward? What working groups needed?
Disband the task force, and move the work to the Interop
WG, which includes Comet.
Hub 1.1 features are off and running and will be done within the
Consensus appears to be to move this into open source
Implement and then write the spec.
Michael Steiner: Don't we need test cases if we were to
implement & then specify?
Jon: Agree. Not sure how to make this happen. Would need
something like a mini-mashup app. that doesn't do much,
but would validate the ideas.
Michael: For Hub 1.0, can we use some of the test cases
from that exercise?
Jon: Mini-mashup or interop demos?
Larry: How to get some code for testing?
Jon: Create a branch/tree in the repository and bring it
up in the interop working group. Propose how to move into
the main line.
Jon: Had written the interop test code template, with
some help. 12 companies took those templates and then
refined them to build out.
Jon: We have the use cases on the security page.
Jon: Comm has use cases. However, the security use cases
are better fleshed out.
Jon: will send out setup process details. Explain where
to put your sandbox efforts.
Server / proxy side security issues
Michael: Server-side only, as well as server-side issues that
impact the client.
Larry: start to add these issues to the use cases web pages.
Then follow up with additions to the security approaches pages.
Xiaofeng: Trust issues when logic moves from server to client.
Will contribute some text for the wiki's use cases.
Next meeting: September.
OpenAjax Alliance meeting September 27 in Mountain View. Hosted by
Microsoft. (Friday will be a mobile workshop) Security TF meeting on
Friday? At SAP in Palo Alto on Page Mill? Or in Menlo Park, which can
hold 20-25 people.
Maybe have a security item on the agenda on September 27 since
there will be greater participation.
Need to decide on an agenda for a f2f meeting