TAG Update
23 September 2015
Daniel Appelquist (@torgo)
Independent Consultant &
Co-Chair, Technical Architecture Group
What is the TAG?
Special group in W3C chartered to:
- document and build consensus around principles of Web architecture and to interpret and clarify these principles when necessary;
- resolve issues involving general Web architecture brought to the TAG;
- help coordinate cross-technology architecture developments inside and outside W3C.
5 elected, 3 appointed, 1 chair (Tim), 1 staff contact (Yves)
The TAG
Tim Berners-Lee (W3C, Chair)
Daniel Appelquist (Invited Expert, Chair)
Yves Lafon (W3C, staff contact)
Travis Leithead (Microsoft)
Peter Linss (HP, Chair)
Mark Nottingham (Akamai)
Alex Russell (Google)
Yan Zhu (Yahoo!)
Hadley Beeman (W3C Invited Expert)
David Baron (Mozilla, not shown)
Current work of the TAG
- Pondering deep questions about the web
- Writing stuff: findings and other output
- Spec reviews
- Joint work with other groups
- Play a role in cross-organization liaisons
- Community engagement
Spec Reviews
The TAG's “Heartbeat”
WebRTC IP Address Leakage
https://github.com/w3ctag/spec-reviews/issues/14
- WebRTC feature being used for tracking
- TAG took this up at Berlin f2f in July
- Promoted our “unsanctioned tracking” finding
- Issue taken up by WebRTC group
(http://www.w3.org/2015/09/09-webrtc-minutes.html#item06)
Finding: Securing the Web
- Moving the Web to https
- Motivations thereof
- Coordinating with the web community
Finding: End-to-End Encryption
- A follow-up to “securing the web”
- Adding our voice to advocates of e2e encryption
- Wading slightly into policy territory – intentionally and (we think) appropriately
Finding: Unsanctioned Web Tracking
- Explicitly calling out inappropriate use of web technology for tracking purposes as harmful and against web architecture
Advocate Our Position
Joint work: Secure Contexts
- Née “Privileged Contexts,” née “Powerful Features”
- Joint work with the Web Application Security Group
What's a Powerful Feature?
- The feature provides access to sensitive data
- The feature provides access to sensor data on a user’s device
- The feature provides access to or information about other devices a user has access to
- The feature exposes temporary or persistent identifiers
- The feature introduces some state for an origin which persists across browsing sessions
- The feature manipulates a user agent’s native UI in some way which could trick the user
- The feature requests user permission
…and the web is adding more and more of these, all the time.
Joint Work: Security & Privacy Self-Review
Ongoing Work: That “s”…
- Tim Berners-Lee challenged the web security community: could we move towards a TLS-encrypted http world? http://www.w3.org/DesignIssues/Security-NotTheS.html
- Dovetails with work in the http wg on opportunistic encryption
- Issues such as: would an https TLS-negotiated session be semantically equivalent to an http TLS-negotiated session?
- What about when full TLS cannot be negotiated?
- cf. http://discourse.wicg.io/t/is-https-everywhere-harmful/821 and http://discourse.wicg.io/t/getting-a-little-bit-formal-about-securing-all-the-web/835
- At last TAG f2f we agreed to try to set up a session on this topic at W3C TPAC meeting in Sapporo
We're on github: https://github.com/w3ctag
Follow @w3ctag on Twitter
TAG Update for GSMA WWG
TAG Update for September 2015 GSMA WWG Meeting