IETF
websec@jabber.ietf.org
Monday, July 29, 2013
nico has set the subject to: http://ietf86streaming.dnsalias.net/ietf/ietf864.m3u

GMT+0
[12:53:59] Ryan Sleevi joins the room
[12:54:12] Ryan Sleevi leaves the room
[12:55:04] Ryan Sleevi joins the room
[12:59:53] andrey.uzunov joins the room
[13:00:54] andrey.uzunov leaves the room
[13:02:57] palmerwebsec joins the room
[13:02:58] yuioku.yj joins the room
[13:03:13] palmerwebsec leaves the room
[13:04:09] Julian joins the room
[13:10:01] jtrentadams joins the room
[13:10:44] andrey.uzunov joins the room
[13:11:10] palmerwebsec joins the room
[13:11:28] andrey.uzunov leaves the room
[13:12:03] roessler joins the room
[13:12:32] PHB joins the room
[13:12:33] <palmerwebsec> Hello everyone
[13:12:38] <PHB> hello
[13:12:49] andrey.uzunov joins the room
[13:14:00] <PHB> audio is clipping, over-amplified
[13:15:17] <PHB> i am using jabber
[13:15:26] <jtrentadams> I will be the voice of the Jabber room
[13:15:33] <Ryan Sleevi> Thanks jtrentadams
[13:15:38] <palmerwebsec> thanks
[13:15:45] barryleiba joins the room
[13:15:51] <palmerwebsec> can we get less distortion on the mic? :)
[13:15:58] tony.l.hansen joins the room
[13:15:58] <jtrentadams> Make sure you flag your comment you want to the room with something like "MIC:"
[13:16:32] Franck Martin joins the room
[13:17:27] <Ryan Sleevi> Both of us are here on jabber
[13:20:08] lef_jp joins the room
[13:20:41] <PHB> Me!
[13:20:56] <palmerwebsec> Thanks, everyone who read it. :)
[13:20:58] alfredo@pironti.eu joins the room
[13:21:51] <PHB> me
[13:22:05] <PHB> Raising hands is easier on the list
[13:22:15] <PHB> I think both should be supported.
[13:22:45] <jtrentadams> PHB - Do you want to comment on the mic?
[13:22:47] <palmerwebsec> sounds like Jeremy is about to agree with you
[13:23:23] semery joins the room
[13:23:35] <PHB> [mic] As a practical matter pinning is dependent on trust anchor management (if the CA was revoked the pins MUST be). This is something that is going to need to be tracked anyway. CABForum can do that type of thing
[13:24:39] <PHB> in favor of using names
[13:24:42] <jtrentadams> phb in favor of using pins?
[13:24:54] andrey.uzunov leaves the room
[13:25:25] <jtrentadams> PHB - Read into room, thanks.
[13:27:07] andrey.uzunov joins the room
[13:28:02] JeffH joins the room
[13:28:55] <palmerwebsec> MIC: It would have to be SHOULD, not MUST.
[13:29:35] <jtrentadams> Palmer: Overcome by events now that we've moved on to the URI vs Header question?  Or should I queue to make your comment in the room?
[13:29:52] <palmerwebsec> It's OK, we'll discuss it on the mailing list.
[13:29:56] <palmerwebsec> Thanks
[13:30:00] <jtrentadams> Ack
[13:30:48] strohi joins the room
[13:31:14] <palmerwebsec> MIC: I agree with Jeff.
[13:31:28] <Ryan Sleevi> As the next slide shows
[13:35:46] Phil Hunt joins the room
[13:36:50] JeffH leaves the room
[13:36:55] <palmerwebsec> thank you everyone!
[13:36:57] JeffH joins the room
[13:37:03] <palmerwebsec> MIC: −09 coming this week.
[13:37:25] <palmerwebsec> OK, I am going to go back to sleep. See you on the mailing list. :)
[13:37:43] <roessler> session continuation is starting
[13:39:30] barryleiba leaves the room
[13:40:34] Wendy Seltzer joins the room
[13:41:23] palmerwebsec leaves the room
[13:41:52] hillbrad joins the room
[13:43:49] <PHB> [mic] The context for this work is that SSL/TLS in the Web browser has been broken twice (BEAST/CRIME) there are two papers at Black Hat presenting purported extensions of that scheme. Relying on bearer tokens (cookies) for authentication is a terrible idea. In the browser the attacker can insert data into the same message in ways that mean bearer tokens will always be vulnerable.
[13:44:43] Phil Hunt leaves the room
[13:46:15] <jtrentadams> PHB: Read to the room.
[13:47:31] g.e.montenegro joins the room
[13:47:53] JeffH leaves the room
[13:48:01] JeffH joins the room
[13:52:23] <hillbrad> balfanz channelID is already in Chrome...
[13:53:11] <PHB> [mic] Browser vendors have disregarded security for years. That is why I designed a proposal that has immediate value in Web Services even though the eventual objective is the browser.
[13:56:22] <PHB> [mic] Browser vendors will often implement a security spec and very quickly when there is a breach. I don't think this is the last Black Hat that will be open season on cookie stealing.
[13:57:14] <jtrentadams> PHB: Read both to the room.
[13:57:48] Ryan Sleevi leaves the room
[13:59:09] <PHB> I have engineers.
[13:59:29] <PHB> [mic] can do an experiment on 2 million browsers deployed
[14:00:05] <PHB> Problem though is that just doing the client does not add a great deal.
[14:00:41] <PHB> yes
[14:00:46] <PHB> mostly outside the us
[14:00:48] <jtrentadams> PHB: Read to the room
[14:01:14] <jtrentadams> 3 people raised hands in the room
[14:01:41] <jtrentadams> Would people read all proposals (assuming 3)?
[14:01:52] JeffH leaves the room
[14:01:55] <jtrentadams> 6 people raised hands
[14:02:00] JeffH joins the room
[14:02:10] <PHB> I am not sure we will continue to have three proposals, can collapse them
[14:04:26] <PHB> sure, will do
[14:04:41] <roessler> (and I’ll be happy to send a note to the webappsec WG to ask for interest.)
[14:04:43] <jtrentadams> PHB: You've been asked in the room whether you'd be willing to leverage your connections via CABForum...
[14:05:01] <PHB> yes, will talk to cabforum
[14:05:08] <jtrentadams> … Is the chat transcript good enough, or would you like me to stand at the MIC?
[14:05:20] <PHB> was planning to do that after we know what the latest BH meltdown is
[14:05:57] <PHB> chat transcript is OK I think
[14:09:35] <PHB> [mic] alternative is for the three proposers to merge into one and publish as experimental then wait for the next breach
[14:10:27] <jtrentadams> PHB: Read into the room.
[14:10:50] andrey.uzunov leaves the room
[14:10:58] <PHB> yes that is what I am saying
[14:11:05] <jtrentadams> PHB: Jeff took a stab at a clarification
[14:11:24] <jtrentadams> Good. Thanks
[14:11:39] <JeffH> welcome
[14:11:41] alfredo@pironti.eu leaves the room
[14:11:42] semery leaves the room
[14:11:43] <jtrentadams> Session is done.  Thanks all.
[14:11:47] Franck Martin leaves the room
[14:12:22] roessler leaves the room
[14:12:23] jtrentadams leaves the room
[14:12:23] lef_jp leaves the room
[14:12:24] PHB leaves the room
[14:14:53] Wendy Seltzer leaves the room
[14:15:43] g.e.montenegro leaves the room
[14:17:41] JeffH leaves the room
[14:19:10] andrey.uzunov joins the room
[14:19:36] andrey.uzunov leaves the room
[14:20:01] barryleiba joins the room
[14:20:03] barryleiba leaves the room
[14:20:30] Wendy Seltzer joins the room
[14:20:54] Wendy Seltzer leaves the room
[14:22:51] yuioku.yj leaves the room
[14:24:26] roessler joins the room
[14:25:01] roessler leaves the room
[14:25:04] roessler joins the room
[14:27:06] strohi leaves the room
[14:46:30] wseltzer joins the room
[15:00:17] wseltzer leaves the room
[15:17:57] roessler leaves the room
[15:18:23] hillbrad leaves the room
[15:32:25] Julian leaves the room
[17:24:22] roessler joins the room
[17:45:50] roessler leaves the room
[17:46:06] tony.l.hansen leaves the room
[20:12:56] roessler joins the room
[21:20:40] roessler leaves the room
[21:21:23] roessler joins the room
[21:41:59] roessler leaves the room
[22:04:59] roessler joins the room
[22:05:45] roessler leaves the room
[22:06:10] Phil Hunt joins the room
[22:13:20] Phil Hunt leaves the room