From MemberWiki

URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-07-27

Contents 1 OpenAjax Alliance Security Task Force minutes 2007-07-27 1.1 Attendees 1.2 Original Agenda 2 Minutes 2.1 Topic: Security white paper: Jon F 2.2 Topic: Comm Hub TF -- Jon F 2.3 Topic: Next meeting in 2 weeks.

OpenAjax Alliance Security Task Force minutes 2007-07-27

Attendees

• Larry Koved <koved(at)us.ibm.com>, chair
• Jon Ferraiolo <jferrai(at)us.ibm.com>
• Xiaofeng Fan <xiaoffan(at)microsoft.com> -- @ MSR working with Helen Wang
• Naohiko Uramoto <uramoto(at)jp.ibm.com>
• Sachiko Yoshihama <SACHIKOY(at)jp.ibm.com>
• Yuecel Karabulut <yuecel.karabulut(at)sap.com>
• David Boloker <boloker(at)us.ibm.com>
• Frederik De Keukelaere <eb41704(at)jp.ibm.com>
• Suresh N. Chari <schari(at)us.ibm.com>
• Sumeer Bhola <sbhola(at)us.ibm.com>

Original Agenda

• Summary of the third meeting (consensus and open issues, action items for the group)
• WP3 - Ajax and Mashup Security security white paper
  • See work in progress: http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security
• Mashup Security Approaches (work in progress)
  • See work in progress: http://www.openajax.org/member/wiki/Mashup_Security_Approaches
• Date/time for follow-up task force phone call
• Wrap up

Minutes

Reviewed minutes

Topic: Security white paper: Jon F

• Took IBM DeveloperWorks article and updated some sections that were just overviews. They are now completed. Need to do reviewing and editing. A section was also added on innerHTML.
• Question remains on the GreaseMonkey section, as well as the "resources" section.
• So, it is now time to review & edit it. These are a Marketing activity.
• What to do with GreaseMonkey section? Recommend taking it out. It is more for fringe developers. Sachiko and Naohiko agree the section should be removed. Perhaps make some general comments about plug-ins. Jon agrees.
• Uramoto -- need some more discussion on browser-specific behavior. However, that may be for another paper.
• Section 2.3 is about attack scenarios. Jon: add 2.3.3 which discusses browser extensions. Basically, browsers go to great lengths to provide security. Extensions may allow attackers to do bad things. Often these extensions don't have the same attention to security as the browser itself. Jon will fill this in.
• Suresh: Section 2.5.2 mentions vulnerability checking tools. However, we don't point to specific tools. This seems like an ineffective recommendation without recommendations. Xiaofeng will see what tools will be in Visual Studio. He will try to get info. There is Watchfire. There are other commercial services / tools. These will be listed in the resources.
• Jon F. --
  • Resource section. Remove it? Put it on the Wiki page? So, the paper ends with the Conclusion. The resource section would be a link to the new Resources wiki page.
  • On the Resource page, categorize the resources.
  • Sachiko will set up the resource page. Jon will create the page and let Sachiko know where it is.
• Xiaofeng -- different use cases result in different attack scenarios. Proposed: new section 2.2 and 2.3 that examine existing use cases? He will create a draft and mail it the white paper authors. Will send a draft by next Monday.
• The author list? Other OAA papers do not have names. Remove the names from the Wiki, but keep the reference to DeveloperWorks.
• Some organization discussion on section 2.3 and the section titles. Some consistence needs to be applied here.
• Suresh: Xiaofeng had suggested techniques for creating mashups. As such, there are unsafe practices that can result in vulnerabilities.
• Yuecel: found new paper, which may not be included. Another IBM DeveloperWorks article. He will update the wiki with a summary of this article.

Topic: Comm Hub TF -- Jon F

• F2F recently
• 4 participants - WIlkins, Wei, Jon, Howard (Tibco)
• Most proposal were coming from these 4
• Nominal agreement on what to propose for next steps
• Comm TF next week and talk with the other members.
• The following week joint meeting between: Security, Comm Hub & Interop
• Comm guys mostly interested in Comet -- server push
  • Sensitive to other use cases, as well as security.
• General approach to support iframes for sandboxing. OA Hub for cross frame communication.
• Fred: how to enable SMash in the hub? Should Fred join the comm TF meeting?
  • Jon: Don't worry about the spec yet. Work on the general approaches. Once working, then work out the issues. Hub TF excited about working w/security
  • Xiaofeng: will ask Bertrand on how MS will work w/Hub, particularly with security
    • Jon: MS will not look at and/or contribute to the open source aspects. Will focus on standards / specs.
• *Jon: Go into the SVN project, create a fork. E.g., create a subdirectory in the sandbox area and work there.

Topic: Next meeting in 2 weeks.

• Possible joint meeting w/communication and interop task forces
• Resume discussion re: white paper
• Discuss SMash and MashupOS

Adjourn