Security Minutes 2007-08-10
From MemberWiki
URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-08-10
OpenAjax Alliance Security Task Force minutes 2007-08-10
Attendees
- Yuecel Karabulut <yuecel.karabulut(at)sap.com>
- Larry Koved <koved(at)us.ibm.com>, chair
- Jon Ferraiolo <jferrai(at)us.ibm.com>
- Xiaofeng Fan <xiaoffan(at)microsoft.com>
- Todd Kaplinger <todkap(at)us.ibm.com>
- Michael Steiner <msteiner(at)us.ibm.com>
- Naohiko Uramoto <uramoto(at)jp.ibm.com>
- David Boloker <boloker(at)us.ibm.com>
- Frederik De Keukelaere <eb41704(at)jp.ibm.com>
- Suresh N. Chari <schari(at)us.ibm.com>
- Sumeer Bhola <sbhola(at)us.ibm.com>
Original Agenda
- Wrap up the white paper
- resources wiki pages
- comm/interop/security convergence
- server/proxy security issues
- Wrap up
Minutes
- White paper -- Jon
  - Minor editing on the wiki from about 10 people. Mostly security folks.
  - Full editorial pass by marketing (SAP).
  - Close to the end.
  - A couple of minor editorial items identified by Shel.
  - Marketing is ready to go publish.
  - Xiaofeng: can links, such as www.abc.com (understanding the same origin policy section of the paper)?
  - Jon: once pulled out of the wiki, it will no longer be a live link.
- Resources wiki -- started by Sachiko
  - Naohiko: had discussion with the Microsoft team. Have initial agreement.
  - Jon: Is the set of topics the right topics? Best breakdown? ???
  - Good breakdown for the first pass. May need to add some sections, such as XSS, CSRF, and DoS.
  - Jon: For each topic, e.g., testing tools, do we want to give an overview and put into context the purpose of the content/links?
  - IBM TRL (Sachiko/Naohiko) to contribute more to this page. Does Microsoft have some resource references to contribute? Others on the Security TF?
  - Xiaofeng: Watchfire, which has testing tools.
  - Resume discussion next time.
- Communication TF & Interop Working Group
  - Jon reports status.
  - Comm TF: how to move forward? What working groups are needed?
  - Disband the task force, and move the work to the Interop WG, which includes Comet.
  - Hub 1.1 features are off and running and will be done within the Interop WG.
  - Consensus appears to be to move this into open source.
  - Implement and then write the spec.
  - Michael Steiner: Don't we need test cases if we were to implement & then specify?
  - Jon: Agree. Not sure how to make this happen. Would need something like a mini-mashup app that doesn't do much, but would validate the ideas.
  - Michael: For Hub 1.0, can we use some of the test cases from that exercise?
  - Jon: Mini-mashup or interop demos?
  - Larry: How to get some code for testing?
  - Jon: Create a branch/tree in the repository and bring it up in the interop working group. Propose how to move into the main line.
  - Jon: Had written the interop test code template, with some help. 12 companies took those templates and then refined them to build out.
  - Jon: We have the use cases on the security page.
  - Jon: Comm has use cases. However, the security use cases are better fleshed out.
  - Jon: will send out setup process details. Explain where to put your sandbox efforts.
- Server / proxy side security issues
  - Michael: Server side only, as well as server side issues which impact the client.
  - Larry: start to add these issues to the use cases web pages. Then follow up with additions to the security approaches pages.
  - Xiaofeng: Trust issues when logic moves from server to client. Will contribute some text for the wiki's use cases.
- Next meeting: September.
  - OpenAjax Alliance meeting September 27 in Mountain View. Hosted by Microsoft. (Friday will be a mobile workshop.) Security TF meeting on Friday? At SAP in Palo Alto on Page Mill? Or in Menlo Park, which can hold 20-25 people.
  - Maybe have a security item on the agenda on September 27 since there will be greater participation.
  - Need to decide on an agenda for a f2f meeting.
