Security at W3C
Web Security is a collaborative effort across the Web ecosystem; W3C coordinates some of that work in its Security Activity. Among the work we are doing to help secure Web applications and Web usage:
The Web Authentication Working Group develops recommendation-track specifications defining an API, as well as signature and attestation formats which provide an asymmetric cryptography-based foundation for authentication of users to Web Applications. Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage while respecting the Same Origin Policy.
WebAppSec is developing specifications including Content Security Policy (CSP), UI Security, Subresource Integrity, Mixed Content, Secure Contexts, Referrer Policy, Credential Management, Clear Site Data, and more. This work aims to enable secure mash-ups, address click-jacking, and to create a more robust Web security environment through light-weight policy expression and APIs.
The Web Payments Interest Group provides a forum for technical discussions to identify use cases and requirements for existing and/or new specifications to ease payments on the Web for users (payers) and merchants (payees), and to establish a common ground for payment service providers on the Web Platform. Security and secure authentication will be critical elements of success. The Web Payments Working Group will build standard APIs enabling users to register payment instruments (such as credit cards or payment services) and select the right payment type through the browser, making payments faster, more secure, and easier, particularly on mobile devices.
Motivated by the emergence of more complex protocols executed between Web applications, the WebCrypto group is defining an API to expose trusted cryptographic primitives from the browser. API features will include message confidentiality and authentication services, as building blocks for improved Web security.
RECOMMENDATION: Web Cryptography API
The Web Security Interest Group serves as a forum for discussion about improving standards and implementations to advance the security of the Web.
Related Work: Privacy
The Privacy Interest Group watches for ongoing privacy issues affecting the Web, investigates potential areas for new privacy work, and provides guidelines and advice for addressing privacy in standards development.
Related Work: Technical Architecture Group (TAG)
The TAG is responsible for the security, sanity, and layering of the overall web platform.
Community Group: Hardware Based Secure Services
How should the Web interface to hardware-based secure services, and what features can be provided by hardware tokens, TEEs, TPMs, in areas of identification, cryptography, and payments? The CG is starting work on draft APIs for Transaction Confirmation and Secure Credential Storage.
XMLSec produced three W3C Recommendations: a stable interim set of 1.1 specifications. The XML Signature 1.1 and XML Encryption 1.1 specifications clarify and enhance the previous specifications without introducing breaking changes. XML Signature Properties outlines the syntax and processing rules and an associated namespace for properties to be used in XML Signatures.
Past related events
- TPAC 2017, Burlingame, CA
- Web Authentication WG F2F, May 13, 2016, Berlin
- Web Application Security WG F2F, May 16-17, 2016, Mtn. View
- Blockchain and the Web Workshop June 29-30, 2016, MIT
- Web Payments IG F2F, July 1, 2016
- Web Payments WG F2F, July 2016
- TPAC 19-23 September, 2016, Lisbon
- Web Authentication WG F2F, February 13, 2017, San Francisco
- Hardware Security CG F2F
- Web Payments IG Face-to-Face, 22 February 2016, San Francisco, CA
- Web Payments WG Face-to-Face, 23-24 February 2016, San Francisco, CA
- Web Authentication WG Face-to-Face, 4 March 2016, San Francisco, CA
- Meetings of the Web Application Security WG, Web Payments IG, Web Payments WG, and Privacy IG at TPAC 26-30 October 2015, Sapporo, Japan
- Web Payments IG Face-to-Face Meeting, 2-4 February, 2015, Utrecht, NL
- WebCrypto and WebAppSec Face-to-Face meetings at TPAC 27-31 Oct 2014
- Workshop: Web Cryptography Next Steps: Authentication, Hardware Tokens and Beyond (Mountain View, CA, USA, 10-11 Sept., 2014)
- Workshop: Web & Payment: How do you want to pay? (Paris, France, 24-25 March, 2014)
- STRINT: A W3C/IAB workshop on Strengthening the Internet Against Pervasive Monitoring (London, England, 28 February - 1 March, 2014)