Archive for the ‘Security’ Category

Tuesday, December 5th, 2017

Web Authentication Working Draft rev 7 (WD-07) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20171205/

NOTE: the latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/ (so this presently yields WD-07)

Please also note that this spec is a _Working DRAFT_ and will change, possibly in “breaking” ways.

WebAuthn WD-07 features many changes from the prior version, here’s a selected list (for details, see the diffs linked-to below):

Diffs of WebAuthn WD-07 from WD-06:

WD-07 Release Page at github

Sunday, May 7th, 2017

Web Authentication Working Draft rev 5 (WD-05) is officially published here: https://www.w3.org/TR/2017/WD-webauthn-20170505/

The latest official WebAuthn spec release is always available here: https://www.w3.org/TR/webauthn/

Please note that this spec is only a Working DRAFT and will change, possibly in “breaking” ways. While not a candidate recommendation, this version is informally intended by the working group to be an Implementer’s Draft, which will be used for experimenting with implementations of the API.

WebAuthn WD-05 features many significant changes from the prior version:
* Alignment with Credential Management (CredMan): https://w3c.github.io/webappsec-credential-management/
* Using the term Public Key Credentials rather than Scoped Credentials
* Algorithms updated to more precisely define their operations and to be CredMan compatible
* Expanded and more explicit specification of the extensions framework
* Terminology expansion and polishing
* and more…

HTML “inline” Diff: http://www.kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-dda3e24-WD-05–from–index-master-tr-ce7925c-WD-04.html

PDF side-by-side text-only Diff: http://kingsmountain.com/doc/diff/diff-webauthn-index-master-tr-dda3e24-WD-05–from–index-master-tr-ce7925c-WD-04.pdf

WD-05 Release Page at github: https://github.com/w3c/webauthn/releases/tag/WD-05-20170505

Wednesday, November 21st, 2012

RFC6797 “HTTP Strict Transport Security (HSTS)” is now available.

It’s been a long haul to get to this point, and I thank all the folks who have contributed along the way, in particular Collin Jackson and Adam Barth, who had the original idea [ForceHTTPS] and co-authored the spec, and all the other folks who contributed to its gestation (from the Acknowledgements appendix):

The authors thank Devdatta Akhawe, Michael Barrett, Ben Campbell,
Tobias Gondrom, Paul Hoffman, Murray Kucherawy, Barry Leiba, James
Manger, Alexey Melnikov, Haevard Molland, Yoav Nir, Yngve N.
Pettersen, Laksh Raghavan, Marsh Ray, Julian Reschke, Eric Rescorla,
Tom Ritter, Peter Saint-Andre, Brian Smith, Robert Sparks, Maciej
Stachowiak, Sid Stamm, Andy Steingrubl, Brandon Sterne, Martin
Thomson, Daniel Veditz, and Jan Wrobel, as well as all the websec
working group participants and others for their various reviews and
helpful contributions.

Thanks to Julian Reschke for his elegant rewriting of the effective
request URI text, which he did when incorporating the ERU notion into
the updates to HTTP/1.1 [HTTP1_1-UPD]. Subsequently, the ERU text in
this spec was lifted from Julian’s work in the updated HTTP/1.1
(part 1) specification and adapted to the [RFC2616] ABNF.

See also the Wikipedia HSTS article for various other information about HSTS and deploying it.
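The RFC's user-agent processing rules are short but easy to get subtly wrong, so here is a small model of them, added to this page (it is not code from RFC 6797 or from this post): header-field parsing per Section 6.1 (max-age required, includeSubDomains valueless, each directive at most once, unknown directives ignored), the Section 8.1/8.1.1 rules (ignore the header over non-secure transport and for IP-literal hosts, max-age=0 deletes a known host), and known-HSTS-host matching with includeSubDomains per Sections 8.2/8.3. The in-memory `store` dict standing in for a UA's HSTS cache, the function names, and the sample hosts are this example's own assumptions.

```python
"""UA-side processing of the Strict-Transport-Security header, after RFC 6797.

Added example (not code from RFC 6797 or from this post).  Assumption: an
in-memory dict stands in for the UA's HSTS cache, keyed by lower-cased host
name with (expiry_time, include_subdomains) values.  RFC 6797 section 8.1 also
says that when a response carries several STS header fields only the first is
processed; the caller is expected to pass that first field's value here.
"""
import ipaddress
import re
import time

# Section 6.1: directive = token [ "=" ( token | quoted-string ) ], directives
# are separated by ";" and empty directives ("; ;") are permitted by the ABNF.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE_RE = re.compile(
    r'\s*(?:(' + _TOKEN + r')\s*(?:=\s*(?:(' + _TOKEN + r')|"((?:[^"\\]|\\.)*)"))?)?\s*(;|$)'
)


def parse_sts_header(value):
    """Return (max_age, include_subdomains), or None if the field must be ignored.

    Directive names are case-insensitive; max-age is required and must be
    delta-seconds (optionally quoted, as in the RFC's own example);
    includeSubDomains takes no value; a directive may appear only once;
    unrecognized directives are ignored (section 8.1).
    """
    seen = set()
    max_age = None
    include_subdomains = False
    pos = 0
    while True:
        m = _DIRECTIVE_RE.match(value, pos)
        if m is None:
            return None  # syntactically invalid: UA MUST ignore the whole field
        name, tok, quoted, terminator = m.groups()
        if name is not None:
            name = name.lower()
            val = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else tok
            if name in seen:
                return None  # directive appeared twice: non-conforming field
            seen.add(name)
            if name == "max-age":
                if val is None or not re.fullmatch(r"[0-9]+", val):
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                if val is not None:
                    return None
                include_subdomains = True
            # any other directive (e.g. a vendor extension) is ignored
        if terminator == "":
            break
        pos = m.end()
    if max_age is None:
        return None
    return max_age, include_subdomains


def _normalize_host(host):
    return host.strip().lower().rstrip(".")


def _is_ip_literal(host):
    """Section 8.1.1: IP-literal / IPv4address hosts are never noted as HSTS hosts."""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def process_sts_response(store, host, over_secure_transport, sts_value, now=None):
    """Apply section 8.1 to one response; returns True if the cache changed."""
    now = time.time() if now is None else now
    if not over_secure_transport:
        return False  # STS received over non-secure transport is ignored
    host = _normalize_host(host)
    if _is_ip_literal(host):
        return False
    parsed = parse_sts_header(sts_value)
    if parsed is None:
        return False
    max_age, include_subdomains = parsed
    if max_age == 0:
        # 8.1.1: max-age=0 removes a known host (and its includeSubDomains)
        return store.pop(host, None) is not None
    store[host] = (now + max_age, include_subdomains)  # note or update the host
    return True


def is_known_hsts_host(store, host, now=None):
    """Sections 8.2/8.3: congruent match, or superdomain match with includeSubDomains."""
    now = time.time() if now is None else now
    host = _normalize_host(host)
    for known, (expiry, include_subdomains) in list(store.items()):
        if expiry <= now:
            del store[known]  # max-age elapsed: no longer a known HSTS host
            continue
        if known == host:
            return True
        # superdomain match is on label boundaries: "notexample.com" != "example.com"
        if include_subdomains and host.endswith("." + known):
            return True
    return False
```

The label-boundary check in the superdomain match and the IP-literal exclusion are the two places where home-grown HSTS code most often goes wrong; the tests in the RFC's Section 8 examples exercise exactly those.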

=JeffH sez check it out 🙂

Tuesday, October 2nd, 2012

As I’d noted back in July, the draft HSTS spec was in IETF-wide last call, from which we exited in August with various helpful comments. We applied summore elbow grease to the ol’spec and shipped it to the IESG (Internet Engineering Steering Group) for further inspection, received more good comments, subsequently applied more tweaks and polish, and voila(!), this morning we have this little missive in our email…

[websec] Protocol Action: ‘HTTP Strict Transport Security (HSTS)’ to Proposed Standard (draft-ietf-websec-strict-transport-sec-14.txt)

At this point, the draft HSTS spec will be placed on the RFC Editor’s queue (which is fairly large & diverse) and will emerge in several weeks as an RFC with a proper RFC number and all.

Many thanks to all who’ve contributed, especially to Collin Jackson & Adam Barth for originally inventing this approach (which they dubbed “ForceHTTPS“).

=JeffH

PS: The Wikipedia HSTS entry has a consolidated specification history as well as information regarding implementation and deployment.

Wednesday, July 11th, 2012

We’re in the near-final push here on getting the HTTP Strict Transport Security (HSTS) draft spec to be published as an RFC.

The most recent draft version (revision -11 as of this writing) is here..

https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec

And the IESG‘s announcement for IETF-wide Last Call is here..

https://www.ietf.org/mail-archive/web/ietf-announce/current/msg10470.html

We’re coming around the last corner and the finish line is in sight!

See also the Wikipedia entry for HSTS — it has info on the spec’s history, applicability, deployment, and implementations.

Saturday, December 17th, 2011

For illustrations of potential end-user downsides of SOPA and ProtectIP/PIPA, and to do something about them (yes, you), see..

GetYourCensorOn
http://getyourcensoron.com/

Stop American Censorship
http://americancensorship.org/

For what a bunch of folks involved in engineering the Internet think, see..

An Open Letter From Internet Engineers to the U.S. Congress
December 15, 2011 | By Parker Higgins and Peter Eckersley
https://www.eff.org/deeplinks/2011/12/internet-inventors-warn-against-sopa-and-pipa

For some further commentary, see the below (this is just some highlights, you don’t have to look far to find a bunch more out there)..

Some Data On How Much The Big Media Firms Are Donating To SOPA/PIPA Sponsors
http://www.techdirt.com/articles/20111203/00494716961/some-data-how-much-big-media-firms-are-donating-to-sopapipa-sponsors.shtml

YouTube rejects UMG demand – Megaupload Mega Song returns
http://www.nnsquad.org/archives/nnsquad/msg06203.html

SOPA-Rope-a-dope (by Stewart Baker)
http://volokh.com/2011/12/14/sopa-rope-a-dope/

Technical Comments on Mandated DNS Filtering Requirements of H. R. 3261 (“SOPA”)
http://www.circleid.com/posts/20111211_technical_comments_on_mandated_dns_filtering_requirements_sopa/

Sunday, May 8th, 2011

My colleagues Michael Barrett, Andy Steingruebl, and Bill Smith recently authored a whitepaper..

Combating Cybercrime: Principles, Policies, and Programs

..and Michael blogged an executive summary here.

The executive executive summary is:

Technical measures alone cannot significantly address the cybercrime trends, we believe action is needed, and are proposing a multi-faceted regulatory approach. We’re occasionally asked to “list the three things you want us to do.” And while we’re hesitant to say any of these initiatives is more important than any other, in general, we list:

Also, Dave Piscitello, ‘The Security Skeptic’, reviewed the whitepaper here.

=JeffH sez check it out 🙂

Friday, May 6th, 2011

This is sorta old news at this point, the publication was announced on 27 April 2011. Bil Corry and I wrote about the spec in early March (acknowledging the many contributors) when it was approved as ‘proposed standard’ and en-queued to the RFC Editor, and others have written about it (in detail) now that the RFC is actually published, so I’ll just point to ’em here…

Daniel Stenberg – The cookie RFC 6265 (english)
http://daniel.haxx.se/blog/2011/04/28/the-cookie-rfc-6265/

Stéphane Bortzmeyer – RFC 6265: HTTP State Management Mechanism (french)
http://www.bortzmeyer.org/6265.html

Joachim Strömbergson – Cookie-RFCn 6265 (swedish)
http://secworks.se/2011/04/cookie-rfcn-6265/

It feels good to get that out the door!

Tuesday, April 5th, 2011

RFC 6125 “TLS/SSL Server Identity Check” (aka “TLS Server ID Check”, “SSL Server ID Check”, “TLS/SSL Server ID Check”, “SSL Server ID”) is now available:

Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)

http://tools.ietf.org/html/rfc6125

Alas, we messed up by not including this “short form” title directly in the spec:

TLS/SSL Server Identity Check

But hopefully people will know what spec is meant if someone uses that short-form title.

I’ve written about the spec and its background before:

of TLS/SSL Server Identity Checking

Although we produced the spec without a formal working group, many people contributed to it one way or another. From the Contributors and Acknowledgments sections:

The following individuals made important contributions to the text of this document: Shumon Huque, RL ‘Bob’ Morgan, and Kurt Zeilenga.

The editors and contributors wish to thank the following individuals for their feedback and suggestions: Bernard Aboba, Richard Barnes, Uri Blumenthal, Nelson Bolyard, Kaspar Brand, Anthony Bryan, Scott Cantor, Wan-Teh Chang, Bil Corry, Dave Cridland, Dave Crocker, Cyrus Daboo, Charles Gardiner, Philip Guenther, Phillip Hallam-Baker, Bruno Harbulot, Wes Hardaker, David Harrington, Paul Hoffman, Love Hornquist Astrand, Henry Hotz, Russ Housley, Jeffrey Hutzelman, Cullen Jennings, Simon Josefsson, Geoff Keating, John Klensin, Scott Lawrence, Matt McCutchen, Alexey Melnikov, Subramanian Moonesamy, Eddy Nigg, Ludwig Nussel, Joe Orton, Tom Petch, Yngve N. Pettersen, Tim Polk, Robert Relyea, Eric Rescorla, Pete Resnick, Martin Rex, Joe Salowey, Stefan Santesson, Jim Schaad, Rob Stradling, Michael Stroeder, Andrew Sullivan, Peter Sylvester, Martin Thomson, Paul Tiemann, Sean Turner, Nicolas Williams, Dan Wing, Dan Winship, and Stefan Winter.

Thanks also to Barry Leiba and Ben Campbell for their reviews on behalf of the Security Directorate and the General Area Review Team, respectively.

The responsible Area Director was Alexey Melnikov.

(i.e. 59 people besides PeterSA and myself (wow))
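For readers who want to see what the spec actually asks a client to do, here is a small matcher for its Section 6.4 rules, added to this page (it is not code from RFC 6125, nor anything Peter or I shipped): case-insensitive label comparison (6.4.2), the conservative reading of the wildcard rules (6.4.3: the wildcard must be the whole left-most label and matches exactly one label), and the rule that CN-ID is consulted only when the certificate presents no DNS-ID (6.4.4). Representing a certificate as two plain lists of strings, the function names, the “at least two labels after the wildcard” check (common practice, not an RFC 6125 requirement), and the sample names are this example's assumptions; SRV-ID and URI-ID are not modeled.

```python
"""Reference-identifier matching after RFC 6125 (DNS-ID and CN-ID only).

Added example, not code from RFC 6125 or from this post.  Assumptions: the
certificate's presented identifiers arrive as plain lists of strings (SAN
dNSName values and CN values); names are already A-labels (RFC 6125 compares
ASCII labels case-insensitively, so U-labels must be converted first).
"""
import ipaddress
import re

# A DNS label: letters, digits and interior hyphens, at most 63 octets.
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _normalize(name):
    """Lower-case and drop a trailing dot before label-wise comparison."""
    return name.strip().rstrip(".").lower()


def _is_ip_address(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _labels_ok(labels):
    return all(_LABEL_RE.fullmatch(label) for label in labels)


def match_dns_id(presented, reference):
    """Does one presented identifier (DNS-ID, or a CN-ID holding a domain
    name) match the client's reference identifier?"""
    presented = _normalize(presented)
    reference = _normalize(reference)
    # A reference identifier is a concrete name: never a wildcard.  IP addresses
    # are outside RFC 6125's scope (they would need an iPAddress SAN, not a DNS-ID).
    if not presented or not reference or "*" in reference or _is_ip_address(reference):
        return False
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if not _labels_ok(r_labels):
        return False
    if "*" not in presented:
        return p_labels == r_labels  # 6.4.2: exact, case-insensitive, all labels
    # 6.4.3, conservative option: the wildcard must be the entire left-most label,
    # so "baz*.example.net" and "foo.*.example.net" are rejected; a whole-label
    # wildcard also cannot be embedded in an IDN A-label.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False  # "*.com": not an RFC 6125 rule, but widely enforced (assumption)
    if not _labels_ok(p_labels[1:]):
        return False
    # The wildcard matches exactly one label: "*.example.com" does not match
    # "example.com" or "bar.foo.example.com".
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]


def verify_server_identity(reference, san_dns_names, cn_values):
    """6.4.4: if the certificate carries any DNS-ID, the CN-ID is not consulted
    (an SRV-ID or URI-ID would also suppress it; not modeled here)."""
    if san_dns_names:
        return any(match_dns_id(p, reference) for p in san_dns_names)
    return any(match_dns_id(cn, reference) for cn in cn_values)
```

The fallback rule is the part most often skipped in ad-hoc checkers: once a certificate has a dNSName SAN, a matching CN must no longer rescue it, which is exactly what the `san_dns_names` branch enforces.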

Tuesday, March 15th, 2011

As I’ve previously mentioned, I’ve been working on a specification for “TLS/SSL Server Identity Checking” along with Peter Saint-Andre.

We’ve now heard back from the RFC Editor, and we’re in the so-called “AUTH48 state” where we, the spec’s authors/editors, work with the RFC Editor folks to turn the Internet-Draft into an RFC.

At this point we know the RFC number-to-be: 6125.

So, we’re close to getting this thing out the door, whew. 🙂
