See also: Security Activity Statement
Web Security is a collaborative effort; W3C coordinates some of that work in its Security Activity, within the Technology & Society Domain.
The Web Security Wiki serves as a place for interested parties in the Web security community to collect information about security aspects of specifications and implementations of Web technologies.
The security needs of modern Web applications are a major focus area of the Security Activity.
The Web Application Security Working Group has taken up work on the Content Security Policy specification, and is progressing the Cross-Origin Resource Sharing specification toward Recommendation. The goal of this work is to enable secure mash-ups, and to create a more robust Web security environment through light-weight policy expression that meshes with HTML5's built-in security policies. The group additionally aims to address clickjacking issues.
The Web Cryptography Working Group is motivated by the emergence of more complex protocols executed between Web applications. The group is chartered to develop a Recommendation-track document defining an API that enables the development of such protocols. API features will include message confidentiality and authentication services, and exposing trusted cryptographic primitives from the browser. This will promote higher security on the Web as developers will no longer have to create their own or use untrusted third-party libraries for cryptographic primitives.
The XML Signature Working Group was a successful joint effort of W3C and IETF to develop an XML-compliant syntax used for representing the signature of Web resources and portions of protocol messages, and procedures for computing and verifying such signatures. The Working Group has concluded successfully. Its mailing list continues to operate.
Its deliverables included the Canonical XML 1.0 ("C14N") specification, which was subsequently found incompatible with xml:id version 1.0 and XML Base. The XML Core Working Group (part of the XML Activity) has published Canonical XML 1.1 as a Proposed Recommendation, which is currently under Advisory Committee Review.
For a more detailed discussion see Known Issues with Canonical XML 1.0. A proposal for propagating these changes to XML Signature Syntax and Processing is outlined in Using XML Digital Signatures in the 2006 XML Environment.
The XML Encryption Working Group was a successful effort to develop a process for encrypting/decrypting digital content (including XML documents and portions thereof) and an XML syntax used to represent the (1) encrypted content and (2) information that enables an intended recipient to decrypt it.
The XML Key Management Working Group developed a specification of an XML application/protocol that allows a simple client to obtain key information (values, certificates, management or trust data) from a web service. The Working Group concluded successfully.
The XML Security Working Group is chartered to take next steps with the XML Security specifications, based on the results from the September 2007 Workshop on Next Steps for the XML Security Specifications (report).
While not formally part of the Security Activity, the Device APIs and Policy Working Group is chartered to specify a set of APIs for web applications and widgets that grant these applications access to security- and privacy-sensitive information and services. The group will also consider appropriate security frameworks and policies.
Wendy Seltzer, Security Activity Lead