SecurityEngineering/MeetingNotes/10-25-12: Difference between revisions
Revision as of 22:04, 1 November 2012
Standing Agenda
- Q4 Goals Recap
- Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Additional Items
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/10-18-12
Q4 Goals
- Land CSP 1.0
- Deliver integrated Payments and ID for B2G
- Host security community event
Roundtable
Tanvi
- Working on a list of, and tests for, protocol handlers that should be accepted on HTTPS pages (things that don't cause mixed content warnings/blocking)
dkeeler
- c2p - worked out what we're gonna block, couple of follow ups, but nothing huge
- bug for permissions thing (bug 746374)
- Info page on why each thing is blocked -- already info in the question mark in c2p UI
- (for certain plugin overlays (e.g. blocked, unsupported, etc.), there is a question mark you can click - we just have to hook this up to c2p overlays)
- next up: working on certificate blocklisting
ddahl
- b2g permissions stuff landed
- working on contributors to help implement web crypto stuff in gecko
- making progress on getRandomValues()
- leading session segment at TPAC about new ideas for web crypto API stuff
lucas
- nothing super exciting
kathleen
- Working on updating the Mozilla CA certificate policy around intermediate certificates
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
- unconstrained/unaudited subordinates need better control, getting close
- OCSP stapling is making progress (in NSS)
- TLS 1.1 is in NSS 3.14 - https://wiki.mozilla.org/TLS_1.1_/_1.2_Support
- TLS 1.2 is not being worked on yet.
sid
- talks in Indiana.
- CSP to academic researchers
- Privacy/Data collection and what tools you can use to protect yourself.
bsmith
- while working on refactoring code, wanted to break APIs and checked to see what types of extensions use the APIs.
- Things add-ons are doing to hook in the cert validation/exception APIs:
- rewriting the cert error page (by detecting if the current URL is the cert error page)
- nsICertOverrideService -- adding exceptions
- used bluntly to solve a problem with a cert and not always appropriately
- many add permanent exceptions, but these persist after the add-on is removed which is weird