W3C Technology and Society Domain

See also: Security Activity Statement

W3C Security Home

Security online is a vast field that is being worked on by a number of organizations, including W3C. Mapping the entire field would be a huge endeavor; hence, this page focuses on work that W3C is involved in.

The traditional W3C Security Resources page is no longer maintained, but remains online for archival purposes.

Web Security Context Working Group

The Web Security Context Working Group (part of the Security Activity) is chartered to specify a baseline set of security context information that should be accessible to Web users, and practices for the secure and usable presentation of this information, to enable users to come to a better understanding of the context that they are operating in when making trust decisions on the Web.

This working group follows up on the March 2006 W3C Workshop on Transparency and Usability of Web Authentication (report).

The group has finished work on its use case and requirements note, and is aiming for a Last Call in June 2008 for its recommendation track deliverable.

XML Security Specifications: Signature, Encryption, and Key Management

The XML Signature Working Group was a successful joint effort of W3C and IETF to develop an XML-compliant syntax used for representing the signature of Web resources and portions of protocol messages, and procedures for computing and verifying such signatures. The Working Group has concluded successfully. Its mailing list continues to operate.

Its deliverables included the Canonical XML 1.0 ("C14N") specification, which was subsequently found incompatible with xml:id version 1.0 and XML Base. The XML Core Working Group (part of the XML Activity) has published Canonical XML 1.1 as a Proposed Recommendation which is currently under Advisory Committee Review.

For a more detailed discussion see Known Issues with Canonical XML 1.0. A proposal for propagating these changes to XML Signature Syntax and Processing is outlined in Using XML Digital Signatures in the 2006 XML Environment.

The XML Encryption Working Group was a successful effort to develop a process for encrypting/decrypting digital content (including XML documents and portions thereof) and an XML syntax used to represent the (1) encrypted content and (2) information that enables an intended recipient to decrypt it.

The XML Key Management Working Group developed a specification of an XML application/protocol that allows a simple client to obtain key information (values, certificates, management or trust data) from a web service. The Working Group concluded successfully.

The XML Security Specifications Maintenance Working Group is chartered to address the specific issues surrounding Canonical XML, XML Signature, and the Decryption Transform for XML Signature with respect to interactions with the current XML environment. The Working Group has mostly finished work on its main deliverables. A charter for follow-up work is under Advisory Committee review; that charter is based on the results from the September 2007 Workshop on Next Steps for the XML Security Specifications (report) that was organized by the Working Group. The Working Group contributed to the XML Core Working Group's efforts toward Canonical XML 1.1, and has published XML Signature 2nd Edition as a Proposed Edited Recommendation, currently under Advisory Committee review.

Web Applications / AJAX

Much of the power of Web applications comes from their ability to direct clients to access resources elsewhere on the net. At the same time, these abilities create risks: they might enable the use of Web applications to access controlled resources using the client's privileges; they might enable Web applications to steal clients' credentials; they might enable the use of clients as attack platforms against third parties; and so on. The more flexible and powerful these interfaces are, the higher the related risks. At this point in time, there is no comprehensive answer to the trade-offs involved.

Thomas Roessler, Security Activity Lead
$Id: Overview.html,v 1.27 2008/03/31 14:45:48 roessler Exp $