SecurityEngineering/MeetingNotes/2013-06-30

From MozillaWiki

Agenda and Notes 2014-06-30

CHAIR: Sid


Goal Brainstorming

Core/DOM

revamp gecko security hooks continued - next steps? What are they?
T** Finish code and debugging for New Channel API, start getting reviews and fixing the issues brought up
C *** Get New Channel API landed (we should be able to do that, perhaps without moving content policy check)
T*** Figure out the addon compatibility story
** Bonus - start architecting and implementing new observer service
CSP
SC** get rid of old implementation entirely
GC** CSP 1.1 compliance (finish things needed to line up with draft)
* Subresource Integrity (SRI)? implement or plan out implementation?  evaluate?
** once upon a time, this was implemented - Link fingerprints: bug 377245 (and dependencies)
Referrer control
S ** <meta> referrer control
** CSP referrer directive
** <a rel=noreferrer>
** Make progress on referrer= attribute for other DOM elements

Communications Security


C* hpkp - implement pinning http header
GD* finish ssl error reporting project
R* WebCrypto - next steps? What are they?
K* 2048-bit (RSA) keys required for built-in root anchored certs (policy work)
RC* Enforcing more Baseline Requirements in code
* mozilla::pkix Next Steps -- Documentation, pkix::next bugs. Figure out NSS plan
K* [stretch goal] Get CA Program data into one database, maybe using salesforce.com
RD* Certificate revocation plan -- Need to handle intermediate cert revocations (CRLset-like mechanism -- can use the same mechanism for blocking intermediate certs as needed?)
* Provide tool for checking CA compliance to Mozilla policy and EV-readiness
* Ability to more easily constrain root certificates (name constrain roots)

Tracking Control


GM* Lightbeam/tracking protection in FF (https://bugzilla.mozilla.org/show_bug.cgi?id=1029886) Land a feature in FF33 and FF34 that's off by default to prevent users from connecting to domains that are in a list that we serve
** PR push for 33 around tracking protection

Evangelism


CS * security outreach - Security Open Mic presentation + blog post about new CSP, maybe again as brown bag.
* talk at (web dev) conference?  Be more visible?
B* Knock down TOR browser bundle bugs
** Tor dev conf at Mozilla Paris