The W3C Technical Architecture Group (TAG) issued a set of guidelines for W3C's standardisation efforts in a statement called Securing the Web. The statement is partly in response to the STRINT workshop by STREWS, which it explicitly mentions as a source in the acknowledgements. The IAB issued a similar statement in November, called the IAB Statement on Internet Confidentiality, which the W3C TAG mentions as another source for its own statement.
The W3C TAG stresses that the Web needs to be trustworthy to succeed, which includes authentication (knowing who you're talking to), integrity (information isn't tampered with by third parties) and confidentiality (no eavesdropping). It therefore proposes three guidelines:
- The Web platform should be designed to actively prefer secure communication — typically, by encouraging use of https:// URLs instead of http:// ones (although exceptions like localhost do exist).
- Barriers to adopting https:// should be removed where feasible.
- The end-to-end nature of TLS encryption must not be compromised on the Web, in order to preserve trust.
The statement also describes how these recommendations can be applied in various areas of Web standardisation, inside and outside W3C.
One subtle difference between the statements from the W3C TAG and the IAB is that the former considers authentication inseparable from encryption, while the latter says that, if authentication is not possible, it is still useful to encrypt. (It doesn't stop an active attacker, but does help against a passive one, i.e., one that does not attempt to modify the communication, but only listens in.) This so-called Opportunistic Security was one of the recommendations from the STRINT workshop.
This difference may be due to the fact that the W3C TAG considers only the Web, where by far the most used protocol is HTTP, whose encrypted version, HTTPS, includes authentication; while the IAB considers all Internet protocols, many of which have no encrypted variant at all yet. The W3C TAG does, however, mention that the authentication provided by HTTPS needs improvements and that there is work underway in that area.