WSCWG face-to-face
15 Nov 2006

See also: IRC log


See 14 November minutes
tlr, PHB, billd


intro for the day

MEZ: not quite there to talk about rec-track stuff; would like to recap some stuff from yesterday's discussion ...

IRC log from yesterday: http://www.w3.org/2006/11/14-wsc-irc.html

(There will be a more readable HTML rendering of that.)

<stephenF> is there a keyword in yesterday's log we can search on?

MEZ: Goals ...
... non-goals ...
... assumptions ...
... use cases/scenarios ...
... user test / verification ...
... sec ctx avail ...
... browsers / UAs ...
... content practices ...

<stephenF> (this is the TOC for the note? if so, good)

MEZ: attacks ...
... non-attacks ...

(this is what MEZ is scribbling on the whiteboard)

??: Add in-scope to "goals", out-of-scope to "non-goals"

MEZ: ... flesh out some of the discussion more ...
... good start on available context ...
... some stuff on use cases ...
... got tyler as editor ...

<stephenF> I'd be interested in knowing if any non-goals were agreed yesterday (anytime, not necessarily now)

<stephenF> ok, good

MEZ: what are the stages we plan on doing? How do we validate and/or convince ourselves that we come up with useful recommendations?
... kinds of things I can think of ...
... expert review by HCI community ...
... can do those on paper goods ...
... example scenarios ...
... try to gather expert feedback ...
... other end is user testing ...
... could be paper-based or code/mockup based testing ...
... some HCI folks actually prefer paper-based since people feel their feedback is more useful ...
... all this will require example scenarios ...
... and then there's Phil's early direction: theories and principles ...
... that can range from 7±2 short-term memory ...
... through "dialogue boxes are evil" ...
... through safe staging ...
... related to idiot boxes ...
... might need to pull in basic theories as basis for discussions ...

hal: maybe proposed mechanisms, mock up alternatives ...
... rapid prototyping common in UI development, showing stuff to users ...

(more discussion about usability testing)

<stephenF> (I'm getting more from the IRC than the audio, so I'm going to IRC-only mode now)

MEZ: as standards body hard-pressed to do better than industry or researchers ...

<malware> concise definition of "safe staging" anywhere?

MEZ: there is a substantive amount of research papers ...
... getting test subjects is hard ...

<Yakov> I am also having problems with the audio

<stephenF> it wasn't so much problems, but lack of added-value compared to the excellent scribing

malware: good definition of safe staging?

mez: don't make users make security decisions when they're not ready to
... if you make them make a decision, it'll be a bad one ...

phb: idiot boxes are problem for many reasons ...
... instead of providing good and usable interface, press liability to user ...

billd: dilutes further information that might be important

tlr: use cases ought to be useful for usability testing

mez: yeah, they'll probably be useful
... worry that sometimes security engineering is targeted towards defending stuff against unknown attacks ...

hal: there might be unknown attacks in the use cases

maritza: Would like use cases feed into scenario-based user testing ...
... one of the things I have been thinking about a lot is how to present use cases to user ...
... "decide if site is secure using whatever information you get" ...
... or test some kind of task and then look how securely they do them ...
... if you do it the first well and they fail, that's good information ...
... but if the first one succeeds, it doesn't tell you the mechanism works ...

mez: that comes up a lot in usability testing ...
... lab vs in-the-wild bias ...
... comes back much more strongly when testing for security ...
... security by itself is never main goal ...

maritza: if someone is watching you, you'll always want to be seen paying attention ...

Scribe misses some remarks from MEZ.

tjh: besides published headlines about people walking around streets and giving passwords up for a candy -- is there reliable research?

mez: there is a lot of data out there

<stephenF> "out there" == "where?"

mez: attitudes and what they mean ...

<scribe> out there == research literature

<Pau1> Angela who? I couldn't hear the last name of the researcher.

<stephenF> good if better literature pointers are done, better on the list

<scribe> ACTION: Zurko to put together set of background references [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action02]

<trackbot> Created ACTION-20 - Put together set of background references [on Mary Ellen Zurko - due 2006-11-22].

<scribe> ACTION: maritza to help MEZ with ACTION-20 [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action03]

<trackbot> Created ACTION-21 - Help MEZ with ACTION-20 [on Maritza Johnson - due 2006-11-22].

<Pau1> http://www.cs.ucl.ac.uk/staff/a.sasse/

(discussion about relevant literature)

mez: Need to do some of the usability testing, we'll see how much we can.

Hal: There's issue around recs working on every platform ..
... simple example: Things that you click on are in different places on different platforms ...

mez: good point

phb: stuff that I've been reading on usability is all on testing ...
... have yet to find a book about usability engineering ...
... books say "you design thing, then you test it" ...
... would like to see design principles ...

mez: the design for usability discipline is called: ...
... DESIGN ...
... there's always testing in the life cycle ...
... there's usability design discipline ...
... roles and personas come from that end of spectrum ...
... UI design part craft, part art ...

phb: lots of stuff on the "craft" level?
... what's the model of the user, the mental facilities, etc

mez: design doesn't happen that way
... people aren't like code ...

phb: maximum cap not definable, but you can do a good model of the minimum user ...

tlr: there's a difference between what level we should recommend stuff on, and what level things get tested on

tyler: recommend specific widgets?

hal: there's a level of detail we're probably not going below of ...
... part of the process ought to be how specific we can afford to be ...
... we need to find the point where we ought to specify things ...

malware: one example we had is very simple -- see EV certificates ...
... CA browser forum work ...
... in that case, didn't evolve from spec, but evolved from MS saying we'll implement in a certain way ..
... instead of lock icon and address bar, green background ...
... decided before spec came along ...
... don't remember whether it's in the spec ...
... there's agreement between browser vendors to have certain level of consistency ...
... in MS case, it's white around address bar, changing to light green ...
... in Opera's case, outline around the screen?

hal: do sth like that for SSL?

malware: yellow
... think it's not totally inappropriate to do things kind of high-level -- say things about colors ...
... but don't go into too much of a detail ...
... there's room for specific recommendations, in particular when based on solid usability insights ...
... in that case, can get accepted by browser vendors ...
... stuff that needs to be consistent ...
... high-level spec to ensure that things are consistent ...
... if there's no spec, will just talk to each other to see what to do ...

phb: IE decided to adopt same icon as Firefox for RSS/Atom feeds ...
... people do recognize that there's interest in standardization & using similar cues ...
... if that's better done offline (private agreement) or better done from center ...
... don't know ...
... when you do anything like logotype, at least define increments ...
... for logotype, might give range of specific sizes, e.g. ...
... menu of possible sizes ...
... reduce space of possibilities ...

billd: cues are important to standardize on ...
... cues back are really important -- "this is a shaky certificate" ...
... don't have the cues on your own computer, general sense ...

mez: There's research on attention and security -> reading list

maritza: firefox does URL bar thing, but nobody knows what to look for
... assuming that we do decide on some standard -- when or how is it introduced to the user ...
... users knowing what is going on is important for effectiveness ...

tjh: it's word of mouth or folklore

mez: for standards, it's product uptake

tlr: consistency might help user education

<stephenF> gotta go lecture back in ~1 hr

maritza: didn't know what yellow bar was for, hadn't made connection

tjh: certainly won't work things from release notes

hal: if you've got a standard, then you can advertise

tyler: use this WG to have browser makers agree
... is opera going to discuss results from this WG with development process?

Malware: we'll need to get the guy who implements security stuff involved ...
... Yngve ...
... opportunity to get back to product people ...

<Zakim> malware, you wanted to talk about how to make users aware of security features through UI and to talk about feed icon

malware: how do you make users aware?
... came up with regard to security stuff ...
... users often don't know what something means ...
... one of solutions that have been used ...
... paper clip isn't liked by users -- anti-pattern? ...
... hard to put something into application to alert users ...
... brilliant ideas around? ...
... user education about products without relying on online help ...
... users don't go out of their way to educate themselves ...
... feed icon is actually trademarked by mozilla ...
... they tried to exercise control over its use ...
... things that are intended for widespread use shouldn't be under control of one entity ...

<Yakov> out for 15min

discussion betw malware and tjh about feed icon

tjh: other forms of cueing?

mez: lots of research on this problem
... but there's a lot of reasons why not in products ...

maritza: commenting on clippy ..
... people want to learn about security according to surveys ...
... but don't really buy it ...

tjh: there are ways to get things out

tyler: we might find out that if you need documentation, then it's moot
... studies show that things need to get into interaction ...
... in order to work ...

<Zakim> tlr, you wanted to suggest we come back to the "create something"

tlr, billd: if standard works and is adopted, then user education won't be our problem

mez: goals/non-goals better as summary step?


<scribe> ACTION: bwporter to produce voice browser use case? [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action04]

<trackbot> Sorry, couldn't find user - bwporter

<scribe> ACTION: porter to produce voice browser use case [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action05]

<trackbot> Created ACTION-22 - Produce voice browser use case [on Brandon Porter - due 2006-11-22].

mez: break early ...
... talk about next deliverables ...
... half-hour break now ...

reconvene at 10:42

<scribe> hi george, welcome

<staikos> hello

<staikos> :)

<scribe> ScribeNick: PHB

PHB appointed scribe by royal appointment

Second face-to-face meeting

Thomas: Answers from most participants in the group but 5...
... Answers that we do have: Jan 30th and 31st is best, only 2 conflicts ...

Proposed: Jan 30th to 31st on West coast.

<Pau1> Oh well, I'll be in Provo at a meeting at Novell.

... We checked the APWG and there is no conflict, no meeting that month ...
... Thanks to Hal for the invite. ...

RESOLUTION: next face-to-face 30/31 January in San Jose, hosted by BEA

<tlr> thanks to BEA.

chartered deliverable #2

<staikos> The phone is much clearer today

MEZ: should note be before the rec

Mez: need to talk about all three since have a heartbeat on all of them in the charter
... Discuss best practices for usable auth ...
... Touched a bit yesterday ...
... range of potential outcomes in terms of specificity of best practices
... Thomas made best attempt at formulating what they might look like
... Principles, worked examples for verifying, reusable assets

Hal: what do you mean by these (RSS icon)

Mez: colours for signalling etc

Thomas: shouldn't look for colors at only signalling mechanism -- be clear about what we address

Mez: as a worked problem ...
... people have looked at use of colour
... CHI Computer human interface - put the computer first

Hal: MAN machine interface
... So now it's called HCI

Are practices like patterns?

Hal: have heard people rant about how awful a web page is without giving reasons why it is awful

MEZ: Earliest guidelines on menu placement were an inch thick.
... but once you have toolkit no need for those
... toolkits ensure conformity

<maritza> http://www.useit.com/papers/heuristic/heuristic_list.html

Maritza points us to Jakob Nielsen's list at the URL above

Mez: Nielsen is good,
... I may take literature with poetic license
... got some useful(?) data points
... no place for that in note appropriately, may be spot in the recommendations

Mez writeth: REC #1 Security Context List / Best Practice Principles

Thomas: Security context information, how is that context information displayed today if at all
... where are we? is presentation effective/ineffective
... certs are particularly bad... what is in dire need
... mapping that information into a level that can be understood

Thomas admits he cannot do 128 bit key fingerprints in his head

Hal: it's not for that

Thomas: look at what is in the wild and what starting point is

Tim: look at the minimal set of context to discuss

<staikos> and we have no useful means to send fingerprints out-of-band

<tlr> tyler, can you send me your list?

Mez: there will be a minimal set, and other stuff

<Zakim> tjh, you wanted to ask if we have a security context list and what is a MINIMAL list of security context information (per the charter).

PHB: also need the user context, what is the user trying to achieve here?

scribe: their problem is 'am I safe', 'is this the same party I saw in the past', the objectives are user centered

Tim: agrees user perspective is important
... need to be able to express constructs
... like don't send password over unencrypted link

<stephenF> +1 to phb's "same party as before" point

Hal: we can't say what the user really wants to know 'am I secure'

Bill: some of the time the link can be presented as protection but there is no protection
... have this black and white presentation that does not match reality
... things say 'it's good' when it's not

Hal: this is easy to solve, if servers turn off encryption then client does not present as secure
... IE now ships with SSL 2.0 turned off

Tim: How do I define safe

<staikos> KDE4 has SSL 2.0 removed completely in SVN

<hal> need to recognize that we can't really give the user the information they want: Am I safe?

<hal> we can inform them about various properties which can lead to being safe, but the browser does not have all the necessary data

<tjh> phb: we may not be able to answer "am I safe" - but perhaps we could answer "you're configured safe according to what A, B, or C thinks is safe"

<Pau1> PHB - so it sounds like you are recommending a set of best practices in this area that will be consistent across all the browser vendors.

PHB said something he will add later

Mez: We can't not a good starting point

Hal: I am not saying we can't give good info
... people don't want to be told about the minutiae ... data going unencrypted over the network

PHB earlier: People can't be told 'I am safe' but we can tell them 'Bruce Schneier thinks you are safe, or PHB, or...'

Mez: Users don't have a security experts model but they do have a model

<stephenF> If we could tell them "you're as safe as yesterday" that'd be something

bill just going back into the protocol

scribe: certs are useless to the user (today). want to go to a site
... information could be presented in much better format
... all user sees is dialog boxes they ignore, dilutes the user experience

Rob from IE: is it fair to say users don't have an acceptable security baseline

Bill: yeah

Tyler: At HP we think in terms of users' current expectations

<rfranco> Correction to PHBs note above

Tyler: anything they see as an exception is a problem
... exception is the password field using star characters when link is not encrypted.

<rfranco> "is it fair to say that users don't know when they are at an acceptable security baseline"

<staikos> very nice observation

<staikos> rfranco: I think so

Tyler: phrasing it in terms of use
... expectations

<Zakim> PHB, you wanted to wife tech admin issue

Thomas: Throw usability and usefulness

PHB: also the issue of third party
... too many requests for expert advice when the web breaks for someone

Thomas: best practices
... Current practice: show the whole URL
... HTTP response headers what is done now
... nothing

Hal: need to check IANA

Thomas: Cookie information

Mez: dialogue boxes

Hal: unless you have policies says nothing

Rob Franco: what?

<staikos> Cookies are prompt-by-default in KDE

Hal: Nothing visible these days to say cookie has arrived

Chris: mysterious to user

PHB: info is there but not useful

malware: there is a setting you can put on to get a dialogue box

Thomas: I don't think that's the aspect we need to look at

Thomas: cookies are used for authentication, trigger display of a shared secret, user is at their bank again

Mez: there are restrictions on cookie interchange

<staikos> The cookie interchange algorithms are getting very complex (and thus error-prone) too

all kind of useful cookie context indicators and ways they might be used as indicators

Hal: There are some specific cases where the cookie could be useful if it could be interpreted but they are opaque to the user so not useful

Mez: On to the next one
... Referring page

Hal: not displayed, is on the history of the back button
... how do things get in history

<Mez> +me says sorry George, that's phil taking notes

Hal: see everything

<Yakov> exiting... will re-join the meeting at 2pm

PHB: back button should not cause redirects forward

<staikos> The back button is actually a very challenging issue

tim: how do you explain to your wife

PHB: I tell her that's the way the web is,

<tlr> Starting to edit list at: http://www.w3.org/2006/WSC/contextinfo.html

<staikos> PHB: In fact I think we should not put pages that cause redirect into the history at all

Mez: going to make recommendations that stand up to attack

<malware> staikos, about loud typing, probably you are hearing phb, who's scribing (brother sort of seems to attack his keyboard...)

Mez: will get some wrong
... but we don't have to expect to get 100% right

Thomas: there is life after recommendation, can track errata, issue edited recommendations

Mez: something to consider

Thomas: might have extended maintenance mode

Hal: much more likely is recommendations will be overtaken by events, people change attacks
... sendmail has lots of code to deal with ancient
... needs

PHB: we have a dialectic system


Tyler: really long URLs to defeat attacks

Hal: right justification, not left

<malware> PHB: a browser that has better security features is at a competitive advantage

<malware> (I think that's what he said)

Mez: character set defensive mechanisms?

Thomas: techniques against equal looking IDNs?

Mez: yes that's one

Hal: hope most people have changed their access system...
... problems on server side by parsing URLs ...
... construct a policy that matches something and people then create strings

Thomas: I was talking about Paypal with a Cyrillic a

<staikos> why use a cyrillic a when www.paqypal.com is probably sufficient?

Thomas: dealt with today with restrictions on TLDs for which IDNs will be displayed

PHB: problem is not just IDNs

Thomas: people read domain names the way they read text, they don't look for errors
... anything that depends on proof reader skills is going to fail

<Paul> exiting...will be back between 2:30-3:00pm

PHB fixes the projection screen using his degree in nuclear physics

Mez: there is the s in https: the yellow thing people do

Bill: no real binding of SSL to a certificate

Hal: all the properties of the session
... separate out SSL on or off and other properties of the session

SSL on/off the PADLOCK !!

<Mez> Mez wants to know why George puts good ideas in a place the notes won't carry forward

Maritza: colours

<staikos> not a good idea yet :)

Tyler: the dialog boxes you get

Hal: that goes in the next box

Bill: can enable, doesn't tell you it's off

Tyler: warning when not on an SSL site

mez: this other dialog box that tells you when you are going secure and everyone disables

Mez: beginning of the validity period I don't get that one

PHB: there is an operational reason for not-valid-before -- fielding of an up-to-date CRL

Bill: in SSL so there is no interface or mechanism that says what is the level of encryption I am using

Mez: you are right, should be logging

Mez: is there if you dig

Bill: needs to be there

Tyler: Phill got lost showing a cert property

PHB: the Danny Weitzner test, if UI is not usable by DJW in quarter of an hour then reject

Hal: session properties in that box
... definitely want to know what type of crypt

Bill: these are not necessarily certificate properties

Hal: reason I proposed the split I did is that you probably need a binary split and then detail

tyler: info on cipher not presented should be down one, Firefox reveals this

<Zakim> PHB, you wanted to suggest a box split

<staikos> would like to agree with PHB but no need to take phone time for that :)

<Zakim> malware, you wanted to about testing across browsers

PHB: merge the boxes so we don't conclude we need to represent SSL on off when the question is am I safe

malware: Need to test on more than just the browser you are familiar with
... best current practices needs to be any widely used/available browser

Hal: point was to identify that which there is at least one example of

Bill: get back to the box in the breakout there is stuff from certificates currently bundled with SSL

Mez: this is not the last pass

Hal/Bill discuss trust

Mez: you going anywhere?

Hal: it's up there

Mez: take it away

<Zakim> PHB, you wanted to point out presenting base64 attribute does not communicate much

PHB: trust level is displayed in IE7, address bar shows the issuer

malware: we have a three level indicator, but don't remember the details

<tlr> ACTION: msmith9 to find out more about Opera's numeric trust indicator [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action06]

<trackbot> Created ACTION-23 - Find out more about Opera\'s numeric trust indicator [on Michael Smith - due 2006-11-22].

PHB: there are several add on plugins display trust

Tyler: Firefox does strange things with the lock icon, greyed out states and such.

<staikos> phone went dead?

<staikos> hm well my comments: the n padlocks attempts proved disastrous (for KDE too) and going back to simple indicators is best in our experience.

<staikos> I'll dial back in after lunch

Thomas: mismatch between domain name and subjectAltName is displayed

<Zakim> PHB, you wanted to need for debugger interface

PHB: we got here because people needed a debugging capability for their own sites. Should probably have explicit mode for this

Mez: may be pushing bounds of the charter

Thomas: key into bookmarks with petnames as existing practice?

Mez: it's research, big field...
... prototypes? where is the line? ...
... even if have column need to fill it in ...
... widely available addons? ...

thomas: maybe no experimental things...
... but let's put down our collected knowledge

mez: no we are not, I have a lot we are not putting down

Tyler: need experimental things to inform working draft
... can easily list addons for firefox

Tyler: overridable warning, in IE7 this is not completely overridable

<scribe> ACTION: tyler give the URL of the antiphishing category for Mozilla/Firefox extensions [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action07]

See ACTION-30.

Need to state that we have thought of the debugging mode requirement and explicitly put it out of scope.

Bill: classification of certs in three classes

Hal: these classes are not currently agreed

PHB: that's why we have CABrowser forum

<hal> I believe that tyler proposed "did not come from the site" as a general criterion for all the information, not as a specific row of the table

Thomas edits configured trust roots box

<hal> since he stepped out, I can't ask him right now

<hal> btw, I disagree with using this as a criterion, untrustworthy info should also be considered at least at this stage

Mez: there is a place you can go to look at them

Maritza: the user does not know who is pre-trusted

PHB: additional ones can be added without user asking

tyler: there are no policies even
... these are accidents of history

hal: while you were out...
... thought that you wanted to provide a general criteria rather than something that applies to specific row
... row about additional data on site that did not come from the site deleted

tim: bookmarks,

mez: have a way to display

tim: does any browser tell you the last time you visited

tyler: don't know any browser that will tell you that you are at a previously bookmarked page

mez: more info, can I look at my cache?

malware: if you open a console window...

tyler: your password manager

phb: you can do that

tyler: I can...
... you can get a list of all your cookies...

hal: lots of incomprehensible details

tyler: history gets updated as you browse

maritza: list of sites you have already filled in form information for

hal: you can see this locally?

maritza: one of the tabs is saved forms

mez: reputation

phb: there are lots of antiphishing toolbars

mez: not production

tyler: IE7 and Firefox have these built in

malware: opera also has this feature

thomas adds to the matrix

mez: past introductions from friends

hal: nothing...

rob franco: wanted to detail the phishing filter...
... for benefit of posterity does not check every url. ...

phb: that's still reputation data

rob franco: wanted to make sure privacy community got the full picture and we do protect privacy

hal: do you check against for different URL on the same domain name

rob: yes for GeoCities!

scribe: maybe not for other properties, don't need to check bofa

mez: redirection path

hal: flashes in the address bar

tyler: we are doing potential? now only looking at what is currently being used

mez: we are just filling in the first column...
... was encouraging us to take a strict columnar approach so we can complete before 430

hal: would suggest not even tackling col 2 without the use cases

mez: HTML page: spam filter like techniques ????

tyler: some phishing managers do this type of thing.

rob: that is right if a site is unknown and has suspicious

mez: target URI?

tyler: the action URI for a form you are going to submit

thomas: mouse over hyperlink gives some of this info

hal: javascript can override this behaviour for evil intent

PHB: IP address...
... sometimes see this come up.
... more thinking in terms of reputation data keyed off IP

tyler: IE has long had a feature that classifies sites by if it's on your intranet/internet...

rob: IE has a security zone based on a set of client heuristics, (describes) ...
... URLs without a dot always come up as intranet ...
... home joined systems don't have intranet

<tlr> ACTION: Thomas to set up Wiki for group use [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action08]

<trackbot> Created ACTION-24 - Set up Wiki for group use [on Thomas Roessler - due 2006-11-22].

<tlr> ACTION: Thomas to set up CVS access for Tyler [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action09]

<trackbot> Created ACTION-25 - Set up CVS access for Tyler [on Thomas Roessler - due 2006-11-22].

mez notes need editor context pulls the contribution together.

mez notes charter of two recommendations and that they may be combined

2nd rec -- anti-spoofing techniques

user interface, trusted path (shared secret) credentials, passwords, question - web user agent to user?

<tjh> question on clarifying Recommendation two example of saying securing path from web user agent to user.

<tjh> maritza: yes, between browser and user.

browser personalization, the practices to setup a "secure" session...
... examples limitations to scripting capabilities, dynamic, active content to manipulate user interfaces. Security information presented on the screen

<Tyler> https://addons.mozilla.org/search.php?q=phishing&type=E&app=firefox

<Tyler> That's a search for all anti-phishing addons for Firefox

mez personalization of the chrome, visual that provides a "secure" handshake

tlr notes action with browser that provides feedback to the user in a user friendly form

tjh notes network monitors security context information and use of separate tools. separate channel

<tjh> create some form of monitor that watches such security context information for connections and displays in some separated way.

mez notes that out of channel would not work SSL

tlr make the information available and in the right place

mez notes security context of personalization, "shared" secret. discussion on what is a secret. passwords, keys

tlr one deployed mechanism: secret where first layer is based on cookies, TLS and cookies that authenticates the user to the site and then stronger authentication applied...
... avoid site that looks like banking site, and replay attack

<tlr> ACTION: zurko to dig out papers about authenticating browser password entry dialogues to users [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action10]

<trackbot> Created ACTION-26 - Dig out papers about authenticating browser password entry dialogues to users [on Mary Ellen Zurko - due 2006-11-22].

<stephenF> breaking off now, will rejoin irc before end

Issue comes up about portability of shared secret

if shared secret is tied to a browser on a particular machine

<tlr> ACTION: Hal to review requirements from workshop record - due 2006-12-05 [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action11]

<trackbot> Created ACTION-27 - review requirements from workshop record [on Hal Lockhart - due 2006-12-05].

tjh asks about the use of a proxy to help the user to stay in safe internet areas

hal notes the desire to standardize data provided by white / black list providers

hal suggestion, overhaul cookies and cookie management, since cookies contain a lot of security data.

scribe: cookies can be used to set up attacks

tlr client authentication - exchange credentials and then get cookie. support deployed base of credentials opposed to using something like SAML and the benefits that a SAML token can provide

tyler trust of site based on usage of the site, referring page and site that you use all the time your bank, site that "trusted" agent gave to you

mez previous idea was security stuff to show that the user had security - moving to stuff to show security

tjh build up the security level not using shared secret - site puts up something to spoof shared secret

tlr classes of shared secrets

<tjh> tlr draws a picture showing communication from server to human/user, from server to browser/user-agent, and from user-agent to human/user

tjh techniques to render information securely 1 - shown, 2 not spoofed...
... notes "secure" information should not be spoofed ...

tlr notes interactive ceremonies as security handshakes that take place as a form or secure form is brought up

tyler information that only comes from particular areas on the screen or reserved areas that are not available to web content

<tjh> tyler use a second or other device to give feedback to user IF site contacted is one that was expected. Lack of that other device giving feedback would indicate a

<tjh> ... possible problem.

how to use two factor or out of band single factor, cell phone, email

hal better support and integration of different forms of credentials and management

mez - don't get to the web site in the first place

<Tyler> secure password based cipher suite for TLS

scribe: go to online mail, if the remote side cannot demonstrate knowledge of the shared key then the handshake progresses

tlr: address and shared secret because you have done business with this site before. expect that the site has knowledge of the shared secret and is used to complete the TLS session

tlr trusted path from user agent to user is also required in this case.

next steps

<tlr> ACTION: Thomas to clean up minutes [recorded in http://www.w3.org/2006/11/15-wsc-minutes.html#action12]

<trackbot> Created ACTION-28 - Clean up minutes [on Thomas Roessler - due 2006-11-22].

Summary of Action Items

See tracker.

Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Date: 2006/11/21 15:12:02 $