WSC WG weekly
5 Dec 2006


See also: IRC log


Thomas Roessler
Maritza Johnson
Stephen Farrell
Yakov Sverdlov
Tyler Close
Paul Hill
Phillip Hallam-Baker
Rishikesh A Pande
George Staikos (IRC only)
Michael Smith (IRC only)
Mark Little
Rob Franco (guest)
Mary-Ellen Zurko
Tyler Close




<tlr> "zakim, unmute me"

<stephenF> ta

<tlr> tyler: it just goes into normal text?

<tlr> ... and this continues ...

<tlr> Scribe: tyler

approve minutes

<tlr> http://www.w3.org/2006/11/21-wsc-minutes

<tlr> RESOLVED: minutes approved

Wiki -- how to use, etc

<tlr> http://www.w3.org/2006/WSC/wiki/

mez: Encourage everyone to submit action item text to wiki
... Solicits questions on wiki use

PHB: Can't find the draft note on the wiki

Tyler: says he will put the form of the note into the wiki

<tlr> ACTION: tyler to add note's structure to wiki [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action01]

<trackbot> Created ACTION-36 - Add note\'s structure to wiki [on Tyler Close - due 2006-12-12].

MEZ: Confirms that MoinMoin does versioning

Use Cases/Scenarios Action Items updates

MEZ: No more questions on wiki
... Documenting the scope and the goals are the top priorities

<tlr> The joys of multipart/alternative...

MEZ: Hope everyone hits their ACTION item goals for the next meetings

<tlr> http://www.w3.org/2006/WSC/Group/track/actions/4

MEZ: What's our vanilla attack scenario

<tlr> http://www.w3.org/2006/WSC/drafts/note/

E-Mail lure scenario

MEZ: Is ACTION-4 our vanilla attack?

<tlr> http://www.w3.org/2006/WSC/drafts/note/#email-lure

PHB: Distinguish between use cases and abuse cases
... Some banks have given up sending email

MEZ: Is this a legal remedy?

PHB: No bank is still liable

MEZ: Concrete scenario followed by discussion is preferred format for use cases

PHB: Helps make the use case succinct

MEZ: Should we close ACTION-4
... Moving on to next action item, ACTION-8

re-direction / federation use case

<tlr> http://www.w3.org/2006/WSC/Group/track/actions/8

<tlr> http://www.w3.org/mid/D0C847B2BD75414090045D8C7EA3D59402B2D656@repbex01.amer.bea.com

MEZ: Hal not on call

TLR: Draft of text in email archive

MEZ: Hal's email incorrectly cited ACTION-11
... ACTION-8 needs to be more concrete

<Mez> http://www.w3.org/2006/WSC/Group/track/actions/9

<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2006Nov/0056

ACTION-9 misuse / misappropriation of padlock

MEZ: ACTION-9 is more an enumeration of issues with the chrome, than a use case

<tlr> carry over to next call

MEZ: ACTION-9 is thorough and excellent, but want a concrete scenario

<Mez> http://www.w3.org/2006/WSC/Group/track/actions/13

ACTION-13, Elaborate on multiple certificates & domains for session servers case

Do you want me to use a real use case, or a fictitious use case

TLR: Don't use a real use case, for trademark issues.
... Use example.com in specification examples
... For example, use http://www.example.com/ as a URL

<tlr> example.{com,info,org} ...

<Mez> http://www.w3.org/2006/WSC/Group/track/actions/22

ACTION-22, voice browsers

<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2006Dec/0003

MEZ: Want a concrete voice browser use case for the note
... Solicits any other participants for voice browser use case

<Mez> http://www.w3.org/2006/WSC/Group/track/actions/19

MEZ: Want to get to the scope next
... Might not get to the use cases for a couple weeks
... Need the note for the next face2face

ACTION-19, WS-Security

<malware> sorry for being late

<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2006Nov/0105

MEZ: The desktop decoration use case used a good format, like ACTION-4
... Any issues with putting future looking features out of scope?

<tlr> Since the visual cues are not controlled by a browser, but rather the application program which is painting the transparent window information on the desktop, there is no browser chrome to define, protect, or for Alice to rely upon.

<stephenF> when will our REC be done? Presumably "future" applies from then on, or from now on?

tlr, could you summarize your point for the minutes?

<tlr> tlr: one key property seems to be the one mentioned above; sounds similar to widgets spec work in WAF WG.

Yakov: WS-Security might provide a concrete use case. Need to work on one

Stephen: Is the future tomorrow, or the day after the Rec comes out?
... Vista is coming out while we're working. Might be some changes in usage.

TLR: Should abstract from any particular product

MEZ: Should look at any product that gets lots of usage

<Paul> If spec has been approved by a relevant standards body, isn't it in scope, even if deployments might be several months in the future?

MEZ: Our goals will be shaped by things we can make use-cases for today

<Zakim> stephenF, you wanted to ask when "future" starts, if out of scope

Stephen: Tha's fine, but want to have flexibility as we move forward

??: What about stuff that is standardized, but not yet deployed

MEZ: Remember the days when standards standardized existing use

TLR: Just being a standard doesn't put in scope. We have to believe the deployment story

<stephenF> offering a tricky case for scoping here: IEFT EAI (email i18n), i dunno whether that should or should not be in scope

MEZ: We have to put a high bar on that. We need to believe it will be deployed, not it might be deployed.

<stephenF> EAI stuff: fine for later

<Zakim> malware, you wanted to ask for clarification of difference between "deployed" and "implemented"

<tlr> maware, we can't hear you

<tlr> malware

<malware> I'm not on the bridge

<malware> I just wanted to ask what exactly is meant by deployment

TLR: channelling malware, Is it deployed, or implemented?

MEZ: implemented is existing, also needs to be running

<malware> I think we usually talk about implementations of a particular spec, right?

<malware> Is same thing meant by "deployment" as it's been discussed here?

<tlr> malware, basically, yes.

<Paul> I think it depends. If "implemented" with intent to deploy then it is relevant. If it is implemented but not intended for deployment the it should not be considered.

<malware> OK

<tlr> the point was that there should be some reality check

MEZ: Action-19 looks future looking

<Paul> Argh, my phone just decided to reboot. It will take me a few minutes to rejoin the call.

<malware> has there been any discussion about not moving to REC without implementations?

TLR: It exposes an important property of non-browser, but possible web based that has security context
... The commonality is use of web-ish tech
... Have a look at the widget spec to determine whether in scope or out of scope

<tlr> ACTION: tlr to review widget spec [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action02]

<trackbot> Sorry, couldn't find user - tlr

<tlr> ACTION: thomas to review widget spec [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action03]

<trackbot> Created ACTION-37 - Review widget spec [on Thomas Roessler - due 2006-12-12].

rfranco: Joining discussion as a guest.

rfranco: Use case involving futuristic hardware is out of scope?

TLR: Are we talking about trusted computing base?

rfranco: I don't think of it as heavily deployed
... It's not the mainstream case today

MEZ: Agreed

rfranco: It's on the bubble. I am happy deferring it to a later working group

PHB: Need to consider trustworthy computing as a solution to a problem we're not going to solve

TLR: The non-goal would be ensuring a trusted computing base

<tlr> ACTION: zurko to include trusted computing base with scope and/or goals/non-goals [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action04]

<trackbot> Created ACTION-38 - Include trusted computing base with scope and/or goals/non-goals [on Mary Ellen Zurko - due 2006-12-12].

next meeting; proposed: 12 December

<PHB> PHB: We should be able to consider the existence of Trustworthy computing for the purposes of deciding not to solve a problem that others are attempting to solve/deploy with a high probability of success. That is we should not decide that the whole problem is impossible because a keystroke logger could be dropped onto a machine.

MEZ: Will put scope out by next friday

<PHB> PHB: Trusted computing exists, we all trust the computer to an enormous degree.The question is if they will be trustworthy

MEZ: Want to do the goals next

<Paul> BTW, action-38 should have some current estimates of timeline for deployment. How long will it be before trusted computing platforms can be assumed to be present in the home/retial market?

MEZ: Remember to register for the face2face in January

<stephenF> bye all

MEZ: Attacks on trusted computing are out of scope regardless

MEZ: Next meeting is December 12th

<Paul> thanks , bye

Summary of Action Items

[NEW] ACTION: thomas to review widget spec [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action03]
[NEW] ACTION: tlr to review widget spec [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action02]
[NEW] ACTION: tyler to add note's structure to wiki [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action01]
[NEW] ACTION: zurko to include trusted computing base with scope and/or goals/non-goals [recorded in http://www.w3.org/2006/12/05-wsc-minutes.html#action04]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Date: 2006/12/12 19:14:30 $