W3C

WSC WG Weekly
2 Jan 2007

Agenda

See also: IRC log

Attendees

Present
Thomas Roessler
Mary Ellen Zurko
Tyler Close
Sunil Agrawal
Hal Lockhart
Yakov Sverdlov
Tim Hahn
Maritza Johnson
Bill Doyle
Phillip Hallam-Baker
Rob Franco
Chair
Mary Ellen Zurko
Scribes
maritza
Thomas Roessler


Approve previous meeting's minutes

<tlr> http://lists.w3.org/Archives/Member/member-wsc-wg/2006Nov/0017.html

<tlr> RESOLVED: Previous meeting's minutes accepted, see http://www.w3.org/2006/12/19-wsc-minutes

close open action items

<tlr> approved as proposed in agenda

Goals

<Mez> http://www.w3.org/2006/WSC/wiki/GoalsNonGoals

scribe: (the url where Phil drafted goals and non-goals)

<Mez> http://www.w3.org/2006/WSC/wiki/NoteGoals

<Mez> http://www.w3.org/2006/WSC/wiki/NoteNonGoals

mez: does the note section include all goals and non-goals?

tyler: I haven't updated it

mez: let's talk about goals/non-goals, starting with the goals that Phil drafted followed by the note index goals

<tlr> http://www.w3.org/2006/WSC/wiki/GoalsNonGoals

<tlr> http://www.w3.org/2006/WSC/wiki/NoteGoals

mez: anything else about the goals at this stage?

tlr: the one goal I'm concerned about is the way the best practice one is phrased

mez: I agree with Thomas, we haven't gotten around to it before the meeting, how do other forms of communication fit

scribe: tlr asks this be put in the wiki

tlr: how other forms of communication are used for security context information

mez: any other commentary on goals and non-goals?

<tlr> ACTION: zurko to propose re-wording of "Best Practices Recommendation for Site-to-User Communication" text in NoteGoals, post to list [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action01]

<trackbot> Created ACTION-61 - Propose re-wording of \"Best Practices Recommendation for Site-to-User Communication\" text in NoteGoals, post to list [on Mary Ellen Zurko - due 2007-01-09].

hal: I posted on ACTION-56, an attempt to start a thread about a standard way of presenting the results of unspecified protocols
... I'm satisfied with the last item on this page covering what I meant by this action

<tlr> I think Hal is speaking about this: http://www.w3.org/mid/D0C847B2BD75414090045D8C7EA3D59402E1469E@repbex01.amer.bea.com

hal: my feeling is the last item on this page is something I'd like to see in the scope, I don't think we are missing anything
... browsers may use algorithms that make use of historical information
... while we don't want to specify how they do this, we may want to say what they display given the security info they want to display

action-56 http://www.w3.org/2006/WSC/Group/track/actions/56

hal: there should be a standardized indicator to indicate an unstandard protocol

tlr: the discussion we had last time might say people wouldn't read this
... maybe we should pull your message into the text for the particular goal

mez: the note and the recommendation are two different things

hal: just to clarify, we have four bullets followed by four sections, my understanding is we eventually want nothing but titles and text

Action-56 will extend into a drafting of this section for the note

<tlr> ACTION: hal to re-draft "Recommendation for Consistent Presentation of Security Information" to reflect discussion about http://www.w3.org/mid/D0C847B2BD75414090045D8C7EA3D59402E1469E@repbex01.amer.bea.com [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action02]

<trackbot> Created ACTION-62 - Re-draft \"Recommendation for Consistent Presentation of Security Information\" to reflect discussion about http://www.w3.org/mid/D0C847B2BD75414090045D8C7EA3D59402E1469E@repbex01.amer.bea.com [on Hal Lockhart - due 2007-01-09].

mez: any more commentary on the goals/non-goals?
... Phil, can you merge the two pages on the wiki for goals/non-goals?

<tlr> ACTION: Hallam-Baker to merge the Goals and Non-Goals related Wiki items into English text. [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action03]

<trackbot> Created ACTION-63 - Merge the Goals and Non-Goals related Wiki items into English text. [on Phillip Hallam-Baker - due 2007-01-09].

<tlr> ACTION-56 to be closed.

Non-Goals part

mez suggests we continue and talk about the non-goals section

mez: anyone want to add any non-goals?

hal: Do we need to specifically say cryptographic algorithm?

mez: algorithms can be used to combine security context info the user
... how far do you want to take the meaning of algorithm?

hal: I thought there was a discussion about browsers using various history information to make decisions about pages "risk-assessment"

<tlr> tlr: out of scope or non-goal?

<tlr> hal: out of scope, oops

tlr: is this a non-goal or is it out-of-scope?

mez: out of scope

phil: the thing about the non-goals, it's technically an infinite list
... I wanted to focus on things that might come up and we might want to rely on, but things we won't do ourselves

mez: Phil, is there a place in non-goals that should point to a list of prior work?

phil: it's things that people might think are goals but aren't

mez: really good guidance, we should stay sensitive to this
... anything else for the current version

tim: I suggest we say that educating users is a non-goal
... I think that we're going to empower users but I don't think we'll be successful in saying we'll educate users or increase their level of understanding

mez: I think that's a good point. At one time we had a talk about the difference between users learning and understanding things
... and it's not necessarily in our charter

tlr: If this was a goal, what would we not be doing. I'm having a hard time seeing what educating users would look like as a goal

mez: a pro-active campaign to educate users

tim: example, we're not going to go take out ads on city busses

tlr: I'm not saying we should take bus ads, but I don't think we need to say this explicitly as a non-goal

tyler: does this include short tutorials to show how an anti-phishing toolbar is used

tim: I agree with mez. I was trying to say that we shouldn't be construed as a group that is trying to educate the world on how to use the web securely
... I wasn't sure how to answer tyler's question, about whether we should condone or not the various help for tools
... I didn't think this group would go out and publish a user's guide for tools

tyler: I just wanted to see if there was a dividing line on these two

tlr: I would like to keep the note focused
... what tyler mentioned strikes me as a non-goal of our group
... maybe we shouldn't say at this point that we won't be doing outreach
... how do we distinguish outreach to users and outreach to developers

phil: I agree with tlr, our results may be different than what we might expect, anti-phishing working groups have done outreach to users. If they want to promote our work and we're collaborating with them and we find ourselves with funding, then where does the line fall for what we're doing and not doing? Maybe this shouldn't be a non-goal

tlr: I think we're saying this note isn't about what types of communication efforts will be made

<Tyler> I like TLR's distinction of non-goals of the Recommendation versus non-goals of the group. I think the Note should contain *only* non-goals for the Recommendation

<tlr> tyler, +1

mez: I expect something about user education in the design principles or assumptions section

<tlr> maritza, mind minuting yourself? ;)

mez asked maritza if she included anything about user education in design principles

maritza: I haven't written anything specifically about user education in the design principles section, but I made a few notes about the results from previous user studies about what users do and do not know

mez: so the note should only contain non-goals for the recommendation, not non-goals for the group
... that's reasonable. If anything creeps in about user education it should fall in either design principles or in assumptions

tlr: something about user education would be something about how much is necessary

mez: I'm still drafting the assumptions section

<tlr> ACTION: zurko to make sure role of user education is addressed in assumptions section of note [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action04]

<trackbot> Created ACTION-64 - Make sure role of user education is addressed in assumptions section of note [on Mary Ellen Zurko - due 2007-01-09].

mez: the only thing we have left on our agenda is the next meeting Jan 9th, two days before the drafts are due of the note sections

<Zakim> Thomas, you wanted to ask about use cases

mez: don't forget I've asked for examples on the wiki for our recommendation

tlr: I'm wondering if we should be thinking about mapping the use-cases to the goals section. To see if the things we have in mind are captured accurately.
... just to ask what we will be doing with the use-cases

tyler: should examples of spoofing be made into a use-case
... how are these normally described?

<tlr> http://www.w3.org/mid/08CA2245AFCF444DB3AC415E47CC40AF592896@G3W0072.americas.hpqcorp.net

tyler: should things that are considered attacks be use-cases
... I was going to put them in the section for note problems in the current interface

tlr: I could see these as useful use-cases
... I would encourage you to write these with this is what we'd like to happen, this is what happens

hal: I'd like to comment on where the use-cases fall in. We should make sure we get the obvious use cases instead of focusing on the smaller ones

AOB

mez: anything left in the next 5 minutes

hal: I'd like to go through workshop proceedings and match these against our in scope / out of scope for the recommendations

<tlr> hal: would like to map proposals from workshop to scope / out-of-scope; goals / non-goals

<tlr> workshop -> http://www.w3.org/2005/Security/usability-ws/

hal: I'd like to consider the things people have recommended we do. I think we should say we started with this list of recommendations from other people and after clarifying our goals, we know which are applicable

<tlr> ACTION-27, way overdue, hal reinforces commitment to that

hal: We should clarify who will and will not attend the F2F

<tlr> ACTION: Roessler to add "phone" option to registration form, and fix some responses [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action05]

<trackbot> Created ACTION-65 - Add \"phone\" option to registration form, and fix some responses [on Thomas Roessler - due 2007-01-09].

hal: I'm hoping the people who fill out the form will show who will be in CA in person

<tlr> ACTION-65 due on 15 Jan

Summary of Action Items

[NEW] ACTION: hal to re-draft "Recommendation for Consistent Presentation of Security Information" to reflect discussion about http://www.w3.org/mid/D0C847B2BD75414090045D8C7EA3D59402E1469E@repbex01.amer.bea.com [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action02]
[NEW] ACTION: Hallam-Baker to merge the Goals and Non-Goals related Wiki items into English text. [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action03]
[NEW] ACTION: Roessler to add "phone" option to registration form, and fix some responses [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action05]
[NEW] ACTION: zurko to make sure role of user education is addressed in assumptions section of note [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action04]
[NEW] ACTION: zurko to propose re-wording of "Best Practices Recommendation for Site-to-User Communication" text in NoteGoals, post to list [recorded in http://www.w3.org/2007/01/02-wsc-minutes.html#action01]
 
[End of minutes]