W3C

WSC WG face-to-face San Jose

30 Jan 2007

Agenda

See also: IRC log

Attendees

Chair
Mez
Scribe
Nadalin, tlr, Bob, staikos

Contents


Intro

Introductions around the table.

Agenda

<tlr> http://www.w3.org/2006/WSC/drafts/note/

<Tyler> http://www.w3.org/2006/WSC/drafts/note/Overview.html

We are lucky as we are going to get a "word" from the editor on the note

We will get through the note by end of afternoon break

We will then have some lovely demos

Will talk about a safe browsing mode proposal

Tomorrow we will "swing" around and talk about recommendations

<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0206.html

<beltzner> proposed revised schedule for the Note: http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0190

Discussions on document time line

When to do first public working drafts

<tlr> editor's draft just means that there hasn't been a decision of the group to publish the thing

need to get a date for public working draft, target April?

full editor's draft "may" be possible in April, working draft may be out a little later

a separate mailing list is set up for comments on Working Draft

With working draft a patent call for exclusions is done

3rd F2F in June, is this the correct timing?

3rd F2F maybe Dublin, is that too far?

Will we have a 4th F2F?

target November for LC

<staikos> Note: travel from Toronto to Dublin gets much easier after June 17

Discussions on testing

hal: Can this be done remote?

need a facility that can handle inviting people and the process, need some usability folks

November is a target for testing, so need to start now

Rachna will lead the testing phase

So what will be the population of the testing?

are we going to document results or are we going to put that into best practice

So maybe both ?

George: has been "hacking" a brain dead browser, so no legacy, very basic
... this may be a great bed for testing

<staikos> also this browser is portable to Windows, Mac OS, and Linux

What kind of scenarios will we test against?

<tlr> http://www.w3.org/2005/10/Process-20051014/tr.html#cfr

Question over testing: do we need to add an additional testing cycle? As we are doing testing early, we may learn things that make us go back

Do we have "wiggle" room if we have issues during LC?

Stuart: What happens if the charter gets in our way, could we address this?

Thomas: yes there is room and ways to do this

Note

tyler: a "word" (or maybe open doc) from the editor
... if you can't see your changes in the doc, please contact me

tyler: please look at the wiki to see if there are any questions
... sections 2-8 seem to be in good shape, please read this over
... section 9 still has open issues and needs more work

tyler: once section 9 is complete this would be a good editor's draft

mez: please document your changes on the wiki

thomas: issue tracking through tracker

<tlr> ACTION: thomas explain issue raising process on public mailing list [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action01]

<trackbot> Created ACTION-93 - Explain issue raising process on public mailing list [on Thomas Roessler - due 2007-02-06].

tyler: done

mez: do folks have a real understanding of the "note"

thomas: this is what we are going to address/do so need to make that very clear to public

Section 8

mez: tyler did most of content to this section

<tlr> http://www.w3.org/2006/WSC/drafts/note/#problems

thomas: wants to change the title ...
... maybe change section into what is working and what is not working ...

hal: section is all about chrome, and thus no problems with anything else but chrome

thomas: maybe "review of status quo" would be a better title

tyler: if there is anything that is true about the "status quo" that is not there already please input

phb: thinks that crypto is stable in status quo

<tlr> ACTION: hallam-baker to draft subsections for 8 about "compelling user interface", crypto [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action02]

<trackbot> Created ACTION-94 - Draft subsections for 8 about "compelling user interface", crypto [on Phillip Hallam-Baker - due 2007-02-06].

tyler: please point out opinion vs. fact vs. fiction

stuart: what is the "status quo" section really about? user interface?

tyler: section prior describes the scope
... we have in/out of scope sections

stuart: I'm really confused
... what is the basic goal of the user?

tyler: look at the use case section

hal: there is more to user interface than the chrome so need to have that info

thomas: some of the use cases need a clearer question, example 6.14
... need to add additional questions in section 6

mez: are we up to 8.1 YET?

<tlr> ACTION: stuart to review use cases, suggest reorganization, ... [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action03]

<trackbot> Created ACTION-95 - Review use cases, suggest reorganization, ... [on Stuart Schechter - due 2007-02-06].

please everyone work on use cases !!!

tyler: overview of section 8
... describes the problems with section 7
... split into 4 areas
... section 8 is about different levels of attacks
... 8.2 is about the indicators in the chrome
... 8.1 is about the spoofing the chrome

hal: need some definitions here

<bwporter> I'm noting that everything is focused on user->site trust... but there are other issues like user personal information... cookies, password management, form auto-fill

<bwporter> there is also the problem that user->site isn't sufficient as certain web pages show content from other sites embedded (ads primarily)

<bwporter> not sure where the right point in the agenda to bring this up?

thomas: need a glossary

mez: Tim main goal in life is to define a glossary

<tlr> ACTION: hahn to draft initial outline of glossary [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action04]

<trackbot> Created ACTION-96 - Draft initial outline of glossary [on Tim Hahn - due 2007-02-06].

mez: can we notify folks of actions?

thomas: send email

hal: let's use the RFC 2828 Internet Security Glossary as the base

tyler: 8.3 is about the folks who don't understand the indicators
... the current chrome is not chrome...
... need definition of chrome ASAP ...

phb: if we don't know what chrome is, how can we explain this to users
... it's poorly defined
... confused on the indicators meanings

<beltzner> definition of "chrome" from Wikipedia: "The visible graphical interface features of an application are sometimes referred to as "chrome". They include graphical elements (widgets) that may be used to interact with the program. Common widgets are: windows, buttons, menus, and scroll bars. Larger widgets, such as windows, usually provide a frame or container for the main presentation content such as a web page, email message or drawing. Smaller ones usually act

thomas: folks here seem to have a misunderstanding of section 8

<staikos> Do I understand that we have a "poor understanding of the poor understanding portion" of the document?

<staikos> haha

thomas: part of what is meant is a separation of what is under the control of the user and what is under the control of the attackers

mez: let's suggest real wording changes

thomas: proposed restructure of section 8

<tlr> http://www.w3.org/2006/WSC/drafts/note/#problems

mez: call to order

tyler: section 8.4 is about where the chrome never gets noticed by the user

<bwporter> Recommendation: Rename section 8 to "Analysis of problems with browser chrome"

hal: there may be other things besides the chrome so maybe add a new section

phb: too focused on technology, and need to focus on how to focus the user interaction/tasks
... need new section for user interactions/tasks

tyler: add new subsections to 9.1 to cover phb's issues

<yngve> phillip has a very good point about how intrusive a security or a non-security indicator can be.

<yngve> Example: how quickly do people turn off the "you are now entering/leaving a secure site" dialog? My opinion: very quickly.

thomas: 8 is focused on the visual desktop, and we need to get folks on usability issues
... other user agents besides the desktop

tyler: anyone use an agent besides desktop, like a mobile browser?

thomas: no mobile folks here...
... maybe other small/mobile browsers ...

<yngve> I do not usually work with/on a phone, but security information usability on phones is a problem due to less area for the chrome, currently not solved.

break

<bwporter> Recommendation: It may be helpful to restructure section 8 to organize the information as follows

<bwporter> a) Content<->chrome boundary

<bwporter> b) User perceptions of chrome

<bwporter> c) Analysis of individual chrome elements

<beltzner> tjh: the chaos you're hearing is that we're on break

<tjh> ok, thanks.

<beltzner> Recommendation: building on what PHB suggested, we might wish to either add a section or a subsection which illustrates the user's mental model as they walk through a common, generalized case of accomplishing a task. Perhaps that goes in S9?

<tjh> unfortunately, after all that - I must drop to take another call.

mez: any other issues with section 8?

<staikos> http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors <--- flow chart for our algorithm

<beltzner> staikos, I changed your document so that the screenshot is actually shown inline

Note should call out stuff that is the chrome that really should not show user and what stuff the user really needs to see

mez: any proposal to restructure section 8 needs to be concrete

<tlr> PROPOSED: Content-Chrome boundary; User perception of Chrome; Usability of individual elements

<beltzner> http://pastebin.mozilla.org/3341

<scribe> new outline proposed

<beltzner> http://pastebin.mozilla.org/3341 updated

thomas: seems to make it more clear
... so an issue is what the user understands and what user thinks is controlled by the chrome and what is controlled by the browser

<beltzner> * (8.1.2)

<beltzner> boo

<beltzner> http://pastebin.mozilla.org/3344 updated

thomas: modification to proposal
... first talk about how things work today and then focus on the problems that this has caused

tyler: does not want us to focus on the controls but focus on the high level problem

tyler: explains current

beltzner: problem -- padlock contributes to more
... express the theme, give a single example, then break out control by control ...
... people suggest the latter might be an easier way to read the document ...

stuart: maybe some controls aren't repeated the way they should be
... like having a whole load of examples under certain things; makes it clearer that problem is endemic ...
... if you break it down by control, it's control-centric, and you lose the three problems that are universal ...

brad: works pretty well for some of the things, but if you want "supposed to do, perception, gaps", you don't want to separate these

stuart: there's another view of the world in which you take a user example ...
... first look at this, then at that ...
... process-centric view of the world ...
... what are we supposed to be telling users?
... if they want to have an expectation ...
... process-centric view is lost in both ways to present the thing ...
... not necessarily a defect ...
... can't do three perspectives at once ...
... that's there ...

mez: think that somebody needs to volunteer to restructure the information in this section, if it's to be restructured

tyler: maybe defer until we are through the actual content?

agreed

tyler: <summarizes 8.1>

rob: is the "outer chrome off screen" attack feasible with current browsers?
... note should reflect what state of the world of first-generation browsers is ...
... second generation browsers also susceptible ...
... there's first vs. second gen attacks ...
... particularly because consumed more broadly ...
... want to understand size of the gap ...
... not presenting realistic picture ...

brad: negative coordinates seem to work with IE6

beltzner: if you can, it's a security bug
... should be fixed everywhere except in linux/gtk ...

staikos: we spent an entire week on this

<staikos> (in 2002)

<staikos> 5 years ahead!!

<scribe> ACTION: beltzner to seed and drive process to document current-generation undocumented safeguards in wiki [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action05]

<trackbot> Created ACTION-97 - Seed and drive process to document current-generation undocumented safeguards in wiki [on Mike Beltzner - due 2007-02-06].

tyler: mention names?

tlr: I think documenting is fine as long as it's factual; also, we've got the affected parties in the room

mez: 8.1.2, then lunch

<scribe> ACTION: Thomas to track Rachna adding references for 8.1.2 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action06]

<trackbot> Created ACTION-98 - Track Rachna adding references for 8.1.2 [on Thomas Roessler - due 2007-02-06].

beltzner: issue with pop-ups that mimic chrome

tyler: 8.1.3?

rachna: definition of chrome -- relationship to security information delivered inside page?

franco: (explains IE practice -- somebody else please fill in)

tyler: the user agent could display information within the same coordinates ...
... visually extending the chrome that way might be a problem ...

rachna: block page

tyler: different problem

<scribe> ACTION: thomas to track Rachna to draft text for section 8, covering "block pages" [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action07]

<trackbot> Created ACTION-99 - Track Rachna to draft text for section 8, covering "block pages" [on Thomas Roessler - due 2007-02-06].

tyler: 8.1.3 is about pop-up windows which don't show the usual chrome; visited web site can render content that can behave exactly like chrome, but with site-chosen behavior

brad: is that allowed in modern browsers?

tyler: yes, I tested it

rob: remove which pieces of chrome?

tyler: yeah

rachna: umh

tyler: none of the usual things under the window title

rachna: that's not "no chrome"

rob: create popup method that lets you paint window inside window ...
... but what you're looking for is a popup window that's just the title bar ...
... could have address bar and stuff ...
... situation in which v2 browsers have done some things ...
... know that gerve did work in firefox ...

tyler: that doesn't actually work
... at least in firefox 2 ...

rob: ie7 ...

beltzner: ... does the right thing

yngve: if pop-up is opened without address bar, you have collapsed one, possibly yellow indicating that it's secure ...
... case with Opera as of at least version 8 ...
... don't remember exact version ...
... but problem is that collapsed address bar may be a little bit too small and easy to ignore ...
... not permitting a collapsed address bar at all? ...
... at the moment not getting everybody to agree on that ...
... finely tuned pop-ups ...
... precise pixel-size pop-ups ...
... that don't get displayed properly ...

tyler: to verify on IE7, all chrome indicators present?

rob: windows from the internet zone always have status and address bars ...

rob: title bar is another one ...

tyler: so some address bar widget is on every window?

rob: some yes, including lock icon in the address bar ..
... if you are at confirmed phishing site, red, and page becomes error page ...
... yellow for suspicious ...
... typically get the lock icon in the status bar as well, not sure why you don't get it in the demo ...
... information bar about things that were stopped ...

stuart: why is it in the page area?

rachna: it's more visually distinct in IE7 than in Firefox ...

tyler: indicator slightly better in IE7 ...

rob: thing to keep in mind, I'm at a site I expect to be at, something's odd

stuart: positive v. negative indicators?

rob: implicit, not well-broadcast
... no conditioning for legitimate sites to possibly have that positive indicators ...
... found that a lot of users have come to ignore info bar ...
... would expect that you don't need to interact with info bar in order to continue browsing; people ignore it ...

tyler: people could paint "verified by visa" in that style

section 8.2, poorly defined role for chrome

real chrome, not spoofed, what are problems

all indicators displayed in chrome are chosen by attacker, can fool the user

put better motivation into the text, like you spoke it

attacker has only some control, so how can attacker choose what is seen?

discussion with IE for how EV cert is displayed

EV cert displays name of CA, organization name

yngve: anything we can do in URL bar? some info that attacker has full control over

mez: what do we mean by control

text string that shows up on screen is put there by attacker

tlr: nervous about mixing attacks where the attacker chooses arbitrary stuff and attacks where the attacker has to go through administrative processes and the like

stuart: disagree with assumption that attacker can put any pixels out there

need to id who you are talking to

PHB: not too much phishing going on where there is any authentication; most is where there is no authentication

can't make it impossible for attacker to get cert; but can make it much harder

MEZ: propose alternatives for the text?

hal: attacker can choose confusing url constructions;...
... our charter is about displaying secure info accurately, what is displayed in URL isn't in?


8.2.3 attacker can choose url in other ways

web page can choose to show any logo it chooses

clarify that webpage is making decision about what to display

if network attack, display may not have anything to do with website

what is intent of fabricant?

<tlr> ACTION: thomas to propose alternative wording for 8.2.3 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action08]

<trackbot> Created ACTION-100 - Propose alternative wording for 8.2.3 [on Thomas Roessler - due 2007-02-06].

<Mez> Tyler, is there a ref for Favicon? If so, can it be added?

is there a favicon reference

<tlr> ACTION: zurko to suggest favorite favicon reference [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action09]

<trackbot> Created ACTION-101 - Suggest favorite favicon reference [on Mary Ellen Zurko - due 2007-02-06].

<yngve> Wikipedia http://en.wikipedia.org/wiki/Favicon

8.2.4 padlock: attacker chooses whether it is on or off

attacker can use ssl certificate? no, attacker's decision; can tell browser whether to turn on or off

<tlr> ACTION: tyler to switch order of 8.2.3 and 8.2.4 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action10]

<trackbot> Created ACTION-102 - Switch order of 8.2.3 and 8.2.4 [on Tyler Close - due 2007-02-06].

site author's actions will influence how browser displays things;

8.2.5 rehash of 8.2.2 firefox repeats host name taken from url; is the one attacker chose; with javascript can override

any indicators in major browsers not in note, except status bar

<tlr> ACTION: beltzner to propose descriptive text on firefox anti-phishing UI (for 8.2) [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action11]

<trackbot> Created ACTION-103 - Propose descriptive text on firefox anti-phishing UI (for 8.2) [on Mike Beltzner - due 2007-02-06].

<tlr> ACTION: tyler to extend 8.2.1 by tab title [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action12]

<trackbot> Created ACTION-104 - Extend 8.2.1 by tab title [on Tyler Close - due 2007-02-06].

<tlr> beltzner: notification / information bar

<tlr> rachna: other dialogues

<tlr> ACTION: beltzner to propose text on notification / information bar [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action13]

<trackbot> Created ACTION-105 - Propose text on notifiaction / information bar [on Mike Beltzner - due 2007-02-06].

what is chrome? dialog boxes should be included

<tlr> ACTION: Zurko to start discussion on mailing list to draw chrome items out and get analysis completed [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action15]

<trackbot> Created ACTION-132 - Start discussion on mailing list to draw chrome items out and get analysis completed [on Mary Ellen Zurko - due 2007-02-13].

everything that people are bringing up are things attacker is choosing to make display

phishers with certs are a non problem today

8.3 whole semantics around url depends on whether padlock is present

<tlr> ACTION: beltzner to propose clarifying language for 8.2.5 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action16]

<trackbot> Created ACTION-106 - Propose clarifying language for 8.2.5 [on Mike Beltzner - due 2007-02-06].

8.3

8.3 user perceptions - summarized 3 of major results of user studies

cite the 3 studies

<beltzner> ACTION: beltzner to create a library of testcases / examples of attacks listed in section 8 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action17]

<trackbot> Created ACTION-107 - Create a library of testcases / examples of attacks listed in section 8 [on Mike Beltzner - due 2007-02-06].

cite user studies for each point being made

<tlr> ACTION: thomas to track rachna to contribute more studies for 8.3 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action18]

<trackbot> Created ACTION-108 - Track rachna to contribute more studies for 8.3 [on Thomas Roessler - due 2007-02-06].

padlock icon - users believe it means security is present but studies show they don't really understand

does padlock come up for any ssl? if domain matches cert

<beltzner> the steps required to get the padlock in KDE are here: http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors

note contains much of padlock mechanisms; should make bigger point of what user studies show

<yngve> Opera differentiates padlock levels (1-3). domain must match for level 3 (if using strong crypto). non match means level 1 (and in v9 no padlock)

<tlr> ACTION: brandon to propose more elaborate text for 8.3.1 ("padlock icon") [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action20]

<trackbot> Created ACTION-109 - to propose more elaborate text for 8.3.1 ("padlock icon") [on Brandon Porter - due 2007-02-06].

should stuff on mechanism be here?

blacklist is out of scope

do we want to go deeper to mention what browser state is being displayed with the padlock icon

<tlr> Use section 7 to drill down on what SSL icon *really* means; processes used to verify icons.

8.3.2 rewrite of first 3 sentences

issue is "earlier components are subordinate to later components" what does subordinate mean

host names: like first names, last names

how can host name be presented to user? we're not interested in solutions now

<tlr> beltzner: users believe the first part of a domain name is important, when it's not

<beltzner> I think the problem is that 8.3.2 is worded in a needlessly complex manner, as opposed to saying "users think that the first string in a domain name is important or controlled, and it isn't"

<beltzner> or what tlr said

<tlr> rachna: it's any string in it

<scribe> new section 8.2 what can you do given attacker has control over specific strings

<tlr> phb: needs to be URL attacks, not just host name attacks -- new section in 8.2

<beltzner> ACTION: tyler to create new subsection under 8.2 to classify types of attacks [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action22]

<trackbot> Created ACTION-110 - Create new subsection under 8.2 to classify types of attacks [on Tyler Close - due 2007-02-06].

do browsers cut off beginning of url

<tlr> ACTION: tyler to track rob tracking URL scrolling issues [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action23]

<trackbot> Created ACTION-111 - Track rob tracking URL scrolling issues [on Tyler Close - due 2007-02-06].

8.3.3 security tool bar: chrome versus page distinction does not exist in users' minds

need to be clearer on definition of "most user"

<staikos> I don't really believe there is a valid "most user" :)

point of this section is to identify things we need to improve on when making recommendations, such as "chrome" and "page"

<bwporter> ACTION: brad to offer text suggestion around "many users" [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action24]

<trackbot> Created ACTION-133 - Offer text suggestion around "many users" [on Brandon Porter - due 2007-02-13].

<tlr> ACTION: thomas to rewrite 8.3.2 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action25]

<trackbot> Created ACTION-112 - Rewrite 8.3.2 [on Thomas Roessler - due 2007-02-06].

should 8.4.1 be in 8.3?

8.3.3. have def of chrome but not def of page

<tlr> ACTION: stuart to suggest "page" definition for Tim's glossary [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action26]

<trackbot> Created ACTION-113 - Suggest "page" definition for Tim's glossary [on Stuart Schechter - due 2007-02-06].

can't expect users to understand the difference between page and chrome?

8.4 if users understand what indicators are, are there still problems? this points out what user studies have shown

when browsing web, never really need to look at chrome, so what is the point of putting stuff in chrome

<tlr> ACTION: thomas to track rachna suggesting alternative wording for 8.4.1 [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action27]

<trackbot> Created ACTION-114 - Track rachna suggesting alternative wording for 8.4.1 [on Thomas Roessler - due 2007-02-06].

8.4.2 hard for users to recognize when something is missing, so maybe adding decorations for user to notice isn't effective

8.4.3 dialog boxes don't give user reasonable options, so users hit OK button

<yngve> About 8.4.3 there are at least as far as I can tell very few reasonable choices. usually just proceed or stop. The only other option to asking the user this would be to choose one of these, but which one, combined with what explanations/indications are the ones that are best/most secure for the user? If we err on the side of caution, the users might not be able to do what they want to do and know are safe, while we may protect them from a number of

<yngve> possible dangers. Let the users through with some UI indication and they will be able to do what they want, but they are also free to ignore the warnings and do something they will regret.

<beltzner> Tyler, http://www.mozilla.com/firefox/its-a-trap.html

<tlr> scribenick: staikos

Petname demo


Tyler: Pet name is a firefox extension that can be downloaded from the add-on site
... people have "relationships" in the real world and make associations with those
... want to have the same associations on the web
... adds a lineedit toolbar. type in, ex: "dyndns" - goes to the appropriate website
... shows "untrusted" in pet name field when site is unknown
... simply type in a text name to remember the site
... also reminds you that you have been at a site if you go there by navigating links
... can add more information

mez: (missed question)

tyler: deployment experience

tyler: failings exist...

Hal: questions about all the input fields in the chrome

tyler: demos usage of firefox without url bar, only petnames + search + tabs

possible memory burden, like passwords

tyler: okay that it is guessable

But how many users will actually take time / effort to assign petnames?

No hard data on this

Banking is by far most popular usage

steep drop off beyond that in terms of usage

petname in url bar is slightly more spoofable (idea brought up by Mike)

tab title is a possible place to put the pet name

however petname applies site-wide, title is page-scope

generating chrome pattern skin to avoid pic-in-pic?

reports say they may not be working

wants to see a cartoon char in far-left of chrome

<beltzner> (cite: Jackson & Microsoft Research, recent study on EV certs showed that even difference in chrome colouration didn't significantly improve picture-in-picture recognition)

another problem; it's yet another chrome indicator and therefore users may not look there actively

would like to see user/password entry fields out of content region

(see also: cardspace, kwallet, web wallet, ...)

could warn when sending passwords to new sites

keeping reliable info at bottom of region in particular to separate it from things like urls that are provided from possibly untrusted content

rob: giving feedback on risky actions is good if we can find consistent ways to do it, but the bottom of the page is risky

too many confusing widgets nearby

IE uses it for low-value notifications

(discussion of implementations of other systems)

form fill might be workable in the bottom but security notifications there are risky

Stuart: why not using existing bookmark interface?

tyler: easy, I am!

petnames automatically creates a bookmark when you create a petname, and the petname bookmark can be used for navigation

maritzaj: like the positive or interrogative boxes vs negative message boxes

tyler can keep talking if we want, but that means scribe has to keep typing

so vote is no

tyler: petnames is also great for banks that have multiple sites

uses information from the SSL cert

Extended Validation Certificates

See: slides

PHB: scope of EV: limited
... ev is about accountability, which is not security, but enables security ...
... in the past: internet access was expensive ...

today we have: impersonation, can't see when it's safe or not safe, and DV certs

DV certs solve some classes of problems

(DV = domain validated)

Ev objectives: increase accountability, confidence, and inform suspicious users

biggest bank costs is not direct fraud, but customer help desk calls

stretch goal: protect naive user

mez: increasing confidence of users while not protecting them. excellent.

beltzner: improved user experience is not addressed strictly in EV

EV in IE7 demo

mez: display switches over between different data -- accessibility guidelines?

rob: UI challenges exist, but our implementation does pass US govt accessibility requirements

phb: user experience changes are shallow, but testing shows that users notice the UI indicator
... disagrees with the recent study bashing EV

rob: pic in pic attack is definitely real. we expect site ops to communicate and educate users

pic in pic can be defeated with education

not all agree

One study showed that the red bar trumped the green one and that was what stood out in memory

(debate ensues about how good the IE7 UI decisions were)

mez: we should get data on this

two studies are coming on this

one from CMU, one from usable security

reports conflict

in the past, training was hard because the UI was hard. better UI makes training easier

back to the PHB show

CA-browser forum: defining minimum criteria for authentication

consists of most browser developers, most CAs

tyler: what about name collisions?

phb: name+jurisdiction is the primary key

is this vulnerable to trademark phishing?

obtaining the cert requires display of incorporation documents, address for legal processes, display of accountability for that name

We have an accountability trail now

beltzner: this has been reviewed rigorously by authorities (ex: top legal experts)

people will try to attack it

?

http://www.pcworld.com/article/id,128674-c,onlinesecurity/article.html

Revocation changes with EV....

eventually OCSP is mandatory with ~1 hr update cycles

rob: we need to be positive in our report too. talk about all the great improvements we've made.

beltzner: speaking slowly
... we would do better to separate UI EV aspects from the spec when we talk about it...
... this demo mixes the two ...
... EV is a huge leap in information available ...
... green bar is a step up, but small step relative to what could be there

mez: tones will not be scribed in docs

rob: balance++

tyler: EV attempts to address phishing through cost increases
... this increases costs for everyone ...
... requires $100k/year to justify an EV cert ...

beltzner: EV spec doesn't need to be consistent with W3C. I am a big opponent of current EV spec but hope to support it someday
... SMB issue is a special case, and market will improve costs
... EV is there to identify, not to verify ...
... does not address business practices ...

stuart: how does economy of scale apply?

phb: costs : paying the CA, but also the procedures involved
... complainers don't even have SSL certs and are just making noise ...
... back to the regularly scheduled show ...
... "Opinion letter" ...
... allows extending the model to more than just the business name ...
... brands, logos, BBB rating, etc ...
... for non-inc businesses, could use "Merchant Acquirer Agreement" ...
... some issues exist ...

fancy logotype demo

... logotypes are not part of CA-Browser forum ...
... but they should use EV as a minimum security level ...

(details about the contents of EV spec)

tyler: EV spec focuses on true name - is this really the phishing problem?
... maybe the relationship is more of an issue ...
... "is this -my- bank" ...

(search for a usecase for the EV model)

6.12 maybe

... bob could share FSTC cases with us...

Bob: very narrow scope, maybe not relevant

PHB: (explanation of the OID system in EV roots. ref: CA-Browser forum)

beltzner: don't know where it should go but we need "current limitations" in the document

bwporter: cost burden is shifted in the different approaches
... where could it be shifted? ...

Tyler: can we quantify the user-burden?

mez: groupware is an analogy

<tlr> ACTION: zurko to contribute reference on cost/benefit questions in usability [recorded in http://www.w3.org/2007/01/30-wsc-minutes.html#action28]

<trackbot> Created ACTION-115 - Contribute reference on cost/benefit questions in usability [on Mary Ellen Zurko - due 2007-02-07].

Tyler: burden with petnames is small

<maritzaj> http://www.w3.org/2006/WSC/drafts/note/

Discussion of section 9.1

maritzaj: things to keep in mind
... Affordance ...
... Lock icon clickability is not clear ...
... Conceptual model - info should be displayed in a way that the user understands that what s/he thinks is happening is actually happening ...

Tyler: says the conceptual model is the user model
... discussion of password *ing case...

(site could be stealing keys)

(https may not be in use)

hal: *s were never intended to indicate encryption or protection. it was just an anti-shoulder-surfing-mechanism

mez: doesn't think it's been thought through

2.1 appears to apply

icons may be hard to describe though

may be too narrow - maybe use "indicators"

should be changed in the doc by Tyler

tlr: why should it only be 1 conceptual model?

mez: maybe there won't be just one, but there is no indication that -we- -want- to put out multiple...
... compare to cars: we want to be able to have everyone operate safely, even if they don't operate the same way ...
... discussion of mental model and whether or not to include it ...
... we should discourage indicators that lead to false mental models ...
... if conceptual model goes in, it needs to go in the glossary ...

(so why put it in if we can't define it anyway?)

... there is a definition there and seems to be UI-expert-friendly ...

beltzner: creating a mental model is an overwhelming task
... there appears to be a disconnect between what users think is happening and what actually is happening ...

9.1.3

UI should be understandable (language, etc) to the user

it should not be written in SHA-1

introducing new terms in a limited sense can be good

9.1.4

from Raskin's book

habit formation happens, design around it

9.1.5: single locus of attention

then it's always in focus!!

<tlr> staikos thinks we should put the padlock and EV indicator in the mouse pointer

256x256 pixels

;)

tyler: user can quickly forget what security indicator said

mez: we made it to 9.1.5!!!

<beltzner> staikos, meh, that's spoofable

beltzner: okay, then 512x512 pixels

we could put the url: bar in the mouse pointer too

Summary of Action Items

<trackbot> Created ACTION-93 - Explain issue raising process on public mailing list [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-94 - Draft subsections for 8 about "compelling user interface", crypto [on Phillip Hallam-Baker - due 2007-02-06].

<trackbot> Created ACTION-95 - Review use cases, suggest reorganization, ... [on Stuart Schechter - due 2007-02-06].

<trackbot> Created ACTION-96 - Draft initial outline of glossary [on Tim Hahn - due 2007-02-06].

<trackbot> Created ACTION-97 - Seed and drive process to document current-generation undocumented safeguards in wiki [on Mike Beltzner - due 2007-02-06].

<trackbot> Created ACTION-98 - Track Rachna adding references for 8.1.2 [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-99 - Track Rachna to draft text for section 8, covering "block pages" [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-100 - Propose alternative wording for 8.2.3 [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-101 - Suggest favorite favicon reference [on Mary Ellen Zurko - due 2007-02-06].

<trackbot> Created ACTION-102 - Switch order of 8.2.3 and 8.2.4 [on Tyler Close - due 2007-02-06].

<trackbot> Created ACTION-103 - Propose descriptive text on firefox anti-phishing UI (for 8.2) [on Mike Beltzner - due 2007-02-06].

<trackbot> Created ACTION-104 - Extend 8.2.1 by tab title [on Tyler Close - due 2007-02-06].

<trackbot> Created ACTION-105 - Propose text on notifiaction / information bar [on Mike Beltzner - due 2007-02-06].

<trackbot> Created ACTION-132 - Start discussion on mailing list to draw chrome items out and get analysis completed [on Mary Ellen Zurko - due 2007-02-13].

<trackbot> Created ACTION-106 - Propose clarifying language for 8.2.5 [on Mike Beltzner - due 2007-02-06].

<trackbot> Created ACTION-107 - Create a library of testcases / examples of attacks listed in section 8 [on Mike Beltzner - due 2007-02-06].

<trackbot> Created ACTION-108 - Track rachna to contribute more studies for 8.3 [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-109 - to propose more elaborate text for 8.3.1 ("padlock icon") [on Brandon Porter - due 2007-02-06].

<trackbot> Created ACTION-110 - Create new subsection under 8.2 to classify types of attacks [on Tyler Close - due 2007-02-06].

<trackbot> Created ACTION-111 - Track rob tracking URL scrolling issues [on Tyler Close - due 2007-02-06].

<trackbot> Created ACTION-133 - Offer text suggestion around "many users" [on Brandon Porter - due 2007-02-13].

<trackbot> Created ACTION-112 - Rewrite 8.3.2 [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-113 - Suggest "page" definition for Tim's glossary [on Stuart Schechter - due 2007-02-06].

<trackbot> Created ACTION-114 - Track rachna suggesting alternative wording for 8.4.1 [on Thomas Roessler - due 2007-02-06].

<trackbot> Created ACTION-115 - Contribute reference on cost/benefit questions in usability [on Mary Ellen Zurko - due 2007-02-07].

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Date: 2007/03/09 16:14:21 $