WSC Working Group Teleconference

20 Feb 2007

See also: IRC log


Mike Beltzner
Chuck Wade
Hal Lockhart
Maritza Johnson
Mary Ellen Zurko
Tony Nadalin
Phill Hallam-Baker
Paul Hill
Rob Franco
Thomas Roessler
(Rob Franco)
Mary Ellen Zurko
Phill Hallam-Baker


Minutes approval

Approving minutes from last meeting

<tlr> http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html

Minutes approved nem con

Action Item review

Next topic: Newly closed action items

No issues raised.

Note Draft

tlr: http://www.w3.org/2006/WSC/drafts/note/

MEZ: Issue is getting our note to First Public Working Draft (FPWD). Have people actually read the draft?

<Nadalin> yes

MEZ: Reading the draft is 'trivial parallelism': we can all read it at once. Are there substantive issues we need to address before FPWD?

TLR: One would be to move material from overview to the abstract

MEZ: OK but this is not a blocking issue, you can do it this week while you are editor.

tlr ACTION: thomas to expand abstract of note by moving in material from overview [recorded in http://www.w3.org/2007/02/20-wsc-minutes.html#action02]

Recorded as ACTION-145.

Chuck Wade: we need to address the fact that there are many specialized browsers for particular content, specialized actions, etc.; W3C can provide forward references. This? was not coming out in the note.

Bill-d: We should address the topics of forward evolving models, forward security models, isolated sandbox modes, newer O/S models, treat security possibly in completely different mechanisms

Chuck: Part of what maybe needs to be brought to the forefront is the way that browsers deal with the platform, using common infrastructure of the platform rather than bringing it all themselves. The platform is a better place to put security to be used by many browsers and applications as common interfaces; this is not just about how security should be presented to users using a browser but to users using the Web: many more diverse platforms, many more uses than in the past.

tlr: did a bit of rewriting last week on the way in which the note deals with what is in and out of scope. Rephrased from a relatively product-centric view to talking about web interactions, with http and https at the center of that.

Chuck: I agree with you, Thomas, that some of the recent changes do improve the document.

tlr: Are the changes made last week sufficient to take this into account in your view, is this something that has to happen now?

chuck: can happen later, should be more visible, some of the recent changes heading in the right direction

mez: charter is very general, say web user agent

Chuck: I'm merely arguing that some of these key concepts need to be more "front and center."

mez: use cases were browser-centric last time I looked at them

Chuck: We need to be "Web" centric, and not "browser" centric, in terms of user security context

mez: we briefly discussed widgets on the list a while ago, and we discussed voice browsers a while ago. In general we were trying to motivate the stuff we are doing with use cases; it could be that there are some use cases that are missing. One that is missing is a list of user agents we are going to cover; one of the reasons I would have liked the list is for just this reason, trying to keep it in mind, do it centrally as sort of a goal thing.

Chuck: How about the "iTunes" use case? This is a somewhat "tongue in cheek" remark, but this is an example of what will likely emerge as a much more common approach.

mez: How do people get security context from iTunes? Not the way they get it from a browser? Are these use cases rather than user agents?

Chuck: Use cases rather than user agents; stock transactions, things like that. What about the AJAX applications? The Web will be redefined in many ways. New social engineering opportunities.

Beltzner: +1 to MEZ

MEZ: we are not about changing anything under the covers; you are beginning to wander there

TLR: I am going to be the bureaucrat: there are a lot of important points; are these on the critical path for the first draft of this note? To what extent does it affect classes of implementations for which we define conformance? The state the note is in currently is ok for a first public draft; we may want to contribute further use cases; the first draft is soliciting comment for the first time, not closure.

Chuck: I am not suggesting that we hold off sharing our work with a wider audience, but that we consider evolving our Note to address some of the forward references.

MEZ: Chuck willing to take an action to lead conversation on list

Chuck: yes

tlr ACTION: chuck to start conversation on conformance for non-browser user agents and forward-looking web use [recorded in http://www.w3.org/2007/02/20-wsc-minutes.html#action03]

Recorded as ACTION-146.

MEZ: Everyone is happy, any more comments on FPWD? ... NO

TLR: Thing to do is for the group to agree to go to FPWD if folk are happy with me to fix the abstract

MEZ: will ask you to send out a copy of or a link to it when it changes ... is that ok, Thomas?

TLR: need to be clear, we are doing the first PWD for the note, not substantive proposals. I rephrase: if nobody objects then we publish; that would work for me. Does that make sense?

MEZ: I think it sounds good

MEZ: should we talk through any mechanics we need to do at group level?

TLR: at group level we need a decision

MEZ: we are making the decision now

TLR: sorry for spoiling the party: title and short name for the thing?

MEZ: do you remember what they were?

MEZ takes a minute to find it

MEZ: will have the dreaded phrase "web security context"

MEZ: any other proposals? Put them forward

tlr PROPOSED: Web Security Context Use Cases and Requirements

tlr shortname: wsc-reqs

Chuck: How about: "Trusting the Web--Not!"

PHB: we need something better than "security context"

HAL: user interface?

Mez: "Web Security Context: Requirements and Use Cases"

PHB: User Experience is better

MEZ agrees

Chuck: How about "Security EXperience"? The acronym ought to be catchy

Mez: "Usable and Robust Display of Web Security Context: Requirements and Use Cases"

Beltzner: don't like user interface; tends to create ire amongst browser providers

Mez: "Are You Experienced"

Beltzner: indicators is good, indicators

Nadalin: Secure Web User Experience: Requirements and Use Cases

Mez: "Web Security Experience and Indicators: Use Cases and Requirements"

MEZ: security experience and indicators?

Chuck: Security Experience and Indicators

hal: just web security indicators

TLR: ??

Mez: Web Security Experience ...

TLR: secure browsing? tagline from PR

MEZ: Are we overpromising?

bill-d: web IA

TLR: does this map to what we provide?

hal: I like just plain web security indicators - drop experience

johnath: Web Security Information and Indicators?

Mez: "Web Security Indicators: Use Cases and Requirements"

Chuck: How about Web Trust Indicators

PHB likes experience

Chuck: Trust is the real problem.

MEZ trust makes her nervous

Chuck: Ultimately, what matters is whether the person can trust their experience on the Web

Mez: "Trusting Web Trust" - gets both usability and robustness

Nadalin: I think that we need to include "experience" since we are not talking about all of security; it's just the visual experience

rfranco: I think the document is more about recommendations rather than requirements; needs, you wanted to be more than just experience and indicators - needs to use context to provide IA

beltzner: rfranco++

Mez: "Making Assurance Double Sure: Directions in Web Experience and Indicators"

bill-d: information assurance... want trust.. secure experience.. don't want to say provide secure environment

Chuck: How important is it for the user to be able to trust the content they're presented with?

PHB: We can make an empirical statement about the state of Web security experience... albeit a negative one

beltzner: Mez_: "security" seems to have some consensus

beltzner: :)

Mez: "Web Security Experience, Indicators, and Trust"

MEZ: consensus????

johnath: Mez_++

beltzner: yeah, that last one was good

Mez: "Trusting Web Security Experience and Indicators: Use Cases and Directions"

beltzner: plus it starts with WS, which makes johnath and me happy

Chuck: There's trust of the session you have with a Web site or sites, and then there is the question of whether or not you can trust what you get back from the Web site. The tendency to have so many actors throwing up content on a page that the user thinks is associated with a single site is a real part of the problem.

johnath: mez - liked your previous one more than this last

HAL: term security maps to what people expect..

Chuck: "Trust" as a term is a perfectly good English word that has been corrupted by the various security snake oil purveyors

Mez: "Web Security Experience, Indicators and Trust: Requirements and Use Cases"

johnath: yes - sorry, assumed the suffix there. Mez++ again

TLR: must not appear to be recommendations, as it isn't

Mez: "Web Security Experience, Indicators and Trust: Scope and Use Cases"

Beltzner: note is not putting forward requirements

beltzner: sounds like a barn burner

TLR: use cases, but probably not specific enough for requirements

MEZ: now taking concrete suggestions or alternatives

MEZ: ok we have a title

tlr title: Web Security Experience, Indicators and Trust: Scope and Use Cases

Mez: wseit-scope

Mez: wsc-scope

Mez: wsc-use-cases

tlr: wsc-usecases

HAL: hard enough without the name of the doc being different from the WG

mez: any objections, alternatives?

tlr RESOLVED: Web Security Experience, Indicators and Trust: Scope and Use Cases

tlr RESOLVED: wsc-usecases

MEZ: ok we have a title, short title

Chuck: Yes

rfranco: what is the date?

tlr RESOLVED: To move editor's draft to FPWD after no-objection period for abstract

TLR: purely editorial changes ... publication now mechanical apart from the abstract

TLR: abstract by noon Eastern tomorrow

TLR: 2, 3, 4 March for publication???

TLR: any changes after now go into the future version

franco: going live with news immediately prior to the next f2f?

Mez: http://www.w3.org/2006/WSC/

MEZ: any other things needed at the team level?

MEZ: alright, great....

MEZ: don't think we have time for any other discussion items today... will send notes on chrome to list

MEZ: will also be putting out a reply on reputation service

TLR: Mez q on how to proceed
... note will not be published by next meeting; how do we move on to the recommendations side of the doc?
... probably quite ready to move on to the technical side of the discussion; take up threat trees

tlr meeting adjourned

Summary of Action Items

[NEW] ACTION: chuck to start conversation on conformance for non-browser user agents and forward-looking web use [recorded in http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
[NEW] ACTION: thomas to expand abstract of note by moving in material from overview [recorded in http://www.w3.org/2007/02/20-wsc-minutes.html#action02]

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Date: 2007/03/09 16:15:20 $