See also: IRC log
Approving minutes from last meeting
<tlr> http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html
Minutes approved nem con
Next topic: Newly closed action items
No issues raised.
tlr http://www.w3.org/2006/WSC/drafts/note/
MEZ: Issue is getting our note to First Public Working Draft (FPWD). Have people actually read the draft?
<Nadalin> yes
MEZ: Reading the draft is 'trivial parallelism': we can all read it at once. Are there substantive issues we need to address before FPWD?
TLR: One would be to move material from overview to the abstract
MEZ: OK but this is not a blocking issue, you can do it this week while you are editor.
tlr ACTION: thomas to expand abstract of note by moving in material from overview [recorded in http://www.w3.org/2007/02/20-wsc-minutes.html#action02]
Recorded as ACTION-145.
Chuck Wade: we need to address the fact that there are many specialized browsers for particular content, specialized actions etc, W3C can provide forward references. This? was not coming out in note
Bill-d: We should address the topics of forward evolving models, forward security models, isolated sandbox modes, newer O/S models, treat security possibly in completely different mechanisms
Chuck: Part of what maybe needs to be brought to the forefront is the way that browsers deal with the platform, using common infrastructure of the platform rather than bringing it all themselves. The platform is a better place to put security to be used by many browsers, applications as common interfaces, this is not just about how security should be presented to users using a browser but by users using the Web, many more diverse platforms, many more uses than in the past.
tlr: did a bit of rewriting last week on the way in which the note deals with what is in and out of scope. Rephrased from relatively product centric view to talking about web interactions, http, https at the center of that
Chuck I agree with you, Thomas, that some of the recent changes do improve the document.
tlr: Are the changes made last week sufficient to take this into account in your view, is this something that has to happen now?
chuck: can happen later, should be more visible, some of the recent changes heading in the right direction
mez: charter is very general, say web user agent
Chuck I'm merely arguing that at some of these key concepts need to be more "front and center."
mez: use cases were browser centric last time I looked at them
Chuck We need to be "Web" centric, and not "browser" centric in terms of user security context
mez: we briefly discussed widgets on the list a while ago we discussed voice browsers a while ago, in general we were trying to motivate the stuff we are doing with use cases, it could be that there are some use cases that are missing. one that is missing is a list of user agents we are going to cover, one of the reasons I would have liked the list is for just this reason, trying to keep in mind, do it centrally as sort of a goal thing.
Chuck How about the "iTunes" use case? This is somewhat "tongue in cheek" remark, but this is an example of what will likely emerge as a much more common approach.
mez: How do people get security context from iTunes? Not the way they get it from a browser? Are these use cases rather than user agents?
Chuck: Use cases rather than user agents, stock transactions, things like that, what about the AJAX applications? Web will be redefined in many ways, New social engineering opportunities
Beltzner +1 to MEZ
MEZ we are not about changing anything under the covers, you are beginning to wander there
TLR: I am going to be the bureaucrat: there are a lot of important points, are these on the critical path for the first draft of this note? To what extent does it affect classes of implementations for which we define conformance? State that the note is in currently is ok for first public draft, may want to contribute further use cases, first draft is soliciting comment for the first time, not closure
Chuck I am not suggesting that we hold off sharing our work with a wider audience, but that we consider evolving our Note to address some of the forward references
MEZ: Chuck willing to take an action to lead conversation on list
Chuck: yes
tlr ACTION: chuck to start conversation on conformance for non-browser user agents and forward-looking web use [recorded in http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
Recorded as ACTION-146.
MEZ: Everyone is happy, any more comments on FPWD? ... NO
TLR: Thing to do is for the group to agree to go to FPWD if folk are happy with me to fix the abstract
MEZ: will ask you to send out a copy of or a link to when it changes ... that ok thomas?
TLR: need to be clear, we are doing the first PWD for the note not substantive proposals. I rephrase, if nobody objects then we publish that would work for me, does that make sense?
MEZ i think it sounds good
MEZ: should we talk through any mechanics need to do at group level
TLR at group level we need a decision
MEZ we are making the decision now
TLR: sorry for spoiling the party: title and short name for the thing?
MEZ: do you remember what they were
MEZ takes a minute to find it
MEZ will have the dreaded phrase web security context
MEZ any other proposals, put them forward
tlr PROPOSED: Web Security Context Use Cases and Requirements
tlr shortname: wsc-reqs
Chuck How about: "Trusting the Web--Not!"
PHB: we need something better than security context
HAL: user interface?
Mez "Web Security Context: Requirements and Use Cases"
PHB User Experience is better
MEZ agrees
Chuck How about "Security EXperience"? The Acronym ought to be catchy
Mez "Usable and Robust Display of Web Security Context: Requirements and Use Cases"
Beltzner: don't like user interface, tends to create ire amongst browser providers
Mez "Are You Experienced"
Beltzner: idicators is good, indicators
Nadalin Secure Web User Experience: Requirements and Use Cases
Mez "Web Security Experience and Indicators: Use Cases and Requirements"
MEZ: security experience and indicators?
Chuck Security Experience and Indicators
hal just web security indicators
TLR: ??
Mez WEB Security Experience ...
TLR: secure browsing? tagline from PR
MEZ Are we overpromising?
bill-d web IA
TLR does this map to what we provide?
hal I like just plain web security indicators - drop experience
johnath Web Security Information and Indicators?
Mez "Web Security Indicators: Use Cases and Requirements"
Chuck How about Web Trust Indicators
PHB likes experience
Chuck Trust is the real problem,
MEZ trust makes her nervous
Chuck Ultimately, what matters is whether the person can trust their experience on the Web
Mez "Trusting Web Trust" - gets both usability and robustness
Nadalin I think that we need to include "experience" since we are not talking about all of security its just the visual experience
rfranco I think the document is more about recommendations rather than requirements, needs, you wanted to be more than just experience and indicators - needs to use context to provide IA
beltzner rfranco++
Mez "Making Assurance Double Sure: Directions in Web Experience and Indicators"
bill-d: information assurance... want trust.. secure experience.. don't want to say provide secure environment
Chuck How important is it for the user to be able to trust the content they're presented with?
PHB: We can make an empirical statement about the state of Web security experience... albeit a negative one
beltzner Mez_: "security" seems to have some consensus
beltzner :)
Mez "Web Security Experience, Indicators, and Trust"
MEZ: consensus????
johnath Mez_++
beltzner yeah, that last one was good
Mez "Trusting Web Security Experience and Indicators: Use Cases and Directions"
beltzner plus it starts with WS, which makes johnath and I happy
Chuck There's trust of the session you have with a Web site or sites, and then there is the question of whether or not you can trust what you get back from the Web site. The tendency to have so many actors throwing up content on a page that the user thinks is associated with a single site is a real part of the problem.
johnath mez - Liked your previous one more than this last
HAL: term security maps to what people expect..
Chuck "Trust" as a term is a perfectly good English word that has been corrupted by the various security snake oil purveyors
Mez "Web Security Experience, Indicators and Trust: Requirements and Use Cases"
johnath yes - sorry, assumed the suffix there. Mez++ again
TLJ: must not appear to be recommendations as it isn't
Mez "Web Security Experience, Indicators and Trust: Scope and Use Cases"
Beltzner: note is not putting forward requirements
beltzner sounds like a barn burner
TLR use cases but probably not specific enough for requirements
MEZ: now taking concrete suggestions or alternatives
MEZ: ok we have a title
tlr title: Web Security Experience, Indicators and Trust: Scope and Use Cases
Mez wseit-scope
Mez wsc-scope
Mez wsc-use-cases
tlr wsc-usecases
HAL: hard enough without name of doc being different to WG
mez: any objections, alternatives
tlr RESOLVED: Web Security Experience, Indicators and Trust: Scope and Use Cases
tlr RESOLVED: wsc-usecases
MEZ: ok we have a title, short title
Chuck Yes
rfranco what is the date?
tlr RESOLVED: To move editor's draft to FPWD after no-objection period for abstract
TLR: purely editorial changes ... publication now mechanical apart from the abstract
TLR abstract by noon eastern tomorrow
TLR 2,3,4 March for publication???
TLR any changes after now into future version
franco: going live with news immediately prior to the next f2f?
Mez http://www.w3.org/2006/WSC/
MEZ: any other things needed at the team level
MEZ alright great....
MEZ: don't think we have time for any other discussion items today... will send notes on chrome to list
MEZ will also be putting out reply on reputation service
TLR: metz q on how to proceed
... note will not be published by next meeting, how do we move on to the recommendations side of the doc?
... probably quite ready to move on to the technical side of the discussion,
Take up threat trees
tlr meeting adjourned