See also: IRC log
<tlr> http://www.w3.org/2007/05/16-wsc-minutes
Mez: last minutes approved
Mez: no objections?
Mez: anyone wants to change the agenda?
<tlr> -nope-
<PHB> trying to get here
<tlr> http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler
<tlr> http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/
tlr: make sure your mac address of your wireless card is in the questionaire, otherwise you will not have internet access in Dublin
<staikos> trinity is very strict about the mac address thing
tlr: another f2f, between Dublin and November
<tlr> http://www.w3.org/2002/09/wbs/39814/f2f3sched/
tlr: another questionaire about such a f2f, please answer it before you go to Dublin
<rachna_> is Mike coming to Dublin or calling in?
PHB: secure letterhead, means
communicating the brand to the customer
... if we are going to put the brand infront of the customer,
it has to be secure and trustworthy
... Using EV certificates
... combined, secure chrome, x509 logo type gives secure letter
head
... There are 3 slots for logo; subject, community and issuer
logos
... community logo allows space to extend accreditation
criteria.
bill-d: addessing many of the same issues as came up on EV
bill-d: how to verify?
<staikos> but no-one knows who the issuers are ;)
PHB: Demos, don't display subject logo, unless there is a issuer logo.
<johnath> staikos: we won't help that by continuing not to show them. :)
<asaldhan> can someone give me the wiki link for PHB's secure letter head description
<Mez> there is none; sorry
<Mez> there will be one in the action item follow up :-)
PHB: issuer's brand name will be linked to the subject logo
<Mez> but for now, we need to listen (which can be hard, I agree, without any text)
PHB: subject might not be honest, accountabiltiy for issuer
johnath: what kind of UI is envisioned for this?
PHB: see the secure letterhead "plugin"
<hal> I suggest a couple of screen shots
<Mez> +1 hal
PHB: it is not ready for "prime
time", yet
... if you look at IE7, to the right of the green address bar
you will see the logo
Chuck: what happens when you want multiple community logos ?
<Chuck> There's the reverse situation, where the "community" would want to set policy for CA issuers
<serge> So beyond spoofing chrome in picture in picture attacks, most users can't even tell between chrome and content
<Zakim> johnath, you wanted to note that EV doesn't have rules for logotype
johnath: logotype and EV are not specified
<PHB2> The CABForum 1.0 guidelines do not make any statement on logos, it is silent
<PHB2> It is entirely valid to issue an EV cert today
rachna_: spoofing issues; chrome vs content
<tlr> ACTION: Hallam-Baker to introduce Secure Letterhead item in the wiki - due 2007-05-30 [recorded in http://www.w3.org/2007/05/23-wsc-minutes.html#action01]
<trackbot> Created ACTION-220 - introduce Secure Letterhead item in the wiki [on Phillip Hallam-Baker - due 2007-05-30].
<PHB2> an EV cert weith letterhead
<PHB2> There is already a major application product deployed that has logotype functionality built in, it is not yet enabled
<tlr> http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators
Mez: Making security indicators robust from spoofing attacks
<PHB2> So CABForum definitely needs to address this and it was in fact due for discussion at the last meeting (but was not discussed)
<staikos> uh
<staikos> ??
<PHB2> WRT Rachna's issue, yes icons are a very very powerful tool, that is why I want to use them.
<tlr> if you still hear us, all is well, and it's just zakim confused
<staikos> I do not
<tlr> in that case, retry
<PHB2> I regard a good test of the user interface to be if it is dangerous in that fashion.
Mez: three issues; 1) Make it hard to guess, 2) ??, 3) how to create such a chrome
<serge> It seems there are two different issues here: making the indicators secure from spoofing, and conveying that to users
bill-d: what is robustness?
Mez: robustness is, something
that can make something hard hard to spoof.
... techniques to not allow content to emulate security
indicators
<rachna_> I think robustness can be accomplished by 1) making indicators hard to predict by attackers (customization) 2) generated in a way only the user can generate (secure action sequence)
<PHB2> I would like to do double-blind trials of the schemes, show a genuine site and a phishing site with and without the security indicators. The power of the indicator is determined by the extent to which it is relied on. If an indicator is strong it should cause people to trust the phishing site and the absence should cause people not to trust the genuine site.
<tlr> that were the 5 min indeed
serge: as long as the content looks good, the security indicators are ignored. How do we handle that?
<rachna_> PHB: to add to your study, you also need to study the condition where there is an absence of indicators in the chrome and they are present in the webpage. This is a low cost attack that will be very effective.
<PHB2> rachna: very true, in fact I would suggest that we need to rethink the whole issue of security usability testing. The Microsoft study illustrates an unfortunate fact that a study with three sample points seems to trump a deployment study with a few tens of millions of data points :-)
rachna_: robustness and usability are separated on the f2f
<tlr> ACTION: zurko to match RobustSecurityIndicators against other proposals; ensure nothing gets lost [recorded in http://www.w3.org/2007/05/23-wsc-minutes.html#action02]
<trackbot> Created ACTION-221 - Match RobustSecurityIndicators against other proposals; ensure nothing gets lost [on Mary Ellen Zurko - due 2007-05-30].
<tlr> ACTION-221 due June 8
Mez: that's it for the lightening discussions. If you want to hold one, please contact Mez.
<tlr> not WS!
tlr: we should get out an updated draft of the use case document around the time of the f2f
<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html
Mez: how do we incorporate deadlines for the drafts?
tlr: that's why we have last call drafts
<Zakim> rachna, you wanted to get back to f2f agenda... is there a reason that we are discussing robustness and usability testing separately at the meeting?
Tyler: Will have to post the current snapshot of our document by tomorrow, to make it by June 2
<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html
Mez: can we get Thomas' changes into the document?
Tyler: yes
Mez: anyone has any issues with posting the current draft?
<tlr> RESOLUTION: publish current state of wsc-usecases as public working draft
<tlr> ACTION: thomas to work with Tyler to ensure publication of updated draft [recorded in http://www.w3.org/2007/05/23-wsc-minutes.html#action03]
<trackbot> Created ACTION-222 - Work with Tyler to ensure publication of updated draft [on Thomas Roessler - due 2007-05-30].
<tlr> 61# mutes
<tlr> 60# unmutes
<tlr> Zakim seems sick
<staikos> no
<staikos> oh yes you are
<staikos> I think so
<tlr> it's a bit better
<tlr> mez, keep talking
<Chuck> The problem appears to be with the bridge, perhaps due to varying delay due to VoIP artifacts
<johnath> you're clear at the moment
<johnath> (@ Mez)
Mez: any problems with putting out the first public working draft?
tlr: start walking through the individual recommendations at the f2f, this might give us better understanding of the issues at hand.
Tyler: it is important to have good conformance recommendations.
<Mez> it's a good point; what is it we need from a fpwd? I too have been assuming it's enough to start prototyping and testing
tlr: concern; some of the proposals might not be concrete enough
<Mez> doesn't testing come before making sure what is tested can be conformed to?
<tlr> http://www.w3.org/TR/UAAG/
hal: are there models from other w3c groups for specifications of user interfaces?
tlr: might be worth to have a look at the usability and accessibilty guidelines
<rachna_> another example are previous usability tests. Some studies test abstract ideas (e.g., a security warning on a toolbar) rather than a specific implementation (e.g., the NetCraft toolbar).
PHB: must use high level language in the recommendations. Not too many details
<PHB2> ??? did we just lose sound?
<Mez> yes
<Mez> I can hear you
<Mez> but it's lousey
<Tyler> I can hear TLR
<Mez> yeah, it's ok
<Mez> there's a bit of tinny reverb
<PHB2> not getting anything
<Mez> I hear him phil
tlr: a section for techniques on how to implement a recommendation
<Mez> prototype creator can be confident it reflects the recommendation, and it's good enough to design some tests
<tlr> Editors draft of recommendations Deadline May 14, two weeks before next f2f
<Mez> tlr, please type in which parts you think have slipped already
<Mez> which item on the timeline?
<Mez> I don't see "close enough"
tlr: I think we might be slipping the editor's draft of the recommendation
<tlr> Editors draft of recommendations Deadline May 14, two weeks before next f2f
<Mez> ah, yes, that was May 14 and we did not make that; thanks
<Mez> When is Shawn getting out the editor's draft?
Tyler: this week
<Mez> by the 25th
Mez: how do we decide wether or not go to the first public working draft?
tlr: we need to have som notion on what conformance is
<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html
<tlr> ACTION: thomas to propose prioritization of rec template elements [recorded in http://www.w3.org/2007/05/23-wsc-minutes.html#action04]
<trackbot> Created ACTION-223 - Propose prioritization of rec template elements [on Thomas Roessler - due 2007-05-30].
Tyler: we need a cut off date for making recommendation proposals
<tlr> ACTION: zurko to propose cut-off date for fitting rec proposals into template [recorded in http://www.w3.org/2007/05/23-wsc-minutes.html#action05]
<trackbot> Created ACTION-224 - Propose cut-off date for fitting rec proposals into template [on Mary Ellen Zurko - due 2007-05-30].
<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html
<tlr> adjourned