See also: IRC log
http://www.w3.org/2007/05/23-wsc-minutes
MEZ: from last conf call not f2f
... minutes are approved
MEZ: done some cleanup on the action items
... no issues ...
... some closed due to inactivity
... no issues with closed actions
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0027.html
MEZ:today we will be finishing up the lightning discussions and discuss about action-177 that thomas would lead ...
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0017.html
MEZ: we will add threat tree discussions to agenda
<Mez> http://www.w3.org/2006/WSC/wiki/TrustedBrowserComponent
MEZ: Trusted Browser Component will be discussed in the lightning discussions today
rachna: describing an interface to an mutual
authentication protocol ...
... proposal requires users to login to a trusted component in the browser
...
... goal is to make sure credentials are not transferred outside of the
...
... browser and to capture user intent to login to a site, even when they
...
... don't know they are at the wrong site ...
rachna: assumptions are being discussed
... discussing expected user behaviour
for reference:http://www.w3.org/2006/WSC/wiki/TrustedBrowserComponent
comparing with Verisign's Seatbelt
rachna:Verisign seatbelt is an add-on that
has a spoofable red/green ...
... indicator to indicate whether user is at the correct openID site. This
...
... proposal is similar only in that it allows user to know whether they are
...
... at a site they have been to and approved before ...
johnath: how it would it related to PII
rachna: There are some abstract ideas that
may overlap...
... in particular both proposals try to inform the user that they are ...
... at the same site they have been to and trusted in the past, but ...
... using different interaction techniques.
<Mez> I think our proposals/recommendations will/should be mergingmore as we go forward
<Mez> I want to start categorizing, moving pieces around, etc.
<Mez> some are about displaying information, some about input, some about making displays non guessable
rachna: requesting feedback from the group
chuck: this kind of proposal is very
constructive. Issue is whether it should be at browser level or at the OS
level...
... to make it a broader way to work across applications
... comparing with CardSpace - wondering if we view this as 2 separate
proposal - one at OS level and one at browser level...
rachna: OS/Platform are out of scope currently so need to see how we can address this
tlr: there are kernel-level http daemons, but that doesn't make http a system-level spec, OS does enable certain features in browsers, but this is definetely not a charter to deal with OS level
stephenf: proposal is quite resonable and could be done in a way that's generically useful
johnath: replying to chuck's question about in scope or not
<tlr> +1 to johnath
johnath: cardspace is impl at system level and that's great but it's probably not good to spend time on it but concentrate at browser level
hal: seems like there are bunch of proposals, good idea but isn't it at the same level of a new protocol out of scope like a OS
<Chuck> I was more concerned with the implied constraint that this is a recommendation for browsers only. If we can abstract this as guidance that could be implemented at any level, then I believe we will be offering more useful recommendations.
hal: the proposal needs a new shared secret that servers don't do today...
<stephenF> Doesn't tlr supportt session re-init?
<PHB2> The real issue in my view is not where it is implemented but whether it is designed in such a way as to be easily digestible at the platform level. It is entirely possible to implement CardSpace without using the secure desktop, the CardSpace design on XP is not as integrated as Vista, on linux it might not be integrated at all
hal: so it requires new changes
<tlr> chuck, I think we're aiming for that abstraction level
phb: can it be something simple enough that can
later be extended to OS level. designing something that's small enough and
bound enough - the advantage with web is that it satisfies this requirement -
same as JS
... looking at cardspace to extend it to payment system
tlr: question- do not understand what trust it's adding, logging into a browser is not necessarily be a good thing as we might not want the password to be shared with a client.
<PHB2> ANother parallel here would be the SiteSeal that VeriSign uses to represent a secure site - most other CAs have a similar program. The SiteSeal is content and thus inevitably spoofable. But we have been proposing browser extensions to support site seal in the chrome for over a decade now - that is where logotype came from originally.
tlr: probably better to define best practices for presentations so browsers can pick up and implement those
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0017.html
<scribe> ACTION: rachna to expand on the proposal and incorporate today's discussions [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action01]
<trackbot> Created ACTION-257 - Expand on the proposal and incorporate today\'s discussions [on Rachna Dhamija - due 2007-06-13].
<rachna>
MEZ: need to figure out where to go next with Threat trees
rachna: walk through the list and find out
what's useful
... requesting thomas's view on usecases and how these apply to them
<rachna> thoma: threat trees should be there own document and not be in the critical path of getting the note done.
tlr: suggestion to keep it separate as a companion document but donot put threat trees into the critical path for use cases. They are more useful technically but probably should not be in the critical path
<stephenF> tend to agree with TLR
<Chuck> I will put in a vote that the threat trees are useful. I also believe that the refinements to the threat tree Wiki page have made this much more useful. We need this to justify why we are making any recommendations to improve Web Security Context.
johnath: threat trees aren't something that's guiding people might be a wrong statement. threat trees does help as an excercise to understand real world example/threats and help in trying to mitigate threats that bad people can insert.
rachna: agrees with jonath
<Zakim> Thomas, you wanted to ask what this mean in terms of the note
tlr: threat trees are useful excercise but what is the right time for them ?
<johnath> urr - only spelled properly
tlr: still feels they would mostly be useful as a companion note as part of the recommentations
<Zakim> johnath, you wanted to rpely to thomas
johnath: fair point. it's about justifying recommendation. seems like available security information and usecases might influence the docs.
<Chuck> Well said!
bill-d: threat trees also help to find out what's missing
<johnath> thomas - agree
<johnath> (I won't q+ to say so, but agree)
<Mez> I'm beginning to hear that a concrete proposal about exactly what to put into the note on threat trees might fly
<Audian> i agree
tlr: if we can convert the threat trees into something presentable that might be useful
<Mez> could be the threat trees, or just a pointer to the wiki, or some simplified version
<Zakim> stephenF, you wanted to say that we'll always miss threats ; later is better
<bill-d> Bill-d Threat tree will help define items in scope and recomendations for items out of scope
stephenF: don't think it's useful yet but might be later
mez: asking for volunteers to take the proposal and expand on it
<Mez> yes, the list is easier to read and understand
<Mez> it has a more natural language, less formal structure
johnath: threat tree is relatively complicated looking text. whether it makes sense to include without recommendations.
<tlr> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
johnath: if we put them in the recommendations
text, how are we going to wrap it in the text.
... if we think it's valuable info and incl in the draft of the
recommentation instead of note, what it should look like in the draft.
tlr: we can do additional notes to publish new material that is useful. would rather see threat trees as one of those notes
<stephenF> if threattrees is its own note, there will be an issue later about whether the references to that from the rec, are normative or informative
<stephenF> +1 on that: if pointers to vuln DB appear in template, that's good
<johnath> Mez: that's a whole other call, and I'm telling my HR contact about you. :)
tlr: happy to define a template that links to the draft if that's useful
<stephenF> http://cve.mitre.org/ is the DB I'd use btw
MEZ: formality of threat tree is still confusing...
MEZ: how to link to the recommendations we are woring on
johnath: some in the list are not in the threat tree yet. May be helpful to explain them more so we can link to them from the recommendations saying which attack/threat it;s addressing
<tlr> "References to ThreatTrees or vulnerability databases will be useful, but not required."
johnath: would that presentation be more appropriate to include
<johnath> fine by me
<johnath> rachna?
<rachna> fine by me.
<stephenF> +1 to tlr (whatever he said:-)
thomas I would need your help to write that out :-)
<stephenF> +1 to whoever just said whatever he said
<tlr> accurate
<tlr> thomas: Put the sentence I said on IRC above in there, it's not critical path for FPWD, but we'll do it later. Meanwhile, refine stuff in Wiki.
<Chuck> It's nice to have an interpreter :-)
every one agrees that threat trees are useful for people reading recommendations
<scribe> ACTION: Rachna to create template out of Threat Trees (with sample threats) [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action02]
<trackbot> Created ACTION-258 - Create template out of Threat Trees (with sample threats) [on Rachna Dhamija - due 2007-06-13].
<tjh> sorry - have to leave for another meeting. Cheers
chuck: trying to clarify traditional defintion of threat. what;s really imp and inscope of this group is what's the vulnerability to user, what protocol to use, etc. probably we shoudl work in terms of mapping threats to vulnerabilities. more interested in seeing vulnerability aspect of threats.
<PHB2> attacks are useful as a means of working out vulnerabilities
<PHB2> A vulnerability is a higher level of abstraction
bill-d: wanted chuck to explain more on what he meant by vulnerability?
<stephenF> A vulnerability exists without an attacker
chuck: webpage can have a form entry for XSS, pad lock in browser not working, weaknesses in the user-agent that help in exploiting attacks
bill-d: how to present information available so the user can make better decisions based on the information we have.
<PHB2> StephenF, I would call a situation in which an attacker employed an attack as an incident.
tlr: is there something concrete in terms of possible changing threats ?
<stephenF> A vulnerability can also be important if its triggered as a side-effect of something else
chuck: tie the recommendation to
vulnerabilities in the system. vulnerability can be significant only if there
is a threat to exploit it. so if we can come up with the threat tree for
which we will develop recommentations.
... vision I have is to come up with recommendations for vulnerability and
vulnerability is not interesting unless it has a credible threat against
it
rachna: no body is taking actions to take the threat tree and tie them up with vulnerabilities
<Chuck> Again, this is not an AI, but a process that we follow in getting to credible recommenations.
<tlr> the template update is done, indeed
<Chuck> Glad to play a support role.
tlr: wants to close old and undone actions
mez: will take care of them - aked thomas to send email with them
<tlr> ACTION-173 to be closed; moot
mez: close some recommedations and prepare for some demos
<Zakim> Thomas, you wanted to check in briefly on state of some edits
tlr: new template in the wiki, people might want to revisit to make edits
tlr: to close action 258 and open a new one with more information
<tlr> ACTION: rachna to work with Stephen, Chuck to revisit threat trees; work out process to join them to substantial work [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action03]
<trackbot> Created ACTION-259 - Work with Stephen, Chuck to revisit threat trees; work out process to join them to substantial work [on Rachna Dhamija - due 2007-06-13].
<tlr> rachna, hope that's the right action item
<tlr> if not, please fix it