WSC WG weekly
6 Jun 2007


See also: IRC log


Praveen Alavilli,
Rachna Dhamija,  
Mike Beltzner, 
Jan Vidar Krey, 
Yngve Pettersen, 
Johnathan Nightingale,
Stephen Farrell, 
Hal Lockhart, 
Chuck Wade, 
Bill Doyle, 
Maritza Johnson,
Thomas Roessler,
Phillip Hallam-Baker,
Mary Ellen Zurko, 
Tim Hahn,
Mary Ellen Zurko



approving last meeting's minutes


MEZ: from last conf call not f2f
... minutes are approved

Newly Completed Action Items

MEZ: done some cleanup on the action items
... no issues ...
... some closed due to inactivity
... no issues with closed actions

Agenda Bashing


MEZ: today we will be finishing up the lightning discussions and discuss action-177 that thomas would lead ...

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0017.html

MEZ: we will add threat tree discussions to agenda

<Mez> http://www.w3.org/2006/WSC/wiki/TrustedBrowserComponent

MEZ: Trusted Browser Component will be discussed in the lightning discussions today

Trusted Browser Component

rachna: describing an interface to a mutual authentication protocol ...
... proposal requires users to login to a trusted component in the browser ...
... goal is to make sure credentials are not transferred outside of the ...
... browser and to capture user intent to login to a site, even when they ...
... don't know they are at the wrong site ...

rachna: assumptions are being discussed
... discussing expected user behaviour

for reference: http://www.w3.org/2006/WSC/wiki/TrustedBrowserComponent

comparing with Verisign's Seatbelt

rachna: Verisign seatbelt is an add-on that has a spoofable red/green ...
... indicator to indicate whether user is at the correct openID site. This ...
... proposal is similar only in that it allows user to know whether they are ...
... at a site they have been to and approved before ...

johnath: how would it relate to PII

rachna: There are some abstract ideas that may overlap...
... in particular both proposals try to inform the user that they are ...
... at the same site they have been to and trusted in the past, but ...
... using different interaction techniques.

<Mez> I think our proposals/recommendations will/should be merging more as we go forward

<Mez> I want to start categorizing, moving pieces around, etc.

<Mez> some are about displaying information, some about input, some about making displays non guessable

rachna: requesting feedback from the group

chuck: this kind of proposal is very constructive. Issue is whether it should be at browser level or at the OS level...
... to make it a broader way to work across applications
... comparing with CardSpace - wondering if we view this as 2 separate proposals - one at OS level and one at browser level...

rachna: OS/Platform are out of scope currently so need to see how we can address this

tlr: there are kernel-level http daemons, but that doesn't make http a system-level spec, OS does enable certain features in browsers, but this is definitely not a charter to deal with OS level

stephenf: proposal is quite reasonable and could be done in a way that's generically useful

johnath: replying to chuck's question about in scope or not

<tlr> +1 to johnath

johnath: cardspace is impl at system level and that's great but it's probably not good to spend time on it but concentrate at browser level

hal: seems like there are a bunch of proposals, good idea but isn't it at the same level of a new protocol out of scope like an OS

<Chuck> I was more concerned with the implied constraint that this is a recommendation for browsers only. If we can abstract this as guidance that could be implemented at any level, then I believe we will be offering more useful recommendations.

hal: the proposal needs a new shared secret that servers don't do today...

<stephenF> Doesn't tlr support session re-init?

<PHB2> The real issue in my view is not where it is implemented but whether it is designed in such a way as to be easily digestible at the platform level. It is entirely possible to implement CardSpace without using the secure desktop, the CardSpace design on XP is not as integrated as Vista, on linux it might not be integrated at all

hal: so it requires new changes

<tlr> chuck, I think we're aiming for that abstraction level

phb: can it be something simple enough that can later be extended to OS level. designing something that's small enough and bound enough - the advantage with web is that it satisfies this requirement - same as JS
... looking at cardspace to extend it to payment system

tlr: question - do not understand what trust it's adding, logging into a browser is not necessarily a good thing as we might not want the password to be shared with a client.

<PHB2> Another parallel here would be the SiteSeal that VeriSign uses to represent a secure site - most other CAs have a similar program. The SiteSeal is content and thus inevitably spoofable. But we have been proposing browser extensions to support site seal in the chrome for over a decade now - that is where logotype came from originally.

tlr: probably better to define best practices for presentations so browsers can pick up and implement those

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0017.html

<scribe> ACTION: rachna to expand on the proposal and incorporate today's discussions [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action01]

<trackbot> Created ACTION-257 - Expand on the proposal and incorporate today's discussions [on Rachna Dhamija - due 2007-06-13].


Threat trees

MEZ: need to figure out where to go next with Threat trees

rachna: walk through the list and find out what's useful
... requesting thomas's view on usecases and how these apply to them

<rachna> thomas: threat trees should be their own document and not be in the critical path of getting the note done.

tlr: suggestion to keep it separate as a companion document but do not put threat trees into the critical path for use cases. They are more useful technically but probably should not be in the critical path

<stephenF> tend to agree with TLR

<Chuck> I will put in a vote that the threat trees are useful. I also believe that the refinements to the threat tree Wiki page have made this much more useful. We need this to justify why we are making any recommendations to improve Web Security Context.

johnath: threat trees aren't something that's guiding people might be a wrong statement. threat trees do help as an exercise to understand real world example/threats and help in trying to mitigate threats that bad people can insert.

rachna: agrees with johnath

<Zakim> Thomas, you wanted to ask what this mean in terms of the note

tlr: threat trees are a useful exercise but what is the right time for them?

<johnath> urr - only spelled properly

tlr: still feels they would mostly be useful as a companion note as part of the recommendations

<Zakim> johnath, you wanted to reply to thomas

johnath: fair point. it's about justifying recommendation. seems like available security information and usecases might influence the docs.

<Chuck> Well said!

bill-d: threat trees also help to find out what's missing

<johnath> thomas - agree

<johnath> (I won't q+ to say so, but agree)

<Mez> I'm beginning to hear that a concrete proposal about exactly what to put into the note on threat trees might fly

<Audian> i agree

tlr: if we can convert the threat trees into something presentable that might be useful

<Mez> could be the threat trees, or just a pointer to the wiki, or some simplified version

<Zakim> stephenF, you wanted to say that we'll always miss threats ; later is better

<bill-d> Bill-d Threat tree will help define items in scope and recommendations for items out of scope

stephenF: don't think it's useful yet but might be later

mez: asking for volunteers to take the proposal and expand on it

<Mez> yes, the list is easier to read and understand

<Mez> it has a more natural language, less formal structure

johnath: threat tree is relatively complicated looking text. whether it makes sense to include without recommendations.

<tlr> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl

johnath: if we put them in the recommendations text, how are we going to wrap it in the text.
... if we think it's valuable info and incl in the draft of the recommendation instead of note, what it should look like in the draft.

tlr: we can do additional notes to publish new material that is useful. would rather see threat trees as one of those notes

<stephenF> if threattrees is its own note, there will be an issue later about whether the references to that from the rec, are normative or informative

<stephenF> +1 on that: if pointers to vuln DB appear in template, that's good

<johnath> Mez: that's a whole other call, and I'm telling my HR contact about you. :)

tlr: happy to define a template that links to the draft if that's useful

<stephenF> http://cve.mitre.org/ is the DB I'd use btw

MEZ: formality of threat tree is still confusing...

MEZ: how to link to the recommendations we are working on

johnath: some in the list are not in the threat tree yet. May be helpful to explain them more so we can link to them from the recommendations saying which attack/threat it's addressing

<tlr> "References to ThreatTrees or vulnerability databases will be useful, but not required."

johnath: would that presentation be more appropriate to include

<johnath> fine by me

<johnath> rachna?

<rachna> fine by me.

<stephenF> +1 to tlr (whatever he said:-)

thomas I would need your help to write that out :-)

<stephenF> +1 to whoever just said whatever he said

<tlr> accurate

<tlr> thomas: Put the sentence I said on IRC above in there, it's not critical path for FPWD, but we'll do it later. Meanwhile, refine stuff in Wiki.

<Chuck> It's nice to have an interpreter :-)

everyone agrees that threat trees are useful for people reading recommendations

<scribe> ACTION: Rachna to create template out of Threat Trees (with sample threats) [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action02]

<trackbot> Created ACTION-258 - Create template out of Threat Trees (with sample threats) [on Rachna Dhamija - due 2007-06-13].

<tjh> sorry - have to leave for another meeting. Cheers

chuck: trying to clarify traditional definition of threat. what's really imp and in scope of this group is what's the vulnerability to user, what protocol to use, etc. probably we should work in terms of mapping threats to vulnerabilities. more interested in seeing vulnerability aspect of threats.

<PHB2> attacks are useful as a means of working out vulnerabilities

<PHB2> A vulnerability is a higher level of abstraction

bill-d: wanted chuck to explain more on what he meant by vulnerability?

<stephenF> A vulnerability exists without an attacker

chuck: webpage can have a form entry for XSS, pad lock in browser not working, weaknesses in the user-agent that help in exploiting attacks

bill-d: how to present information available so the user can make better decisions based on the information we have.

<PHB2> StephenF, I would call a situation in which an attacker employed an attack as an incident.

tlr: is there something concrete in terms of possible changing threats?

<stephenF> A vulnerability can also be important if it's triggered as a side-effect of something else

chuck: tie the recommendation to vulnerabilities in the system. vulnerability can be significant only if there is a threat to exploit it. so if we can come up with the threat tree for which we will develop recommendations.
... vision I have is to come up with recommendations for vulnerability and vulnerability is not interesting unless it has a credible threat against it

rachna: nobody is taking actions to take the threat tree and tie them up with vulnerabilities

<Chuck> Again, this is not an AI, but a process that we follow in getting to credible recommendations.

<tlr> the template update is done, indeed

<Chuck> Glad to play a support role.

tlr: wants to close old and undone actions

mez: will take care of them - asked thomas to send email with them

Next Meeting - Wednesday, June 13th

<tlr> ACTION-173 to be closed; moot

mez: close some recommendations and prepare for some demos

<Zakim> Thomas, you wanted to check in briefly on state of some edits

tlr: new template in the wiki, people might want to revisit to make edits

tlr: to close action 258 and open a new one with more information

<tlr> ACTION: rachna to work with Stephen, Chuck to revisit threat trees; work out process to join them to substantial work [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action03]

<trackbot> Created ACTION-259 - Work with Stephen, Chuck to revisit threat trees; work out process to join them to substantial work [on Rachna Dhamija - due 2007-06-13].

<tlr> rachna, hope that's the right action item

<tlr> if not, please fix it

Summary of Action Items

[NEW] ACTION: Rachna to create template out of Threat Trees (with sample threats) [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action02]
[NEW] ACTION: rachna to expand on the proposal and incorporate today's discussions [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action01]
[NEW] ACTION: rachna to work with Stephen, Chuck to revisit threat trees; work out process to join them to substantial work [recorded in http://www.w3.org/2007/06/06-wsc-minutes.html#action03]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.128 (CVS log)
$Date: 2007/06/17 21:57:22 $