Web Security Context WG Teleconference
20 Jun 2007


See also: IRC log


MaryEllen_Zurko, Thomas, staikos, Tyler, anil, yngve, rachna, luis, maritzaj, audian, PHB, Chuck, serge
Tim_H, Bill_D, Bruno_vN, Shawn_D, Johnathan_N, Mike_B, Jan_Vidar_K, Paul_H



Approval of minutes

Approve minutes from last meeting

<tlr> http://www.w3.org/2007/06/13-wsc-minutes

meeting minutes approved

<Mez> does anyone have issues with the recently closed action items?

inactive action items

<tlr> MEZ: ACTION-191 probably moot

<tlr> MEZ: ACTION-216 probably taken care of, anything missing?

<Mez> I close some items as inactive due to no due date on them

<tlr> Tyler: ACTION-192 -- don't think I can take up another proposal

tlr: Tyler, can you tell me about the complexity of the proposal

<staikos> no

<staikos> yes

<Mez> hahahaha

anil: tlr, u r audible but can u please pen what you just asked as a question to the group

<Mez> what was it you were trying to say staikos?

<staikos> yes and no

<Mez> to one question or two????

tyler: can't handle the testing and ??? of two proposals

<staikos> two one :-P

<staikos> no?

tyler: would like to leave the action items for some more time and Mez has issues with due dates not updated if the person has no time to deal with it.

mez: action items that were inactive have been dealt with

Agenda bashing

checking in on current state of document

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0157.html

<Mez> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals

<rachna> I do

Mez: it will be nice to know if people are planning to iterate on proposals that are not templatized yet (did not make it into the 1st draft)

<tlr> RecRevisitingPastDecisions

yngve: will work on my proposal (secure page proposal) but had some other stuff in the past 2-3 days

Mez: may send out a mail summarizing
... it is important to carry forward
... any proposals/comments for the 1st draft

Recommendations sections discussion

mez: tyler on PIIEditorBar

<Mez> http://www.w3.org/2006/WSC/drafts/rec/#piieditor

<Zakim> Thomas, you wanted to ask whether shawn knows about this

tyler: abandoned the wiki version to aid Shaun and (??? and which version are u going to use)

Mez: tyler, i would like u to lead us on the PIIEditor

<tlr> you type "+1"

tyler: anybody new to this? Can u raise hands

<Mez> I read the previous draft

<tlr> or sth like that

<tlr> I also read the previous one.

<Mez> and I was around for the lightning discussion

tyler: mez and tlr have read the previous drafts and others are new.
... i will walk thru. should I?
... (please fill in your details here plz)

anil: can I have the uri where tyler is discussing?

<tlr> http://www.w3.org/2006/WSC/drafts/rec/#piieditor

tyler: when you come to a web site, you want to be sure about the string that you are going to type into

<Mez> who do we have here that's pure usability? Audian, others? Any comments on input field in the bottom of the browser chrome? (if I understood Tyler rightly)

anil: tlr or tyler can you summarize what tyler is talking now later for the final minutes

Mez: anybody here with UI experience?

<Mez> staikos, this is early discussion. it's the time to bring out concerns, and what deployment experience we'd need

<tlr> tlr: strikes me as similar to some terminal-based applications; 3270 terminals in particular, but also other apps

<Mez> chat clients do have input at the bottom of the window

<staikos> safari has to statusbar

<tlr> tyler: most important part is to take data entry outside content area

tyler: it is better to get the input area outside the content area

<Audian> safari has a cool way of 'folding down' a form field (from the top of the page)

<Mez> I'm wondering if there are interesting interactions if you hang a pull down onto the bottom of a window; just another thought

<staikos> that's a mac-general thing

<Mez> I recognize that this is a nit

<staikos> for messageboxes

tyler: any Qs before I walk in thru various use cases
... section: bootstrap scenario

<Zakim> Mez, you wanted to ask about attention keys, here and in safe browsing and to ask about looks like searches, and to see what happens when I put myself on queue twice

Mez: Q1: how will u motivate users to use the PII bar?

<rachna> attention sequences and safe browsing mode switches are interesting things to test in a study. There are no studies on this.

tyler: I am trying to motivate the users to use it. They will be more comfortable in using the PII bar to get to their bank over other mechanisms.

<staikos> CTRL+ALT+DEL is my favorite :-P

<serge> actually, I think there have been studies on that,

<PHB2> There is testing experience, it is just not public

<serge> hang on, there's one I'm thinking of

<PHB2> And the criteria under test is not necessarily whether it enhances security

<Mez> Phil, that's good to know, but not very helpful, unless we can use it

<PHB2> Rather it might be whether it sells the product

tyler: I do not need an attention key such as ctrl-alt-del but rather a key that the browser knows that the PII needs to be activated

<serge> ...looking for a URL

<staikos> I agree with PHB2
PHB2: MS has changed the attention seeking sequence (c-alt-del) in Vista

<rachna> I am confused. Is it ok if a user types their CC# into a spoofed PII bar (e.g., in the content of the website)?

tyler: in bootstrap mechanism, they have a choice of working with prior set up relationships

<Mez> staikos, ctrl alt del takes me back to orange book vmm security, so it's a bit of a nostalgia trip for me

tyler: CC# will not be entered into the PII bar but I am expecting the PII bar to already know my CC#. A spoofed PII bar is not expected to know my cc#

<rachna> I see. It will be interesting to test this type of safeguard.

<serge> This is what I was thinking of: http://www.courtneymoskowitz.com/chameleon.html they did some user testing on switching between security modes

<Mez> nice; tx serge

anil: I wonder if an analogy can be drawn to cardspace

asaldhan: looks like PHB mentioned the same

<rachna> serge, can you add that ref to shared bookmarks?

<tlr> yep. I think PHB's problem can be solved elsewhere.

<staikos> tyler, it's called .Mac :-)

<Chuck> What about the problem that plagues all forms capture tools--namely that your browser is storing lots of sensitive info along with who you submit this info to, and this becomes a new vulnerability. An attack on the browser (which is exposed by being the tool you use on the Internet) can result in serious exposures of PII.

<serge> yeah, sure, I'm updating the shared bookmarks right now anyway

<PHB2> how do

tyler: Firefox and other browsers (possibly) are working on users moving their bookmarks (and other custom information) across computers

<PHB2> how do I log into .mac without being spoofed?

<serge> I don't have the paper in front of me, so I can't really summarize the results. The full thing is in the Usable Security book

<PHB2> If I can do that I can log into OpenID

<Mez> in telling us why it was interesting, you gave the summary that's needed in sharedbookmarks

<Mez> that's all you need; the reference, and a line on why we care

<Mez> "user testing on switching between security modes" and that's an aspect of several of our proposals

<serge> I think the book might be on my desk, I could add a bit more

<Mez> even better!

<serge> right, but the summary should probably mention the results

yngve: Do we know what type of data that is going into the pii bar?

<serge> e.g. "they found that users don't understand the different modes"

<Mez> better to have it in with not enough data than not have it in at all. since it can be added to later. But either way, whatever you can do is good

tyler: for now, it is data strings
... most pii identifiers are recognizable by humans

<Mez> tlr, we should track those kinds of things. who we request reviews from.

tyler: drop down of telephone number, email address etc

<serge> is there any conceivable order in the shared bookmarks? or should I just add to the end of a relevant section?

<Mez> tlr, here is good to track things like that

<Mez> http://www.w3.org/2006/WSC/wiki/RecProcess

<Mez> please add it there

<Mez> the review part, not the discussion/concern part

<rachna> serge, the shared bookmarks is getting long enough that we should impose some order. it is hard to find what is there.

tyler: the good thing about the PII bar is that the user tells the browser that it is ok to store this particular information
... no need for either the site or any popup to confirm

<Mez> I've had problems finding stuff in the sharedbookmarks, as you saw in the f2f!

tyler: chuck wade 2 months ago did a study that users were using password managers rather than typing in password on banks' websites

<rachna> is there a reference to the study that Tyler mentioned on current use of password managers at bank websites?

tyler: it may be better to continue with Mike McCormick on this Topic

Chuck: Banks have considerable concern that they are dealing with not humans but some robot (Pwd Manager) that has entered the password

<staikos> how do you ever solve that? Find NP-complete problems for the user to solve in order to log in?

Chuck: There are reports of attacks at forms database in browsers.

tyler: first concern: banks want to know that password is obtained from user action

<staikos> Even more, why attack the form database when the connection is more weakly encrypted? At least it is in KDE.

tyler: Answer is that user chooses the information from the PII bar and only then will that information get into the text box on the site

<staikos> The connection is easier to capture and easier to break -> no point in attacking the db

tyler: Concern: we are building a database of information.
... Valid concern. The DB exists on the computer but not in order. The information will be on the browser cache.

<Mez> while I agree with a lot of what you say staikos, I've been wondering about the "logic" of attacks lately

<staikos> If the information is in the browser cache, there are big problems. However it definitely is in the VM somewhere

anil: (Tyler, could you please add some information on this concern about the DB storing information)

<Mez> we've been hearing about federal concern about directed attacks to add trap doors to products

Chuck: I just wanted to add this concern to the discussion.

<Mez> and I wonder why organized crime does that

<Zakim> Thomas, you wanted to note that there's a lot of work on forms and that we'll have to consider the interaction

<Mez> instead of just pumping the vulnerabilities

<staikos> Mez: backdoors distribute better

<Mez> what does that mean?

tlr: have we considered relationship between this proposal and work on xforms, xforms-transitional

<staikos> Mez, the manufacturer ships the software to all their customers for you, and the binary isn't further modified. It can't get any better

<Mez> I see; longer lifetime, more even distribution

<staikos> yeah

<tlr> http://www.w3.org/2007/03/XForms-Transitional/

anil: (yngve, can u please type in ur comment)

Mez: can u please get to the conformance section?

<Chuck> Actually, there are some authentication mechanisms that are much better for "liveness" testing (in response to Yngve)

tyler: anyone having any doubts on the use cases, please post to the list and I can answer. We need to build a consensus

<yngve> It may be impossible for the banks to find out if they are talking to a flesh and blood human.

<Mez> Chuck, aren't those CAPTCHAs and the like?

<tlr> on captchas: http://www.w3.org/TR/turingtest/

<yngve> Even CAPTCHAs are losing ground

<tlr> Inaccessibility of CAPTCHA / Alternatives to Visual Turing Tests on the Web / W3C Working Group Note 23 November 2005

<PHB2> CAPTCHAs are bogus: http://dotfuturemanifesto.blogspot.com/2007/06/end-of-captcha-hardly.html

<Chuck> Captchas are one technique, but OTP tokens are another. Also, most biometric schemes have a strong liveness characteristic that can be leveraged.

<serge> I have another meeting to get to. ta.

<staikos> mmmm token bundles. I'll be doing more banking at the teller in the future I think :)

<Mez> tellers need job security too!

<staikos> Mez: they'll have to type in a captcha each day when they arrive at work?

<staikos> or just carry a token?

<Mez> hey, they're paid to authenticate themselves :-)

<Mez> I carry my badge to work every day

<Chuck> Tyler, you may also want to include the use case where the site owner changes, along with its name. This is not a fringe case, given the M&A activity in the financial industry.

<tyler> Thanks Chuck I'll write that one up. The proposal does indeed support this use case

<rachna> Tyler, I added a skeleton proposal on "Drop the URL bar" proposal to the wiki, in case that makes it easier to fill out the content.

<tlr> yngve, can you please put the URI into IRC?

<tyler> Rachna, it's mostly the testing and implementation work that's scaring me off. Are you interested in that?

<yngve> phil might want to consider this in his discussion about ev http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev

<staikos> that's quite the title

<tlr> tyler, there's a reason why I said we shouldn't expect everybody who brings up a proposal to be able to implement it.

<tlr> mez, are we expecting to meet on July 4?

<rachna> tyler, I agree with tlr.

<PHB2> I don't plan to attend on July 4

<tyler> I sure hope not

<staikos> yes they do

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.128 (CVS log)
$Date: 2007/07/01 14:21:46 $