WSC WG Weekly
27 Jun 2007


See also: IRC log


Present: MaryEllen Zurko, Thomas Roessler, George Staikos, Phillip Hallam-Baker, Jan Vidar Krey, Yngve Pettersen, Chuck Wade, Tyler Close, Johnathan Nightingale, Hal Lockhart, Luis Barriga, Bill Doyle, Mike Beltzner, Rachna Dhamija
Regrets: Tim_H, Bruno_vN, Audian_P, Dan_S, Shawn_D, Maritza_J, Serge_E
Scribe: staikos, chuck




Mez: George [Staikos] is scribing today
Mez mentioned recent experience scribing for a call, and that it can be challenging
... so, appreciates George very much

minutes approval

<TLR> http://www.w3.org/2007/06/20-wsc-minutes.html

<TLR> so approved

Mez: Minutes from June 20th meeting approved

action item review

Mez: No actions closed due to inactivity

<TLR> ACTION-237 completed successfully; no actions at risk.

Began "agenda bashing" discussion. It was suggested that we get someone to brief this group on the recent TIPPI workshop.

<jvkrey> http://crypto.stanford.edu/TIPPI/

PHB: Burt Kaliski and Dan Boneh are the workshop organizers/leaders

<Mez> Please discuss the TP Day agenda during one of your near-future Group calls, and start a discussion on your mailing lists. Provide your Group's input by 13 July 2007 to the Tech Plenary discussion list ...

<Mez> -- mailto:member-techplenary@w3.org

<Mez> This list is also archived at...

<Mez> -- http://lists.w3.org/Archives/Member/member-techplenary/

<Mez> ... and is Member readable and writable.

<Mez> Feel free to provide input on agenda topics (e.g., future of (x)HTML(n), video on the Web, efficient XML, etc.), or on the format for sessions (e.g., panels, demos, lightning talks, etc.). Think about topics that would have appeal to a wide variety of W3C folks.

<johnath> Sorry Mez, I missed a snip of that at the end - did you say you will start this conversation by email?

johnath: my browser doesn't work, so is there anything we want to get on the agenda?

TLR: forward ideas directly or channel through Mez or TLR

Mez: not me
... updates from tyler and thomas on what to do before last call
... which groups should we liaison with? now is the time...

Mez initiated discussion of what needs to be done prior to last call. Also, what other groups should we ask to review our document or liaise with.

Tyler: controversial items: list of security information - more data needed
... use cases don't provide basis for explanation and evaluation

Mez: Asks for more information and clarification?

TLR: Yes, there is info to add, but don't want to block on that for last call

<johnath> none from me - I think it captures the things I've considered in my recs

Bill Doyle: We could go over the [use cases] again

Tyler: I took out 'exhaustive' keyword
... at f2f felt that people felt that this section was woefully incomplete
... with a list, I could add them myself
... doesn't claim to provide -all- information, just a limited list of what's in scope

Bill D: takes action to review it this week (tomorrow)

<TLR> ACTION: Bill to review list of security information this week [recorded in http://www.w3.org/2007/06/27-wsc-minutes.html#action01]

<trackbot> Created ACTION-263 - Review list of security information this week [on Bill Doyle - due 2007-07-04].

TLR: does not understand the meaning of some items in there
... maybe we need to expand on it

Tyler: I need to know specifically which items are at issue

TLR: will send a list

Tyler: do we need to rework the use cases for something that is easier to build recommendations off of?

Johnathan: I don't like to bring up threats when I don't have a solution [to offer]

Mez: we're not specifically requesting threats/responses information, what we have is in the Wiki and informal

Johnathan: It's weak to say in use cases "this applies to all use cases"

<Mez> the top of the template says:

<Mez> All sections are required for FPWD. Use your best judgement on filling them with appropriate content.

<Mez> I thought the latter would be enough room for people to say in totally inappropriate sections - not applicable

TLR: Johnathan, I agree on robustness, but, for example, the fullscreen usecase might be something to cover

[Ed: if I understood TLR correctly]

Mez: Not everything we cover needs to be in use cases

<Chuck> Does it help to address "vulnerabilities" as a more specific topic than the broader and more ambiguous topic of "threats"?

<Rachna_> "Full screen mode" is currently not one of our use cases or in our list of attacks.

<Mez> Rachna, shouldn't that be there? is it just a matter of adding it?

<TLR> Rachna, indeed, that was my point. Some of the robustness things might specifically *not* be useful in such a context.

Mez: checklist is good but not mandatory

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0188.html

Mez: threat tree is a reference - agreed to at f2f

<rachna_> http://www.w3.org/2006/WSC/wiki/ThreatTrees

<Chuck> Part of the problem is that "attacks" are constantly evolving.

Tyler: Suggested postponing discussion until next meeting in 2 weeks?

<rachna_> Bill and Tyler, IMO, we should label branches that are out of scope or move them to a different section, rather than deleting them, so that people know that we are aware of them.

<tyler> rachna, that sounds good

George Staikos: I am being distracted by various interrupts. I am having difficulty scribing the conversation.

<Chuck> Ok, I'll fill in

<TLR> ScribeNick: chuck

<TLR> thanks Chuck

Mez: Put out call for liaisons with other organizations.

<rachna_> Digital PhishNet is Microsoft's version of APWG - they have law enforcement membership (FBI)

Mez: Anything else for last call?

<hal> Thomas did you get the name of that group mentioned yesterday that we should liaise with?

<TLR> Hal, I guess the closest there is to "the group" would be Project Concordia or Liberty Alliance as such.

<rachna_> other potential orgs to liaise with: IETF, gov agencies (FTC, FDIC/FFIEC)

letterhead discussion

Mez: Moving to discussion of Secure Letterhead, handoff to PHB

<Mez> http://www.w3.org/2006/WSC/drafts/rec/#letterhead

PHB: Secure Letterhead provides a secure means for cryptographically binding logos to the cert and also for associating the cert with the actual parties. Secure Letterhead is based on established standards, primarily from IETF. Also existing industry practices from cert issuers (e.g., VeriSign) support these mechanisms.

PHB: Secure Letterhead can display issuer logo as part of browser chrome. Can be used with DKIM as well. This allows email clients to display DKIM cert info and issuer logotype when presenting email message to user.

PHB: Three types of logotypes: subject, issuer, and "community." Community logos are meant to imply membership or accreditation; goes beyond issuer's representations. Any display of logos needs to be accredited in some fashion. Phillip plans to make a proposal to CABForum that will represent a baseline for presenting logotypes.

<Mez> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl

Mez asks PHB about conformance language; observes that this appears to be missing from draft of Secure Letterhead proposal

<Mez> Requirement | Good Practice

<Mez> The statement against which we expect an implementation to declare conformance. Requirements correspond to a MUST, Good Practices correspond to a SHOULD

PHB expanded his comments on conformance language, introducing "may," "should," and "must." He also noted some concerns about trademark issues that relate to graphical images. Probably should reference CABForum as a source of requirements.

Tyler raises questions about passive indicators in chrome, given that all studies seem to show marginal benefit.

PHB: This is probably not your first line of defense in phishing. One use of logotype certs provides a tie-in to other solutions, like CardSpace, which can introduce more active controls with proper indications to users. Went on to note that this can also be used in a customer support context, and provided an example of a telephone dialogue with a customer support rep, who might ask the customer what their browser is currently displaying. Customer support is a major cost for financial institutions, and so this may help improve impact on customer support resources. Phillip went on to indicate that usability tests need to be considered in a broader context that reflects months of use, and familiarity, as well as training.

Johnath: Difficult to provide meaningful feedback on this document without the conformance language—i.e., what does it mean to have a compliant implementation? As an example, can this be implemented in secondary chrome? Without this context, it is difficult to assess the concreteness of this proposal.

Johnath: Example, can this be implemented in secondary chrome? Concreteness of recommendation is difficult to assess.

Mez: Asks PHB to take action to update proposal to comply with all template sections.

<TLR> ACTION: hallam-baker to complete secure letterhead template [recorded in http://www.w3.org/2007/06/27-wsc-minutes.html#action04]

<trackbot> Created ACTION-264 - Complete secure letterhead template [on Phillip Hallam-Baker - due 2007-07-04].

PHB: added that "accessibility" issues have been a concern with this, and other high visibility features

PHB: noted that tech specs for logotypes can include alternative info, such as sound recordings (sound bites or audio files). However, it might be better to have browser read out cert info [to someone who is visually impaired].

<Zakim> Thomas, you wanted to note there's sound trademarks

PHB: Further noted that there are no specs yet for how to display community logotypes. There are also unknowns as to how an issuer vouches for the community logo. This could have major issues with liability for issuers.

<Mez> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Letterhead

<Mez> thank you phb

PHB: Observed that a section on accessibility is included in both template and proposal.

TLR: expressed a concern that we may need to dig into the accessibility issues further. For example, how screen readers [for visually impaired users] present information on security.

PHB: responded to Thomas by noting that it is difficult to require subjects to include audio logos, but they can be required to provide an X.509 distinguished name, which can be audibly read out to a user.

Yngve provided reference to use of sound bites from the [Sci-Fi] literature

<yngve> Science fiction reference was to L. E. Modesitt Jr. book "Flash"

<yngve> background is that "Rez" chords are used for product placement/trademarks.

Synopsis of 3rd TIPPI Workshop

Mez: Asked Rachna if she could provide an update on TIPPI. She agreed to cover this topic today.

<rachna_> http://crypto.stanford.edu/TIPPI/

Rachna gave a bit of background on the TIPPI Workshop. She considers it to be one of the best conferences addressing this problem space due to its focus on practitioners [not too academic].
Yahoo presented overview of their solution, and PassMark presented their sitekey technique. Rachna gave a talk on usability testing that addressed limitations of SiteKey. This led to a debate/discussion of the benefits of SiteKey-like techniques based on these three presentations. Bank of America's position seems to be that SiteKey is useful because it has helped to increase user confidence in online banking, and that users like it.

PHB: Questioned value of "increasing confidence" of users. If you don't actually deliver improvements, then confidence can also be eroded. One of the consequences of things like SiteKey is that you disrupt some of the users' assumptions, and complicate the social engineering issues.

Rachna added that users have not been trained what to do when they don't see their SiteKey.

PHB: investments in technologies (like SiteKey) may have become an impediment to a realistic assessment of their effectiveness.

Rachna continued with topics from TIPPI. Malware papers were delivered and discussed.

Rachna noted that ethical testing questions were discussed, and Tyler asked for clarification as to how this affects in-the-wild testing. Rachna noted tradeoffs between qualitative and quantitative data

Rachna (someone?) presented a paper on malware that hijacks sessions on the user's machine, and proposed some possible countermeasures involving VM-based approaches.

TLR: observed that malware attacks are a growing concern to European banks.

Rachna: A U of Indiana researcher proposed a counter-measure that would have the browser send history information to a relying web site. This was viewed as controversial.
In summary, Rachna observed that the sense coming out of TIPPI 3 is somewhat depressing. There's not much progress to report, while problems continue to grow.

Tyler: asked about clarification on malware vs. phishing. Rachna observed that phishing attacks are becoming much more intertwined with malware attacks. There are lots more types of attacks, in part, because of new techniques leveraging malware.

Tyler: is looking for insights into what distinctions we might be able to lean on in our work.

Rachna: agrees with Tyler that these do lead to important questions of scope. The goals of the attackers are the same, independent of their approach.

TLR: noted connection between root kits and higher level security models. (Ed, having a hard time hearing TLR's editorialization)

Johnath: Refers to APWG stats that show increases in and evolution of phishing attacks, but wonders about actual losses and whether there is data on how effective phishing attacks really are. Rachna observed that FIs tend to be very discreet about actual loss rates, so this information is not generally available.

Chuck: Aside, APACS in the UK is one of the few official sources for fraud loss rates. (ref: www.apacs.org.uk)

Johnath: Raises question of whether or not there are incentives to keep reporting on how big the phishing problem is, but not how effective the attacks really are. Could effectiveness be decreasing?

Beltzner: raised similar question about effectiveness of phishing attacks. Do takedown measures help? What is effective seems to be vague. We know black/white lists are not terribly effective, but do they help at all? Rachna agrees that this is a very important set of questions, with few answers readily at hand.

PHB: adds that concrete data is hard to come by. The losses are also in the operational costs to reverse fraudulent transactions. The cost of back end and customer support is what really concerns the banks. Banks imply that they are making more money on online banking and they have more users on online banking. Fraud is not currently the biggest concern with online banking, but the fraud rates are rising fastest in this area.

<johnath> +1 to tyler's question, and anyone who could answer it

<Mez> thomas, this was the last question, sorry

Tyler: we should be evaluating our recommendations and proposals in terms of impact on customer support calls and costs. Do we have any figures on the magnitude of these problems?

Rachna: does not have references to data, but it seems like an important consideration

<rachna_> Mike, this is one public analysis I have seen on website takedown on phishing (It doesn't answer your question though): http://www.cl.cam.ac.uk/~rnc1/weis07-phishing.pdf

TLR: suggests that we consider this as a topic for future discussion and feedback.

Rachna did plug the work of WSC at the TIPPI conference—way to go!

next meeting

Mez: Brought meeting to a close. Noted that there will not be a meeting next week due to U.S. Holiday.

Summary of Action Items

[NEW] ACTION: bill to review list of security information this week [recorded in http://www.w3.org/2007/06/27-wsc-minutes.html#action01]
[NEW] ACTION: phillipp to complete secure letterhead template [recorded in http://www.w3.org/2007/06/27-wsc-minutes.html#action03]
[End of minutes]