See also: IRC log
<tlr> Scribe: AnilSaldhana
<tlr> ScribeNick: asaldhan
anil
<tlr> +Hal
<tlr> http://www.w3.org/2007/06/27-wsc-minutes
<tlr> RESOLVED: minutes accepted
<tlr> anil, I'm taking care of the topic lines. ;)
<tlr> ACTION-226 done
<tlr> ACTION-240 done
<tlr> ACTION-243 done
<tlr> no issues with any of these?
<tlr> anil, any trouble scribing?
tlr: I am trying to catch what they are referring to
<tlr> anil, just scribe things as much as you can
tlr: can u pitch in here
<tlr> if people are too fast, slow them down
johnath: can u pitch what u referred to
<tlr> johnathan and MEZ both grappling with integrating robustness into spec test?
<johnath> johnath: Question for Mez: I have an action item which refers to integrating robustness recommendations into the doc, but it's unclear how that should happen
Mez: we will categorize into 4 . One of them is robustness. It is difficult to fit robustness into current template. We are trying to figure it out and waiting for editors draft
<johnath> johnath: therefore, I will keep extending my due date until that comes out
Mez: based on my conversations with shawn offline, my statements are valid
Mez: discussion about liaisons
... we also have discussion on "Secure page"
... anybody has to say anything about agenda?
Mez: there are a number of groups that we should work with
... Dan has agreed to work with apwg/fbi, Bruno with omtp, mwbp,etsi
<johnath> Shawn will be on the call - sent a note - running late
Mez: we need volunteers for a few
... any takers for volunteering
PHB2: can volunteer for CABForum
<Zakim> stephen, you wanted to ask about IETF/SAAG and if there's a current-liaisons list somewhere
Mez: put down phill for cabforum
stephenF: is there a link someplace in the wiki for the liaisons
<PHB2> How slow is zakim?
Mez: it is in the agenda.
<PHB2> Sped up now
<tlr> ACTION: mez to put liaison list into wiki [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action01]
<trackbot> Sorry, couldn't find user - mez
Mez: please give me an action item to place liaisons in the wiki
<tlr> ACTION: zurko to put liaison list into wiki [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action02]
<trackbot> Created ACTION-266 - Put liaison list into wiki [on Mary Ellen Zurko - due 2007-07-18].
<Zakim> tlr, you wanted to note that OMA is represented in HCG and to also note there's a generic W3C-wide liaison list
Mez: stephen for IETF SAAG?
<stephenF> not stephen for 3gpp
<stephenF> phew
Mez: cannot take on additional liaison duties. I have enough already
... want help from the team
tlr: what are we looking for from OMA?
Mez: this depends on the person
tlr: what are we expecting from them?
... hcg is the primary mechanism to do that
Mez: tlr lets take it offline
<Zakim> stephen, you wanted to ask about IETF/TAM (could be under AOB either)
<anil> I am from Chicago
tlr: stephenF can u give us an elevator pitch
stephenF: managing trust anchors and protocols associated
... this trust anchor is fit for this and not for that. mainly for x509
a bank can issue client certs to their users. a new protocol. create possibilities of providing ssl certs
<Chuck> Aside: Michael McCormick of Wells Fargo is likely to have direct interest in the IETF TAM topic.
tlr: is it not slotted for the next meeting?
Mez: set it up offline
tlr: I can take it offline. but if u want resolution now, we cannot take offline
Mez: cannot remember the issue
it is resolution
tlr: i agree that there is an aspect of financial services usecase that may not be useful
stephenF: if there is no one from the financial services, then we can defer
<tlr> tlr to attend tam BOF in Chicago, wave WSC flag, report back
<Chuck> Reminder, Michael McCormick has a standing conflict with this group's weekly conference calls.
<tlr> ACTION: roessler to attend tam BOF in Chicago, wave WSC flag, report back [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action03]
<trackbot> Created ACTION-267 - Attend tam BOF in Chicago, wave WSC flag, report back [on Thomas Roessler - due 2007-07-18].
<stephenF> stephen doesn't agree but will do that some other time:-)
<anil> I would like to attend as I live in Chicago
<tlr> stephen, you don't agree with what?
<stephenF> more than welcome anil
<stephenF> tlr - just generally:-)
<johnath> he's very disagreeable
<stephenF> oh no I'm not
<tlr> johnath, we all know that
<johnath> stephenF: :)
Mez: I am going to type in IRC
tlr: not yet arrived
... welcome shawn. middle of liaison discussion
... wonder anybody on the call what aspect of 3gpp we shud be liaisoning
... want to defer this part as dan/bruno unavailable
<stephenF> think dlna is home n/w
<jvkrey> Wikipedia says TISPAN is "Telecoms & Internet converged Services & Protocols for Advanced Networks", part of European Telecommunications Standards Institute (ETSI)
tlr: I want to defer to dan as to what dlna is
... rob and bruno on avail. Lets defer this and move to next item
correction: rob and bruno unavail
<tlr> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage
yngve: lets see how am doing
<tlr> agenda order: WhatIsASecurePage, then wsc-usecases
yngve: goals i am trying to add.
... definitions
Mez: good background.
... am looking for ??? section that will be good
<johnath> Mez - halfway down - numbered list
<tlr> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#head-efe936b22bcb83eed5ffa40cef2335278973f7cc
<johnath> "Proposals for..."
<Zakim> stephen, you wanted to ask if that should be "secure page" or "TLS-secured page"
<tlr> woah @ the anchor
stephenF: u seem to be talking about tls secure page
... is it a tls secure page or a secure page
yngve: am trying to move towards tls secure page
... whether u can say whether mybankDOTcom is really my bank, it cannot be at that level
stephenF: it can confuse people if no distinction is made
yngve: determine what kind of security
yngve: usually it is the padlock
yngve: i have listed the criteria
yngve: some that are in and some that are out of scope. Some that are suggested.
hal: are u saying that any insecure content- that we consider insecure (was not clear from writeup)
yngve: from my thinking, we cannot tell how sensitive a content is
... can include information at what u r looking for
... as I mentioned, some banks want to consider content over insecure connection in a secure page
<Zakim> stephen, you wanted to ask whether reputation is better dealt with elsewhere
yngve: I am leaning in the direction that it is insecure until it is all secure
stephen: that seems to me that we presume what is a page
<tlr> stephen: presumes notion of what a page is
<maritzaj> forgot about another meeting at 11:30 ... apologies for cutting out early
<tlr> yngve: all that's displayed?
yngve: somebody has a better suggestion
stephenF: if it is a tls secure page, it should be mentioned elsewhere
yngve: mentioned the possibility to use ocsp to get info as to what kind of credit card to use
stephenF: I hate that idea
yngve: that info can be included in the certificates.
... if it is authorized by AmEx to pay by CC.
<PHB2> I don't like it either :-)
<johnath> digression alert!
stephenF: do not like that too much info into certs + layering violation + need to go to Mastercard,Amex
... if the scope of this proposal is - what is a page? what is a tls secure page?
<Mez> how is this a digression? sorry, it seemed on point to me. but if it's a digression, it should be stopped
stephenF: the scope of what is a secure page is too broad
... it will lead us to make mistakes
... just get the scope to "what is a page?"
<PHB2> OK what I would go for is a world where maybe we issue EV certs with specifically accredited OIDs that can be used by payment processing protocols.
<johnath> Mez - sorry - stephenF's point, that the rec should be well constrained, is on-topic. But how CC information might be handled in cert vs. ocsp is all a separate rec, if at all. :)
<Mez> got it
yngve: am going through what criteria to consider. In opera, associated fraud detection close to the padlock.
stephenF: i want to address just tls and not authorization
yngve: can take a look
Mez: sounds good
tyler: in ur conformance section, 5,9 and 12 talk about redirect behavior. I do not understand. they seem contradictory. Please add some text around the recommendations
... do not understand the motivation for why these should be done
yngve: aiming at when banks go from http to https
tyler: why is it a problem?
yngve: not much a problem. But I want these links to be clean. I want to include in the links (that indicate https) into the security indicators. Originally opera did that
<tlr> is that you, audian?
<Audian> yes
yngve: this is point 9. u click the link, submit the page. All this should be included in the security indicator. If anything is insecure transaction, this should be displayed in the security indicator.
<tlr> rachna, is that you?
<rachna> yes
yngve: if anything goes over http (when wished https), malicious code can be inserted
... seen a couple of case, html/javascript created a page without padlock, but showed padlock.
<Zakim> johnath, you wanted to comment on criteria 16, 15, 10, 8, and 7 :) (I suspect I'll be re-queueing :)
Mez: can u please respond to tyler's request.
yngve: I will. providing some bckgrnd
<anil> who is talking
<tlr> johnath
<tlr> asaldhan, when you can't identify the speaker, just say ??1: blah blah
<stephenF> +1 on not saying 2^32
<johnath> ref for keylength recs: http://www.keylength.com/
yngve: am sort of putting in an advice if for example NIST recommendation for xxx bit
johnath: for writing conformance report, consider keylength
Mez: that is for the authorities
johnath: many of them are crypto people
... here.
yngve: 512 bit certs are still in use
... a month or 2 ago, some finance sites were using it
<johnath> zakim: q?
<tlr> e.g., bcp 86?
yngve: authorities do not always agree. euro authorities are not recommending 1024 bits
<tlr> http://tools.ietf.org/html/bcp86
<tlr> Determining Strengths For Public Keys Used For Exchanging Symmetric Keys
PHB2: we should differentiate confidentiality with authenticity instead of secure page
... a class of certs are only for confidentiality
<stephenF> phb: what's wrong with anon D-H for that
PHB2: either u do not see any indicators or u register the cert
<Zakim> Thomas, you wanted to ask if there's a spec elsewhere that we might reference
tlr: follow up with the discussion about keylength - bcp86
<johnath> yngve: for the record, I think this is an important recommendation to get in. I'm wordsmithing it, but I think this is one of the key recs to get browser vendors to align on, as a whole.
<stephenF> bcp 86 only requires "commensurate" though (from memory)
tlr: bcp86 is a moving target document.
<Zakim> stephen, you wanted to ask if item #4 is ok since its a server thing
yngve: will look at it
<tlr> ... deliberately ...
stephenF: proposal #4
<tlr> huh? The charter explicitly gives that example. ;-)
stephenF: we thought we do not do proposals about what websites shud do. are we breaking rule
... concerned that we will be making a reco that ppl will totally ignore
... there are large # of developers who code websites in a number of ways
... situations where someone has control over part of the website and not the other part. They will have difficulties in conformance
<Mez> thomas is
tlr: what web client should do ???
<johnath> (I hear low volume noise)
<johnath> hal, asaldhan - can you mute if you're not going to jump in?
stephenF: tlr we need to issue statements for server side developers?
<tlr> I think there's value to writing up "how to deploy a web site that causes security indicators to show up" type checklists in MUST/SHOULD language. ;-)
<anil> *** stephen I am lost a bit here
tlr: am satisfied to keep what we have.
<Zakim> johnath, you wanted to question criterion #10
johnath: criteria 10
... understand how this got in. users may not realize they are submitting content to an unsecure site
<PHB2> In fact I would like to see as little flipping from secure to unsecure as possible
johnath: I do not see this recommendation may not help making a better world.
<Mez> tyler, does PII use the submit url as the target website, or the url of the form? I hadn't thought about that crisply, and this discussion makes me wonder
yngve: submitting creds intended for protected services. U need to plan to do it in secure fashion. In a protected page
johnath: creating this behavior in the browser will create sufficient nuisance for people to work around it.
<Mez> warnings would get disabled after the first time
<Mez> but some sort of SCI would be interesting
<stephenF> -1 to flag days
<Mez> it wouldn't be possible for all clients to implement anything totally at the same time
<tlr> +1 to -1 to flag days
<tlr> ;-)
<tlr> I'm +1 to point 2, but -1 to 10.
<Zakim> stephen, you wanted to ask if this text treats the SCI in too "binary" a way
Mez: we can have discussion on alternatives
stephenF: in dublin, we discussed that security indicators is a binary flag.
... but this proposal indicates that binary display is not sufficient
<tlr> indeed, that's an important point
stephenF: why not "low secure" "high secure"? Increase security
<tlr> padlock -> $padlock
yngve: do not have a glossary as to what terms mean
<stephenF> fair enough to revisiting when glossary done
<tlr> I think "padlock" at this point is an existentially quantified variable that holds whatever the right kind of indicator is.
Mez: agree with stephen that we need to bring more recommendations
<Zakim> Thomas, you wanted to speak about #3
tlr: #3. Sounds like a good idea
... if u have been using secure connectn to transmit creds, u shud not be using those creds/tokens in a less secure env
... authentication/authorization models exist
<anil> ****tlr. please fill in some information about authentication/ tokens/cookies here plz
<stephenF> fwiw, stephen fine to punt SSC discussion to next week
<Mez> stephen, would you be ok if ssc got moved back to the next meeting if we run over on this topic?
<Mez> great, tx
<stephenF> fwiw2: I gotta go off the call for 5 mins
<Mez> ok, then we're definitely pushing it back to next week
<Mez> next week then. what the heck.
<Audian> yawn
<stephenF> back now
<tlr> audian, yawn @ what?
<anil> ***tlr I am lost. Please fill in what you mentioned
<anil> *** before we send the minutes
<Zakim> PHB, you wanted to say, banks should simply put all their content in a secure zone
<tlr> tlr: there's the typical token-based authentication mode used by big web properties, which is based on authentication going on through HTTPS, then a token (cookie) is transferred through HTTP to low-value services.
PHB2: suggest changing #1 that all web servers shud support ssl restarts?
<stephenF> s/restart/resume/ is it?
<tlr> #3 contradicts that; do we want to deprecate that practice?
PHB2: oh yes, we can secure entire web site but it will not be performant
... should tell users that they should secure all of their content
<tlr> agree on the bank interactions.
<Mez> I look forward to seeing the conformance language for that!
PHB2: unless if u r a site like amazon where majority of the site is content. secure content is done by separate servers. For banks, everything should be secure. once secure, no reason to go to insecure content.
<tlr> however, there is a reason to go back to insecure: You need a TLS private key on every server. Either, you open a CA, you cough up a lot of money, or you create attack surface by using wildcard certs.
<tlr> mez, so do I. It's a hard to crack problem.
<tlr> ACTION: phb to phrase conformance language for fully securing sites [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action04]
<trackbot> Created ACTION-268 - Phrase conformance language for fully securing sites [on Phillip Hallam-Baker - due 2007-07-18].
Mez: tlr and I think that conformance language around that is tough. U want to take a crack at that?
<tlr> phb, we don't hear you
tyler: reco for server side developers, one reco for tls secure page and one reco ???
<Mez> I encourage everyone with thoughts that might not get them out in the next 12 minutes to put them in email, issues, etc.
<johnath> if tyler is getting to recommending that this be broken down: +1
<johnath> there we go, +1 to tyler. :)
<tlr> +1, too
<stephenF> +1
tyler: could you break out the tls section
<Mez> the template itself though really works against making smaller parts. Because there's so much reference material. But I think we'll need to deal with that anyway, with the robustness issues.
yngve: will take a look
<Zakim> johnath, you wanted to discuss criterion 16, if there's still time before stephen's SSC topic
<tlr> reading 14 and 16 side by side, they are similar, and should be phrased in parallel
<PHB2> did I just drop off the call
<tlr> yes phill
<tlr> a while ago actually
johnath: support tyler in breaking out the 3 components
<Mez> yes, we missed you phill
johnath: criterion #16
<Mez> you were saying something about making #1 more general, then dropped
<sduffy> gotta run to another meeting... REMINDER: Please have your proposals in the new template form by COB today
<Mez> thanks shawn
*** johnath, please chime in what you are saying.
**** johnath I lost the trail
<stephenF> johnath: insisting on all-EV seems over the top
<stephenF> +1 to johnath - similar point could be made about 2048 vs 1024 mixes
<tlr> yuck, don't do a MAY there
<stephenF> am I disagreeable? :-)
johnath: EV tells that this is paypal. But it does not tell that paypal is legitimate
***johnath could u please pen what you talked about in IRC
<johnath> (self-scribing) johnath: criterion 16 requires user agents to treat a totally https page with an EV top-level document as non-EV if it includes https content which uses OV/DV certs. I think that the use of those certs doesn't alter the identity of the page
*** tlr. I need to vanish at the next scribing assign
<Mez> sorry bill and thomas
<Mez> I really, really hope you put your questions into email