WSC WG weekly
11 Jul 2007


See also: IRC log


Thomas, jvkrey, Tyler, Chuck_Wade, stephen, johnath, asaldhan, maritza, yngve, Hal_Lockhart, Bill_Doyle, PHB, MaryEllen_Zurko, sduffy, audian, rachna
Dan_S, Audian_P




<tlr> Scribe: AnilSaldhana

<tlr> ScribeNick: asaldhan


<tlr> +Hal

approve minutes

<tlr> http://www.w3.org/2007/06/27-wsc-minutes

<tlr> RESOLVED: minutes accepted

Pick a Scribe. Anil present

<tlr> anil, I'm taking care of the topic lines. ;)

newly completed action items

<tlr> ACTION-226 done

<tlr> ACTION-240 done

<tlr> ACTION-243 done

<tlr> no issues with any of these?

<tlr> anil, any trouble scribing?

tlr: I am trying to catch what they are referring to

<tlr> anil, just scribe things as much as you can

tlr: can u pitch in here

<tlr> if people are too fast, slow them down

johnath: can u pitch what u referred to

<tlr> johnathan and MEZ both grappling with integrating robustness into spec test?

<johnath> johnath: Question for Mez: I have an action item which refers to integrating robustness recommendations into the doc, but it's unclear how that should happen

Mez: we will categorize into 4 . One of them is robustness. It is difficult to fit robustness into current template. We are trying to figure it out and waiting for editors draft

<johnath> johnath: therefore, I will keepe xtending my due date until that comes out

Mez: based on my conversations with shawn offline, my statements are valid

agenda bashing

Mez: discussion about liasons
... we also have discussion on "Secure page"
... anybody has to say anything about agenda?

liaisons list

Mez: there are number of groups that we should work with
... Dan has agreed to work with apwg/fbi, Bruno with omtp, mwbp,etsi

<johnath> Shawn will be on the call - sent a note - running late

Mez: we need volunteers for a few
... any takers for volunteering

PHB2: can volunteer for CABFOrum

<Zakim> stephen, you wanted to ask about IETF/SAAG and if there's a current-liaisons list somewhere

Mez: put down phill for cabforum

stephenF: is there a link someplace in the wiki for the liasons

<PHB2> How slow is zakim?

Mez: it is in the agenda.

<PHB2> Sped up now

<tlr> ACTION: mez to put liaison list into wiki [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action01]

<trackbot> Sorry, couldn't find user - mez

Mez: please give me an action item to place liasons in the wiki

<tlr> ACTION: zurko to put liaison list into wiki [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action02]

<trackbot> Created ACTION-266 - Put liaison list into wiki [on Mary Ellen Zurko - due 2007-07-18].

<Zakim> tlr, you wanted to note that OMA is represented in HCG and to also note there's a generic W3C-wide liaison list

Mez: stephen for IETF SAAG?

<stephenF> not stephen for 3gpp

<stephenF> phew

Mez: cannot take on additional liason duties. I have enough already
... want help from the team

tlr: what are we looking for from OMA?

Mez: this depends on the person

tlr: what are we expecting from them?
... hcg is the primary mechanism to do that

Mez: tlr lets take it offline

<Zakim> stephen, you wanted to ask about IETF/TAM (could be under AOB either)

<anil> I am from Chicago

tlr: stephenF can u give us an elevator pitch

stephenF: managing trust anchors and protocols associated
... this trust anchor is fit for this and not for that. mainly for x509

a bank can issue client certs to their users. a new protocol. create possiblilites of providing ssl certs

<Chuck> Aside: Michael McCormick of Wells Fargo is likely to have direct interest in the IETF TAM topic.

tlr: is it not slotted for the next meeting?

Mez: set it up offline

tlr: I can take it offline. but if u want resolution now, we cannot take offline

Mez: cannot remember the issue

it is resolution

tlr: i agree that there is an aspect of financial services usecase that may not be useful

stephenF: if there is no one from the financial services, then we can defer

<tlr> tlr to attend tam BOF in Chicago, wave WSC flag, report back

<Chuck> Reminder, Michael McCormick has a standing conflict with this group's weekly conference calls.

<tlr> ACTION: roessler to attend tam BOF in Chicago, wave WSC flag, report back [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action03]

<trackbot> Created ACTION-267 - Attend tam BOF in Chicago, wave WSC flag, report back [on Thomas Roessler - due 2007-07-18].

<stephenF> stephen doesn't agree but will do that some other time:-)

<anil> I would like to attend as I live in Chicago

<tlr> stephen, you don't agree with what?

<stephenF> more than welcome anil

<stephenF> tlr - just generally:-)

<johnath> he's very disagreeable

<stephenF> oh no I'm not

<tlr> johnath, we all know that

<johnath> stephenF: :)

Mez: I am going to type in IRC

tlr: not yet arrived
... welcome shawn. middle of liaison discussion
... wonder anybody on the call what aspect of 3gpp we shud be liaisoning
... want to defer this part as dan/bruno unavailable

<stephenF> think dlna is home n/w

<jvkrey> Wikipedia says TISPAN is "Telecoms & Internet converged Services & Protocols for Advanced Networks", part of European Telecommunications Standards Institute (ETSI)

tlr: I want to defer to dan as to what dlna is
... rob and bruno on avail. Lets defer this and move to next item

correction: rob and bruno unavail


<tlr> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage

yngve: lets see how am doing

<tlr> agenda order: WhatIsASecurePage, then wsc-usecases

yngve: goals i am trying to add.
... definitions

Mez: good background.
... am looking for ??? section that will be good

<johnath> Mez - halfway down - numbered list

<tlr> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#head-efe936b22bcb83eed5ffa40cef2335278973f7cc

<johnath> "Proposals for..."

<Zakim> stephen, you wanted to ask if that should be "secure page" or "TLS-secured page"

<tlr> woah @ the anchor

stephenF: u seem to be talking about tls secure page
... is it a tls secure page or a secure page

yngve: am trying to move towards tls secure page
... whether u can say whether mybankDOTcom is really my bank, it cannot be at that level

stephenF: it can confuse people if no distinction is made

yngve: determine what kind of security

yngve: usually it is the padlock

yngve: i have listed the criteria

yngve: some that are in and some that are out of scope. Some that are suggested.

hal: are u saying that any insecure content- that we consider insecure (was not clear from writeup)

yngve: from my thinking, we cannot tell how sensitive a content is
... can include information at what u r looking for
... as I mentioned, some banks want to consider content over insecure connection in a secure page

<Zakim> stephen, you wanted to ask whether reputation is better dealt with elsewhere

yngve: I am leaning in the direction that it is insecure until it is all secure

stephen: that seems to me that we presume what is a page

<tlr> stephen: presumes notion of what a page is

<maritzaj> forgot about another meeting at 11:30 ... apologies for cutting out early

<tlr> yngve: all that's displayed?

yngve: somebody has a better suggestion

stephenF: if it is a tls secure page, it should be mentioned elsewhere

yngve: mentioned the possibility to use ocsp to get info as to what kind of credit card to use

stephenF: I hate that idea

yngve: that info can be included in the certificates.
... if it is authorized by AmEx to pay by CC.

<PHB2> I don't like it either :-)

<johnath> digression alert!

stephenF: do not like that too much info into certs + layering violation + need to go to Mastercard,Amex
... if the scope of this proposal is - what is a page? what is a tls secure page?

<Mez> how is this a digression? sorry, it seemed on point to me. but if it's a digression, it should be stopped

stephenF: the scope of what is a secure page is too broad
... it will lead us to make mistakes
... just get the scope to "what is a page?

<PHB2> OK what I would go for is a world where maybe we issue EV certs with specifically accredited OIDs that can be used by payment processing protocols.

<johnath> Mez - sorry - stephenF's point, that the rec should be well constrained, is on-topic. But how CC information might be handled in cert vs. ocsp is all a separate rec, if at all. :)

<Mez> got it

yngve: am going through what criterial to consider. In opera, associated fraud detection close to the padlock.

stephenF: i want to address just tls and not authorization

yngve: can take a look

Mez: sounds good

tyler: in ur conformance section, 5,9 and 12 talk about redirect behavior. I do not understand. they seem contradictory. Please add some text around the recommendations
... do not understand the motivation for why these should be done

yngve: aiming at when banks go from http to https

tyler: why is it a problem?

yngve: not much a problem. But I want these links to be clean. I want to include in the links (that indiciate https) into the security indicators. Originally opera did that

<tlr> is that you, audian?

<Audian> yes

yngve: this is point 9. u click the link, submit the page. All this should be included in the security indicator. If anything is insecure transaction, this should be displayed in the security indicator.

<tlr> rachna, is that you?

<rachna> yes

yngve: if anything goes over http (when wished https), malicious code can be inseted
... seen a couple of case, html/javascript created a page without padlock, but showed padlock.

<Zakim> johnath, you wanted to comment on criteria 16, 15, 10, 8, and 7 :) (I suspect I'll be re-queueing :)

Mez: can u please respond to tyler's request.

yngve: I will. providing some bckgrnd

<anil> who is talking

<tlr> johnath

<tlr> asaldhan, when you can't identify the speaker, just say ??1: blah blah

<stephenF> +1 on not saying 2^32

<johnath> ref for keylength recs: http://www.keylength.com/

yngve: am sort of putting in an advice if for example NIST recommendation for xxx bit

johnath: for writing conformance report, consider keylength

Mez: that is for the authorities

johnath: many of them are crypto people
... here.

yngve: 512 bit certs are still in use
... a month or 2 ago, some finance sites were using it

<johnath> zakim: q?

<tlr> e.g., bcp 86?

yngve: authorities do not always agree. euro authorities are not recommending 1024 bits

<tlr> http://tools.ietf.org/html/bcp86

<tlr> Determining Strengths For Public Keys Used For Exchanging Symmetric Keys

PHB2: we should differentiate confidentialty with authenticity instead of secure page
... a class of certs are only for confidentiality

<stephenF> phb: what's wrong with anon D-H for that

PHB2: either u do not see any indicators or u register the cert

<Zakim> Thomas, you wanted to ask if there's a spec elsewhere that we might reference

tlr: follow up with the discussion about keylength - bcp86

<johnath> yngve: for the record, I think this is an important recommendation to get in. I'm wordsmithing it, but I think this is one of the key recs to get browser vendors to align on, as a whole.

<stephenF> bcp 86 only requires "commensurate" though (from memory)

tlr: bcp86 is a moving target document.

<Zakim> stephen, you wanted to ask if item #4 is ok since its a server thing

yngve: will look at it

<tlr> ... deliberately ...

stephenF: proposal #4

<tlr> huh? The charter explicitly gives that example. ;-)

stephenF: we thought we do not do proposals about what websites shud do. are we breaking rule
... concerned that we will be making a reco that ppl will totally ignore
... there are large # of developers who code websites in a number of ways
... situations where someone has control over part of the website and not the other part. They will have difficulties in conformance

<Mez> thomas is

tlr: what web client should do ???

<johnath> (I hear low volume noise)

<johnath> hal, asaldhan - can you mute if you're not going to jump in?

stephenF: tlr we need to issue statements for server side developers?

<tlr> I think there's value to writing up "how to deploy a web site that causes security indicators to show up" type checklists in MUST/SHOULD language. ;-)

<anil> *** stephen I am lost a bit here

tlr: am saitisfied to keep what we have.

<Zakim> johnath, you wanted to question criterion #10

johnath: criteria 10
... understand how this got in. users may not realize they are submitting content to a unsecure site

<PHB2> In fact I would like to see as little flipping from secure to unsecure as possible

johnath: I do not see this recommendation may not help making a better world.

<Mez> tyler, does PII use the submit url as the target website, or the url of the form? I hadn't thought about that crisply, and this discussion makes me wonder

yngve: submitting creds intended for protected services. U need to plan to do it in secure fashion. In a protected page

johnath: creating this behavior in the browser will create sufficient nuisance for people to work around it.

<Mez> warnings would get disabled after the first time

<Mez> but some sort of SCI would be interesting

<stephenF> -1 to flag days

<Mez> it wouldn't be possible for all clients to implement anything totally at the same time

<tlr> +1 to -1 to flag days

<tlr> ;-)

<tlr> I'm +1 to point 2, but -1 to 10.

<Zakim> stephen, you wanted to ask if this text treats the SCI in too "binary" a way

Mez: we can have discussion on alternatives

stephenF: in dublin, we discussed that security indicators is a binary flag.
... but this proposal indicates that binary display is not sufficient

<tlr> indeed, that's an important point

stephenF: why not "low secure" "high secure"? Increase security

<tlr> padlock -> $padlock

yngve: do not have a glossary as to what terms mean

<stephenF> fair enough to revisiting when glossary done

<tlr> I think "padlock" at this point is an existentially quantified variable that holds whatever the right kind of indicator is.

Mez: agree with stephen that we need to bring more recommendations

<Zakim> Thomas, you wanted to speak about #3

tlr: #3. Sounds like a good idea
... if u have been using secure connectn to transmit creds, u shud not be using those creds/tokens in a less secure env
... authentication/authorization models exist

<anil> ****tlr. please fill in some information about authentiction/ tokens/cookies here plz

<stephenF> fwiw, stephen fine to punt SSC discussion to next week

<Mez> stephen, would you be ok if ssc got moved back to the next meeting if we run over on this topic?

<Mez> great, tx

<stephenF> fwiw2: I gotta go off the call for 5 mins

<Mez> ok, then we're definately pushing it back to next week

<Mez> next week then. what the heck.

<Audian> yawn

<stephenF> back now

<tlr> audian, yawn @ what?

<anil> ***tlr I am lost. Please fill in what you mentioned

<anil> *** before we send the minutes

<Zakim> PHB, you wanted to say, banks should simply put all their content in a secure zone

<tlr> tlr: there's the typical token-based authentication mode used by big web properties, which is based on authentication going on through HTTPS, then a token (cookie) is transferred through HTTP to low-value services.

PHB2: suggest changing #1 that all web servers shud support ssl restarts?

<stephenF> s/restart/resume/ is it?

<tlr> #3 contradicts that; do we want to deprecate that practice?

PHB2: oh yes, we can secure entire web site but it will not performant
... should tell users that they should secure all of their content

<tlr> agree on the bank interactions.

<Mez> I look forward to seeing the conformance language for that!

PHB2: unless if u r a site like amazon where majority of the site is content. secure content is done by separate servers. For banks, everything should be secure. once secure, no reason to go to insecure content.

<tlr> however, there is a reason to go back to insecure: You need a TLS private key on every server. Either, you open a CA, you cough up a lot of money, or you create attack surface by using wildcard certs.

<tlr> mez, so do I. It's a hard to crack problem.

<tlr> ACTION: phb to phrase conformance language for fully securing sites [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action04]

<trackbot> Created ACTION-268 - Phrase conformance language for fully securing sites [on Phillip Hallam-Baker - due 2007-07-18].

Mez: tlr and I think that conformance language around that is tough. U want to take a crack at that?

<tlr> phb, we don't hear you

tyler: reco for server side developers, one reco for tls secure page and one reco ???

<Mez> I encourage everyone with thoughts that might not get them out in the next 12 minutes to put them in email, issues, etc.

<johnath> if tyler is getting to recommending that this be broken down: +1

<johnath> there we go, +1 to tyler. :)

<tlr> +1, too

<stephenF> +1

tyler: could you break out the tls section

<Mez> the template itself though really works against making smaller parts. Because there's so much reference material. But I think we'll need to deal with that anyway, with the robustness issues.

yngve: will take a look

<Zakim> johnath, you wanted to discuss criterion 16, if there's still time before stephen's SSC topic

<tlr> reading 14 and 16 side by side, they are similar, and should be phrased in parallel

<PHB2> did I just drop off the call

<tlr> yes phill

<tlr> a while ago actually

johnath: support tyler in breaking out the 3 components

<Mez> yes, we missed you phill

johnath: criterion #16

<Mez> you were saying something about making #1 more general, then dropped

<sduffy> gotta run to another meeting... REMINDER: Please have your proposals in the new template form by COB today

<Mez> thanks shawn

*** johnath, please chime in what you are saying.

**** johnath I lost the trail

<stephenF> jonath: insisting on all-EV seems over the top

<stephenF> +1 to jonath - similar point could be made about 2048 vs 1024 mixes

<tlr> yuck, don't do a MAY there

<stephenF> am I'm disagreeable? :-)

johnath: EV tells that this is paypal. But it does not tell that paypal is legitimate

***johnath could u please pen what you talked about in IRC

<johnath> (self-scribing) johnath: criterion 16 requires user agents to treat a totally https page with an EV top-level document as non-EV if it includes https content which uses OV/DV certs. I think that the use of those certs doesn't alter the identity of the page

*** tlr. I need to vanish at the next scribing assign

<Mez> sorry bill and thomas

<Mez> I really, really hope you put your questions into email

Summary of Action Items

[NEW] ACTION: mez to put liaison list into wiki [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action01]
[NEW] ACTION: phb to phrase conformance language for fully securing sites [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action04]
[NEW] ACTION: roessler to attend tam BOF in Chicago, wave WSC flag, report back [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action03]
[NEW] ACTION: zurko to put liaison list into wiki [recorded in http://www.w3.org/2007/07/11-wsc-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.128 (CVS log)
$Date: 2007/07/19 09:21:35 $