See also: IRC log
<trackbot-ng> Date: 05 March 2008
<scribe> ScribeNick: jvkrey
<Mez> http://www.w3.org/2008/02/27-wsc-minutes.html
Mez: approved
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0078.html
Mez: no particular items
Mez: no items
<PHB2> Off topic: There is also:
<PHB2> http://blogs.verisign.com/websecurity/2008/03/what_it_takes_to_make_the_inte.php
ifette: Problems booking hotel in Oslo, anyone else have problems?
yngve: can ask around
Mez: section 6.1 was not completed last week
... remaining issues on 8.1
... 9.2 and 9.3
... logistics, no meeting next week, the week thereafter there is a timezone difference between Europe and US
<Mez> http://www.w3.org/2008/02/06-wsc-minutes.html#item01
<Mez> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#IdentitySignal
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0084.html
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0086.html
Mez: start looking through the normative language, and raise issues with it for the LC in June
ifette: if on a normal web page, what must be in the primary interface?
<ifette> (or should)
Mez: we have a line about it
ifette: question is about, validated as in not EV-cert
<ifette> this is too hypothetical
<Mez> I agree
<Mez> but luckily this is not about EV at all
<Mez> or even AA
PHB2: cert does not need to be EV to provide a strong identity signal. Subject name, verisign class 3.
<ifette> sure, but I want to know that we're recommending something that makes sense and right now it doesn't
<tyler> I'm on q to object to: "an applicable domain name label retrieved from the subject's Common Name attribute or from a subjectAltName extension MUST be displayed."
ifette: this is saying some indicator should always be there, should always signal something, which is unclear unless we are using SSL.
... only thing that can be trusted is the domain name
<tyler> When the certificate is not issued by a built-in CA, I'm worried about the text: "The Issuer field's Organization attribute MUST be displayed to inform the user about the party responsible for that information."
ifette: a lot of users are visiting sites they haven't visited before, why are we taking up screen estate when we have no identity information?
Mez: issue is, show nothing at all when we have no identity information?
<tlr> SHOULD show identity signal, always
Mez: is that ok for the current text?
PHB2: make the text more explicit, in particular, users are discovering new sites all the time
<Mez> During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves a validated certificate, an applicable domain name label retrieved from the subject's Common Name attribute or from a subjectAltName extension MUST be displayed.
<tlr> tyler, you're objecting against the domain validated, not AA case, correct?
tyler: can be confusing to users, and be susceptible to phishing
<tlr> (just making sure we're not talking past each other)
<stephenF> The text "domain name label" is a bit odd there too - I think it just means "DNS name"
Mez: do we want to allow for other pieces of information and/or downgrade this section from a MUST to SHOULD or MAY?
<tlr> stephen, correct. Label would be a single label, as in, the thing between two dots.
<stephenF> so just display ".com" then:-)
tyler: eliminate the paragraph that says we must display the altname
<Zakim> ifette, you wanted to elaborate on tyler's point
ifette: domain names can be long, not likely to display whole if really long, which means they will be truncated
Mez: objections for removing this line?
ifette: what are we left with, if this is removed?
<Zakim> stephenF, you wanted to ask what "otherwise authenticated" means after MUST
<Mez> Information displayed in the identity signal MUST be derived from validated certificates, from user agent state, or be otherwise authenticated.
<stephenF> that sentence is in 6.1.2 at the top (2nd para)
<Mez> tyler, you didn't get on q because you inserted a spurious comma
<luis> It could also be DNSSEC?
stephenF: probably give some examples, or constrain it somewhat
<ifette> -1 to DNSSEC
<stephenF> right, DNSSEC might be a good example (sometime)
<ifette> browsers don't necessarily have that information (e.g. done at higher level)
<luis> i think DNSSEC is OK. It's authenticated with sort of PKI
tlr: do we have anything that is otherwise authenticated ?
<tlr> dnssec is on the wrong level, no?
Mez: any objections for removing the "otherwise authenticated" clause?
... resolved, will be removed.
PHB2: A validated cert, and no cert makes a big difference.
... we are not specifying X509, a DNSSEC is a certificate
<Mez> The Issuer field's Organization attribute MUST be displayed to inform the user about the party responsible for that information.
tyler: propose to remove the MUST be displayed, or only applicable for installed root CAs
<stephenF> maybe 5.1.2?
<stephenF> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-interactively
tyler: certificate might be issued by unknown CA, in that case must we display the information ?
tlr: needs clarifications
<stephenF> sounds good to me to refer back to section 5 somewhere in 6
Mez: any problems with clarifying this?
tyler: what is the purpose of a MUST, in this case?
... this is sort of an advertisement spot for CAs.
tlr: one more general point, the basic idea is to always show things in the same place. Should not rely on the absence of identity signals as a signal of danger.
<Zakim> stephenF, you wanted to ask if we will include 2119 text about what/how to display from x.509 certs
<Zakim> ifette, you wanted to disagree with tlr
stephenF: how do we display information from certificates? I would like to have some definitions.
ifette: staying away from absence of identity indicators is not a problem in most cases. In safe browsing mode then, yes.
<Zakim> stephenF, you wanted to ask about "all"
stephenF: "...across all web interactions", is that limited to user agent?
Mez: means within user-agent
... On to 6.1.2
... "During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an augmented assurance certificate, the identity signal MUST include the Subject field's Organization attribute to inform the user about the owner of the Web page."
ifette: can we boil 6.1 down to this?
<Zakim> stephenF, you wanted to ask what if "O=" isn't present in the cert (in the paragraph after the current one)
<ifette> (where this means the EV sentence)
Mez: typo in the next line, must is not capitalized
yngve: have a problem with the "unless a change of security level has occurred".
tlr: will be dropped, link pointing nowhere
... probably needs to be coupled with 6.4.
Mez: next line
ifette: not sure about recommending logotype since it isn't being used, yet
Mez: will be removed for LC in June
tlr: the next one depends on the previous paragraph
PHB2: hang on, there is a prototype
<tlr> http://www.w3.org/2006/WSC/Group/demos/letterhead_u3.xpi
ifette: problem is not the lack of prototype, rather that there are no certs with logotypes yet.
PHB2: actually, verisign have had logotype for 5 years, now
<stephenF> it's fair to say that we don't know what, if any, effect would be caused by display of logotypes
Mez: screenshot of prototype ?
<PHB2> just appeared on the list
<Mez> yes
tlr: will rewrite/remove some parts as discussed during the meeting... will leave the logotype part alone for the moment.
<PHB2> next week is IETF
<tlr> no meeting next week
Mez: no meeting next week, will send a reminder about it