Web Security Context Working Group Teleconference
05 Mar 2008

See also: IRC log


Present: Mary Ellen Zurko, Thomas Roessler, Tyler Close, Jan Vidar Krey, Luis Barriga, Phillip Hallam-Baker, Bill Doyle, William Eburn, Hal Lockhart, Stephen Farrel, Maritza Johnson, Yngve Pettersen, Ian Fette, Mike McCormick
Regrets: Dan Schutzer, Tim Hahn, Anil Saldhana, Rachna Dhamija, Serge Egelman, Johnathan Nightingale
Chair: Mary Ellen Zurko
Scribe: Jan Vidar Krey




Approving minutes from last meeting

<Mez> http://www.w3.org/2008/02/27-wsc-minutes.html

Mez: approved

newly completed action items

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0078.html

Mez: no particular items

open action items

Mez: no items

issues closed due to inactivity

Agenda bashing

<PHB2> Off topic: There is also:

<PHB2> http://blogs.verisign.com/websecurity/2008/03/what_it_takes_to_make_the_inte.php

ifette: Problems booking hotel in Oslo, anyone else have problems?

yngve: can ask around

Mez: section 6.1 was not completed last week
... remaining issues on 8.1
... 9.2 and 9.3
... logistics, no meeting next week, the week thereafter there is a timezone difference between Europe and US

Section 6.1 Identity and trust anchor

<Mez> http://www.w3.org/2008/02/06-wsc-minutes.html#item01

<Mez> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#IdentitySignal

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0084.html

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0086.html

Mez: start looking through the normative language, and raise issues with it for the LC in June

ifette: if on a normal web page, what must be in the primary interface?

<ifette> (or should)

Mez: we have a line about it

ifette: question is about, validated as in not EV-cert

<ifette> this is too hypothetical

<Mez> I agree

<Mez> but luckily this is not about EV at all

<Mez> or even AA

PHB2: cert does not need to be EV to provide a strong identity signal. Subject name, VeriSign class 3.

<ifette> sure, but I want to know that we're recommending something that makes sense and right now it doesn't

<tyler> I'm on q to object to: "an applicable domain name label retrieved from the subject's Common Name attribute or from a subjectAltName extension MUST be displayed."

ifette: this is saying some indicator should always be there, should always signal something, which is unclear unless we are using ssl.
... only thing that can be trusted is the domain name

<tyler> When the certificate is not issued by a built-in CA, I'm worried about the text: "The Issuer field's Organization attribute MUST be displayed to inform the user about the party responsible for that information."

ifette: a lot of users are visiting sites they haven't visited before, why are we taking up screen estate when we have no identity information?

Mez: issue is, show nothing at all when we have no identity information?

<tlr> SHOULD show identity signal, always

Mez: is that ok for the current text?

PHB2: make the text more explicit, in particular, users are discovering new sites all the time

<Mez> During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an validated certificate, an applicable domain name label retrieved from the subject's Common Name attribute or from a subjectAltName extension MUST be displayed.

<tlr> tyler, you're objecting against the domain validated, not AA case, correct?

tyler: can be confusing to users, and be susceptible to phishing

<tlr> (just making sure we're not talking past each other)

<stephenF> The text "domain name label" is a bit odd there too - I think it just means "DNS name"

Mez: do we want to allow for other pieces of information and/or downgrade this section from a MUST to SHOULD or MAY?

<tlr> stephen, correct. Label would be a single label, as in, the thing between two dots.

<stephenF> so just display ".com" then:-)

tyler: eliminate the paragraph that says we must display the altname

<Zakim> ifette, you wanted to elaborate on tylers point

ifette: domain names can be long, not likely display whole if really long, which means they will be truncated

Mez: objections for removing this line?

ifette: what are we left with, if this is removed?

<Zakim> stephenF, you wanted to ask what "otherwise authenticated" means after MUST

<Mez> Information displayed in the identity signal MUST be derived from validated certificates, from user agent state, or be otherwise authenticated.

<stephenF> that sentence is in 6.1.2 at the top (2nd para)

<Mez> tyler, you didn't get on q because you inserted a spurious comma

<luis> It could also be DNSSEC?

stephenF: probably give some examples, or constrain it somewhat

<ifette> -1 to DNSSEC

<stephenF> right, DNSSEC might be a good example (sometime)

<ifette> browsers don't necessarily have that information (e.g. done at higher level)

<luis> i think DNSSEC is OK. It's authenticated with sort of PKI

tlr: do we have anything that is otherwise authenticated?

<tlr> dnssec is on the wrong level, no?

Mez: any objections for removing the "otherwise authenticated" clause?
... resolved, will be removed.

PHB2: A validated cert, and no cert makes a big difference.
... we are not specifying X509, a DNSSEC is a certificate

<Mez> The Issuer field's Organization attribute MUST be displayed to inform the user about the party responsible for that information.

tyler: propose to remove the MUST be displayed, or only applicable for installed root CAs

<stephenF> maybe 5.1.2?

<stephenF> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-interactively

tyler: certificate might be issued by unknown CA, in that case must we display the information?

tlr: needs clarifications

<stephenF> sounds good to me to refer back to section 5 somewhere in 6

Mez: any problems with clarifying this?

tyler: what is the purpose of a MUST, in this case?
... this is sort of an advertisement spot for CAs.

tlr: one more general point, the basic idea is to always show things in the same place. Should not rely on the absence of identity signals as a signal of danger.

<Zakim> stephenF, you wanted to ask if we will include 2119 text about what/how to display from x.509 certs

<Zakim> ifette, you wanted to disagree with tlr

stephenF: how do we display information from certificates? I would like to have some definitions.

ifette: staying away from absence of identity indicators is not a problem in most cases. In safe browsing mode then, yes.

<Zakim> stephenF, you wanted to ask about "all"

stephenF: "...across all web interactions", is that limited to user agent?

Mez: means within user-agent
... On to 6.1.2
... "During interactions with a TLS-secured Web page for which the top-level resource has been retrieved through a strongly TLS-protected interaction that involves an augmented assurance certificate, the identity signal MUST include the Subject field's Organization attribute to inform the user about the owner of the Web page."

ifette: can we boil 6.1 down to this?

<Zakim> stephenF, you wanted to ask what if "O=" isn't present in the cert (in the paragraph after the current one)

<ifette> (where this means the EV sentence)

Mez: typo in the next line, must is not capitalized

yngve: have a problem with the unless a change of security level has occurred.

tlr: will be dropped, link pointing nowhere
... probably needs to be coupled with 6.4.

Mez: next line

ifette: not sure about recommending logotype since it isn't being used, yet

Mez: will be removed for LC in June

tlr: the next one depends on the previous paragraph

PHB2: hang on, there is a prototype

<tlr> http://www.w3.org/2006/WSC/Group/demos/letterhead_u3.xpi

ifette: problem is not the lack of prototype, rather that there are no certs with logotypes yet.

<MikeM> http://news.netcraft.com/archives/2008/02/17/extended_validation_ssl_certificates_now_1_year_old.html

PHB2: actually, VeriSign have had logotype for 5 years, now

<stephenF> it's fair to say that we don't know what if any effect would be caused by display of logotypes

Mez: screenshot of prototype?

<PHB2> just appeared on the list

<Mez> yes

tlr: will rewrite/remove some parts as discussed during the meeting... will leave the logotype part alone for the moment.

<PHB2> next week is IETF

<tlr> no meeting next week

Mez: no meeting next week, will send a reminder about it

