Web Security Context Working Group Teleconference
13 Aug 2008



Present: Mary Ellen Zurko, Tyler Close, Johnathan Nightingale, Ian Fette, Jan Vidar Krey, Thomas Roessler, Bill Doyle
Regrets: Yngve Pettersen
Chair: Mary Ellen Zurko
Scribe: Jan Vidar Krey


Approve minutes from previous meeting

<Mez> http://www.w3.org/2008/08/06-wsc-minutes.html

Mez: approved.

Open action items

<Mez> http://www.w3.org/2006/WSC/track/actions/open

Mez: no issues need to be resolved in meetings.

Agenda bashing

Mez: next week I'd like to dive in on features at risk

Testing for candidate recommendation

Mez: tests needed, how to test, mechanical parts of the standards

tlr: we have tables of must/should. Go through that table and come up with scenarios that test these options
... write scenarios, expected behavior, create environment
... this approach will mostly work for section 5 and 6 in the doc.
... section 7 (esp. 7.4) might need to create scenarios that test deprecated behavior

Mez: any examples from other working groups?

tlr: (points to www.w3.org/TR)
... clause, example, behaviour description (pass/fail), expected/unexpected result.
... a table, implementation vs test case

<tlr> http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html

<tlr> http://www.w3.org/2007/xmlsec/interop/xmldsig/report.html

ifette: for any test case, we should release a test case file, instead of description of testcases
... for instance a webserver configuration file

<tlr> +100 to ifette

Mez: for creating infrastructure, what kind of restrictions do we have?

tlr: do not want to pinpoint any particular (bank) site as a bad example -- bad marketing
... the more concrete, for instance create a shell script which can generate certificate examples, fake CAs
... some questions remain for how to install fake CA certs in browsers

<tlr> ACTION: mez to inquire phb about ev cert for test environment [recorded in http://www.w3.org/2008/08/13-wsc-minutes.html#action01]

<trackbot> Created ACTION-500 - Inquire phb about ev cert for test environment [on Mary Ellen Zurko - due 2008-08-20].

ifette: adding an EV cert to a browser is user agent dependent.

johnath: might be problems creating an EV cert that would work on all browsers, but we should not depend on it.

Mez: no test infrastructure in cabforum, or others?

johnath: we can use debug builds to test, which can be used for certain edge cases and not intended for public use.

<tlr> (and actually, same question to jvkrey)

tlr: what kind of things exist in your (mozilla/opera) test infrastructure, could we use?

johnath: a lot of things can be used with firefox, but do not know how it will work for other browsers.

tlr: what do you have on the server side?
... more work for us to come up with something, or can Mozilla/Opera contribute with server side test cases?

johnath: I have no problem giving access to our tools, but our tools are built for mozilla products/environment

<tlr> (it might turn out that we're easier off *specifying* the tests, possibly the clients, and leaving it to the individual browser vendors to implement them in their respective frameworks)

tlr: I would be inclined to take a look at the test specification, then include for instance an apache configuration file.
... in certain specs we have had anonymous test results. Implementation A, pass/fail. etc.

Mez: Reviewing browser APIs, to check if robustness criteria are adhered to. Any specific place to go to find this?

johnath: One example, for resizing a window to larger than the screen or moving off screen, the implementation will not do it. We have unit tests for these kinds of things.

ifette: no guarantee that a browser does not have an exotic API for doing something in a non-standard way.

tlr: there are apis like open window with coordinates, a test could look like: click button -> open window at coordinate (10000,10000) -> check if the window was opened on screen.

ifette: needs to try different coordinates.

tlr: exercise known APIs.
... Add a checkbox; are there other ways to create the same behavior?

Mez: for other tests, could there be a browser representative that could take care of this?

johnath: yes, I can answer them for Mozilla, of course there might be bugs.

Mez: Write up scenarios during meetings.
... doesn't look like Mozilla/Opera have scenarios already written up for immediate testing.
... we could try to create a scenario today.

tlr: looks like it is easier to distribute work so that people can write a test or two off-line.

Mez: experience tells me people don't do it off-line.
... what would be the first action item?

<Mez> http://www.w3.org/2006/WSC/wiki/FeaturesAtRisk

tlr: 6.1.1 and 6.1.2 will be good starting points for testing, these are simple testcases, then we can go for the more complex ones later.

Mez: what's the next step?

tlr: Any volunteers?

next meeting

Mez: we could target next week's meeting for 6.1.1 or features at risk.
... there are outstanding issues on the table, we could target 6.1.1

tlr: expect 6.1.2 to be closely related to 6.1.1

Mez: will send e-mail, if someone picks it up that's great, otherwise target it for next week's meeting.

anything else on anything else?

tlr: reviewing content altering proxies for mobiles. Especially if a proxy serves https content as http.

<tlr> http://www.w3.org/mid/OF6A396D5B.C319E834-ON8525749C.0041C8D5-8525749C.0041D63D@LocalDomain

<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0003.html

Summary of Action Items

[NEW] ACTION: mez to inquire phb about ev cert for test environment [recorded in http://www.w3.org/2008/08/13-wsc-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2008/09/03 16:24:52 $