W3C

- DRAFT -

Web Security Context Working Group Teleconference
21 May 2008

Agenda

See also: IRC log

Attendees

Present
MaryEllen_Zurko, PHB, tyler, Bill_Doyle, Maritza_Johnson, jvkrey, joesteele, yngve
Regrets
<everyone else>
Chair
Mez
Scribe
PHB2
Usability testing
Mez: We only got through day one of the agenda in Oslo, this was all the exit criteria for June
11:11 Mez: Should get to last call by end of June
Mez: Need to talk about run from LC to candidate rec
Mez: besides last call, have to do testing
11:12 Mez: interop testing, need to develop test plans, particularly conformance test plans
Mez: Candidate rec entry and exit
Mez: Thomas not here today, but will try to get something done in his absence
Mez: Conforming implementations
11:13 Mez: discuss conforming implementations after testing
Mez: not got right people here today
Mez: so discuss UT
11:14 Mez: what will we do on UT to get to exit?
11:16 Maritzaj: Status of usability testing
Mez: no discussion at all since
Maritzaj: Status unchanged since San Jose
11:17 maritzaj http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
Maritzaj: Have list of recommended proposals
Maritzaj: Same status as last July, need to discuss what will do for each rec
Mez: some have been lost due to last call
Mez: some have been lost before last call
11:18 http://www.w3.org/2006/WSC/drafts/rec/rewrite.html
Mez: One issue is to move section 8 to own doc which is not going to be LC in June.
11:19 PHB: cuts out a lot of testing
Mez: Not clear that robustness needs testing
11:20 jvkrey : section 8 is moved to; http://www.w3.org/2006/WSC/drafts/wsc-content/
11:24 Mez: Not clear that the claims are expressed very well for testing
tyler: Have to go soon, are there any hooks in the implementation that would help with testing?
11:25 Maritzaj: ok
11:26 Mez: OK lets start on Pet Name Tool (PNT) as a worked example
Mez : http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-petnames
Maritzaj: yes
Mez: OK here it is for everyone
Mez: Other thing wanted to do our email discussion where did we leave off?
Maritzaj: april 24th
11:27 Mez : http://lists.w3.org/Archives/Public/public-wsc-wg/2008Apr/0044.html
Mez: Do users remember enough to recognize pet names?
11:29 Maritzaj: Are people looking for pet names when they should be?
Maritzaj: not necessarily on NYT but certainly on BofA
ifette: what if users are presented with pet name not reasonably theirs?
ifette: not sure what is a different aspect?
11:30 tyler: talking about picture in picture attack
11:31 PHB: need to expose risks even if there is a control
11:32 Mez: are we gonna capture all this in minutes or should we be using the wiki?
PHB: wiki
Tyler: for pet name tool...
11:35 Test where there is gonna be an unexpected result
Mez: not even enough resources for that
PHB: Categories of test: Acceptance, communication of information, vulnerability to impersonation or emulation
11:36 Mez: Need to provide some usability claims
PHB: extra category: does it reliably modify user behavior?
Tyler: can describe claims simply enough that they can be tested in a very lofi way.
Mez: these are the claims I am relying on with the PNP
11:37 Maritzaj: recently
Tyler: yep
[will send]
11:38 ACTION: tyler to create list of usability claims and issues for potential testing of petnames section 5.1.6
Created ACTION-476 - Create list of usability claims and issues for potential testing of petnames section 5.1.6 [on Tyler Close - due 2008-05-28].
http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#Robustness
Mez: shall we do robustness?
[We agree 'cos we do]
Created ACTION-477 - Put soaps position paper in shared bookmarks [on Mary Ellen Zurko - due 2008-05-28].
11:44 Bill: People may ignore this information
Bill: May show picture but not the picture you are expecting
11:45 Mez: Has this feature been adequately tested?
Bill: Yep, it's negative!
Mez: That's a web site not a user agent
Bill: Principle is the same
Mez: Not clear to me that the results transfer.
11:46 Mez: going to the link right now, what parts speak to this...
11:50 Joe: Don't think we shouldn't have usability testing round this but there is stuff we should look at.
PHB: so maybe arguing that this can be avoided due to triage
11:51 Joe: Is a conforming user agent implementation people can look at called Skipper
http://www.sxipper.com/
Sxipper
11:52 Joe: Can change your icon from a dog to graphic of your choice
Mez: very excited about your volunteering to bring this info together
Joe: Will do offline
11:54 ACTION: steele to pull together UT background on 7.1.1 robustness recommendation (shared secret)
Created ACTION-478 - Pull together UT background on 7.1.1 robustness recommendation (shared secret) [on Joe Steele - due 2008-05-28].
11:55 Mez: 7.1.2
11:56 Decided: 7.1.2 does not require usability testing
[Usability testing is not conformance testing]
Mez: 7.2 you should not use a security indicator that content can mimic
11:59 Maritzaj: Some of this should also be in the separate document about the Web site
yngve : https://blog.startcom.org/?p=86
12:02 ifette apologizes but I have to drop off
12:03 Mez: Can see us doing usability testing to see if apps conform with the second statement
Mez: if the chrome was not displayed in a manner that confuses
Mez: only way to test conformance would be to see if it could be confused
12:04 Mez: test could be lo-fi or implementation, show user in a session things and ask them if they were controlled or might be spoofable.
12:06 PHB: I think it could be conformance testing rather than user testing
12:07 PHB: if you can make the distinction clear it should not need user testing to verify
12:08 PHB: need to be sparing with usability testing to avoid outdoing resources
Mez: agree we will need triage
12:09 Mez: OK we could do usability testing but it is not essential for 7.2
12:10 Mez: last para, the same
Mez: not enough argument.
12:11 <- joesteele has disconnected (Quit: joesteele)
Mez: maritzaj, what are next steps
Maritzaj: go through document in order
Mez: what are the things we might go through in terms of the claims.
jvkrey thinks "not enough arguments" looks like an error message
12:12 Mez: would be useful for some person to go through and process as will not get back to for several weeks
jvkrey - it is!
Maritzaj: could put together arguments people have made
12:13 [Mez prepares an action]
ACTION: maritza to pull together usability testing data from archives in 2 weeks
Created ACTION-479 - Pull together usability testing data from archives in 2 weeks [on Maritza Johnson - due 2008-05-28].
12:14 Mez: OK good start, close meeting early, see you next week
SEC_WSCWG()11:00AM has ended
Attendees were MaryEllen_Zurko, PHB, +1.650.862.aaaa, tyler, Bill_Doyle, Maritza_Johnson, +47.23.69.aabb, jvkrey, +1.925.984.aacc, joesteele, yngve, +1.650.214.aadd, ifette

Summary of Action Items

[NEW] ACTION: Created ACTION-476 - Create list of usability claims and issues for potential testing of petnames section 5.1.6 [on Tyler Close - due 2008-05-28].
[NEW] ACTION: Created ACTION-477 - Put soaps position paper in shared bookmarks [on Mary Ellen Zurko - due 2008-05-28].
[NEW] ACTION: Created ACTION-478 - Pull together UT background on 7.1.1 robustness recommendation (shared secret) [on Joe Steele - due 2008-05-28].
[NEW] ACTION: Created ACTION-479 - Pull together usability testing data from archives in 2 weeks [on Maritza Johnson - due 2008-05-28].
[End of minutes]

Minutes formatted by hand