Web Security Context Working Group Teleconference
20 Aug 2008

See also: IRC log

Present: Thomas Roessler, Mary Ellen Zurko, Philip Hallam Baker, Joe Steele, Maritza_Johnson, Jan Vidar Krey, Ian Fette, Tyler Close
Regrets: Johnathan_N, Yngve_P
Scribe: Maritza Johnson

Approve minutes from previous meeting

<Mez> http://www.w3.org/2008/08/13-wsc-minutes.html

mez: approved

Open action items

<Mez> http://www.w3.org/2006/WSC/track/actions/open

mez: standard set of open action items, i don't know of any extras
... first agenda, working through our first test scenario
... on vacation for the next two weeks
... tlr will chair

Agenda Bashing

<Mez> work through test scenario for 6.1.1 and 6.1.2

mez: someone should be in the wiki writing down the test scenario

thomas to capture conversation for wiki

<tlr> http://www.w3.org/2006/WSC/wiki/TestCases

Testing for CR Exit - work through test scenario for 6.1.1 and 6.1.2

<Mez> http://www.w3.org/TR/wsc-ui/#identity-requirement

mez: what will the test scenario be for viewing the identity information in the primary interface

tlr: there is a lot of check it off the list if it's ok in 6.1.1, they might depend on the individual browser

mez: do we ask them to go to the url and look for it

steele: the identity signal is consistent as the user navigates

tlr: an interesting question about the enumeration of conditions are things affected by the implementation in the second paragraph

mez: have we handled the second paragraph

tlr: the 3rd talks about consistency
... the UA must indicate no information is available
... the test would use the identity signal when interacting with different classes of websites

<steele> with a pinned cert?

tlr: set to test: plain http, https with regular cert, https with ev certs, https with broken ev cert, and possible cert conditions
... which we might find when testing for certificate errors
... we need more precise situations for these
... we need to understand the sites one visits when the identity information is available

mez: a forward reference to 6.1.2

<tlr> issue: clarify "positive form of identity" language in 6.1.1

<trackbot> Created ISSUE-215 - Clarify "positive form of identity" language in 6.1.1 ; please complete additional details at http://www.w3.org/2006/WSC/track/issues/215/edit .

mez: are we up to the 4th paragraph?
... why is the last line about web content there in 6.1.1

tlr: need to add material for when identity information is available
... the last sentence, as i read it, is that the identity signal is security chrome, might need an editorial clarification
... the must in the last sentence might be redundant
... should deal with it in 7.1.4

mez: So we have a draft to cover 6.1.1

tlr: and we need to have the webpages with special variables to run this against

mez: planning the testbed? is that a different discussion?

tlr: let's focus on what the tests mean in the first place

mez: moving on to 6.1.2

tlr: sounds like another requirement that depends on how the UA shows it
... it should also be dealt with when there are many implementations

mez: i thought the test plan would cover what we need to do to make that claim

tlr: some things might be inspection of X, it's hard to test the absence of something

mez: so we'll have activities around verifying that there are conforming implementations not in the test plan

tlr: no, i'm having a hard time saying the questions we're asking are tested
... there is a difference between a test plan and a test

<tlr> me too

mez: i like having one place to cover everything
... don't care what name it has
... point in wiki on identity signal content

<tlr> I'm not actually sure it's code inspection.

steele: it sounds like we're requiring code inspection?
... is that gonna fly?

<Mez> someone in adobe claims they checked, it's good

mez: doesn't need to be an external person

<Mez> we nod our heads sagely

tlr: we could give a checklist but someone has to check it, maybe not our place to say how it happens

mez: we talked about it last week, how exposed do the tests need to be
... in the public? unnecessary, other tests have been done in house
... don't know of a good alternative for code that isn't open source
... test cases for top-level that's at least AA/EV

tlr: we need to enumerate, tls secured webpage, and webpages where any of the criteria do not apply
... do/do not apply and need to verify the behavior in the cases

mez: tables format?

tlr: painful to do on phone and in wiki
... maybe someone should go through and write up what it should be
... there are some conclusions that derive from the initial spec that is useful

mez: something to do at the end of the call?
... we're doing in the call because of lack of volunteers to do it another time

<tlr> ACTION: baker to drive test case matrix for 6.12 - due 2008-09-03 [recorded in http://www.w3.org/2008/08/20-wsc-minutes.html#action01]

<trackbot> Sorry, couldn't find user - baker

<tlr> ACTION: phb to drive test case matrix for 6.12 - due 2008-09-03 [recorded in http://www.w3.org/2008/08/20-wsc-minutes.html#action02]

<trackbot> Created ACTION-502 - drive test case matrix for 6.12 [on Phillip Hallam-Baker - due 2008-09-03].

tlr: covers 6.1.2 in the spec
... looking through, we have conditions under which information is displayed, and we need cases where it is displayed
... shall we move further through the spec?

steele: in 6.1.2, phb's action item, is it a list of candidate certificates and how they'll be displayed?
... what do you mean by all the different cases

tlr: for the different types of certificates and the content conditions where they may be used, the cases need to be enumerated and the input needs to be broken into categories based on the interactions that occur, and state the output of the identity information

steele: 6.1.2 seems to talk about other properties of the certificate
... how does each certificate behave under conditions

tlr: would be a great piece of input

mez: not enough time to get another section done in remaining time

tlr: 6.3
... if we know the states when it should display we should know when the indicator should be present
... it appears the cases from 6.1 will cover it, but we should check
... is there anything else to say about 6.3 now

mez: need output from phb's action-502
... will that get folded into the parts that are there after it is fleshed out
... ok, good start, having worked examples is useful, any topics to bring up for next week

Next meeting

tlr: i'll plan to go over the comments we have so far, right now there's at least one comment to look at

Summary of Action Items

[NEW] ACTION: baker to drive test case matrix for 6.12 - due 2008-09-03 [recorded in http://www.w3.org/2008/08/20-wsc-minutes.html#action01]
[NEW] ACTION: phb to drive test case matrix for 6.12 - due 2008-09-03 [recorded in http://www.w3.org/2008/08/20-wsc-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2008/09/03 16:24:52 $