See also: IRC log
<trackbot> Date: 27 August 2008
<scribe> ScribeNick: tlr
trackbot, close ACTION-477
<trackbot> ACTION-477 Put soaps position paper in shared bookmarks closed
trackbot, close ACTION-489
<trackbot> ACTION-489 Take care of publication of wsc-ui as Last Call WD closed
ACTION-496: continued; Jan Vidar will need to offload to somebody else
<trackbot> ACTION-496 Fill out the Opera column in our features at risk table notes added
ACTION-350?
<trackbot> ACTION-350 -- Tyler Close to report about browser security model discussions -- due 2008-07-16 -- OPEN
<trackbot> http://www.w3.org/2006/WSC/track/actions/350
tyler: don't think we have anything about impact of certificates of different classes in a mix of frames
tlr: write up something?
tyler: basic scenario -- man in
the middle attacker intercepts, uses self-signed cert; there's
window open; attacker opens other tab; other tab has real site
with real cert
... but now evil site can navigate that tab ...
... can inject, has full control, oooops ...
yngve: shouldn't domain control in JavaScript handle that?
tyler: nope, this is a network attack
yngve: oh
tyler: user sees first pop-up -- not trustworthy, but "must be able to trust the real thing"
yngve: if the url in the other window is for different domain...?
tyler: same domain!
yngve: but it's being presented as other -- or directly through -- ok
tyler: network attacker allows
request to go through once, intercepts once, two pages on same
domain, controlled by different parties
... one might look trustworthy, one might not ...
trackbot, close ACTION-350
<trackbot> ACTION-350 report about browser security model discussions closed
<scribe> ACTION: tyler to frame discussion about interaction of navigation policy and security indicators [recorded in http://www.w3.org/2008/08/27-wsc-minutes.html#action01]
<trackbot> Created ACTION-503 - Frame discussion about interaction of navigation policy and security indicators [on Tyler Close - due 2008-09-03].
yngve: would think that there
isn't an EV indicator in that case
... or AA ;-) ...
tyler: multiple different certs
for the same hostname, treat that as an attack
... the attacker produces self-signed ...
yngve: yes, could be a problem
http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0013.html
http://www.w3.org/TR/mobileOK-basic10-tests/#http_response
<yngve> tlr:
<scribe> ACTION: tlr to propose comment on mobileOK test; propose on list with 24h objection period [recorded in http://www.w3.org/2008/08/27-wsc-minutes.html#action02]
<trackbot> Created ACTION-504 - Propose comment on mobileOK test; propose on list with 24h objection period [on Thomas Roessler - due 2008-09-03].
http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
yngve: should mention client-side certificates
tlr: also, breaks channel binding
http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
yngve: channel binding is work in
progress
... and the problem is that they won't find out until they
actually do the request ...
... most likely failure scenario is for the site to respond
with invalid login in text, in case they don't break the
connection ...
draft-altman-tls-channel-bindings
tlr: propose we suggest that they ask Altman and Williams, and also TLS WG
yngve: yeah, has been discussed
at TLS WG meetings several times
... mechanisms to use the master secret to get more key
material for application use
<scribe> ACTION: tlr propose comment re https lnk rewriting, client-side certs and channel bindings [recorded in http://www.w3.org/2008/08/27-wsc-minutes.html#action03]
<trackbot> Created ACTION-505 - Propose comment re https lnk rewriting, client-side certs and channel bindings [on Thomas Roessler - due 2008-09-03].
yngve: one point about the
channel binding -- that is going to require special apps that
have support for it
... question is whether or not that would happen; then again,
url will control
... question how relevant the issue is for this use case
http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724
yngve: have one that went directly to me
tlr: please forward to public
comment mailing list
... propose that LC-2058 be dealt with at editor's
discretion
... LC-2059 likewise
LC-2055 editorial too
tlr: LC-2056 -- update pkix to pkixbis
PROPOSED: to update reference to 5280
RESOLUTION: to update reference to 5280
<scribe> ACTION: thomas to update reference to 5280 [recorded in http://www.w3.org/2008/08/27-wsc-minutes.html#action04]
<trackbot> Created ACTION-506 - Update reference to 5280 [on Thomas Roessler - due 2008-09-03].
yngve: propose using PKIX as bibliography key
steele: oh, backward reference in there
yngve: related, updated TLS
reference?
... TLS 1.2 was released a couple of weeks back
tlr: yngve, please send
mail
... propose that we add reference to TLSv12 ...
... anything on weak algorithms there?
yngve: moved elsewhere
... separate document on DES ...
... there is a separate document about DES and IDEA ..
... they removed all ancient ciphers from the document ...
tlr: I'll propose a detailed edit in response to your e-mail
ACTION-500?
<trackbot> ACTION-500 -- Mary Ellen Zurko to inquire phb about ev cert for test environment -- due 2008-08-20 -- OPEN
<trackbot> http://www.w3.org/2006/WSC/track/actions/500
tlr: phill, anything new?
phb: cannot get you EV cert
without going through the process
... however, we do know how to fiddle with IE to make it
display anything as EV ...
... presumably, FF and Opera can help with that ...
yngve: EV OIDs are digitally
signed
... no test versions ...
... intentional that we don't let anybody override it ...
phb: in case of ie7, possible to
override by manually marking trust root
... as being EV ...
... it's not difficult ...
yngve: malware!
tlr: rathole!
ACTION-502?
<trackbot> ACTION-502 -- Phillip Hallam-Baker to drive test case matrix for 6.12 -- due 2008-09-03 -- OPEN
<trackbot> http://www.w3.org/2006/WSC/track/actions/502
phb: will do today
http://www.w3.org/2002/09/wbs/35125/TPAC2008/
http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0026.html
adjourned