<wseltzer> trackbot, start meeting
David Chadwick: sent reminder to mailing list on Verifiable Creds
Steve Olshansky: welcome (back)
<SteveO> Thanks. Glad to be here
<christine> https://w3ctag.github.io/security-questionnaire/
Background: Mike West produced original version of this doc -- self-review questionnaire
On security -- added priacy; adopted by TAG
TAG looking at doc again (living doc) - link above is latest version
Lukasz is the contact person in TAG, is looking at it himself
Coordinating on how PING can help improve doc
Doc helps groups think through privacy considerations before coming to talk to PING -- is self-review
Want to get doc into state to be helpful to design & review process
Would like to get this into shape for TPAC (imminent!)
Many thanks to Jason Novak for stepping up to lead PING's effort on this questionnaire
<npdoty> +1 thanks to jnovak for organizing this
<jnovak> thanks. Happy to help :)
DavidC used the doc for own review (Verifiable claims); had issues with Question 13, would like further description about what is being asked for
<npdoty> looks like first/third-party contexts
runnegar: some of the questions have more detail than others, and this one looks like a candidate for adding detail
jnovak: thanks for
feedback.
... thoughts for review: there are several old docs that are
aligned/misaligned/out of date -- hoping to obsolete
... want to look at questionnaire all in one piece, and also
want to look question-by-question
<wseltzer> Jason's email re process for questionnaire
jnovak: circulated email about process; want broad input from PING and want to get planning in place for TPAC timeline
<wseltzer> +1 to jnovak's proposal
runnegar: suggest we review proposal on this call
jnovak: process goal: to do all
this in github -- this is where doc resides, is W3C/TAG
standard tool, useful for version control
... easier to manage pull requests for TAG review
want to corral specific PING folks to work on specific sections of document - use github, send comments for PING review
jnovak: get comments back before
TAG merge
... also should work with to lukasz for coordination of pull
requests
it's 4-5 week schedule now to get ahead of TPAC deadline
npdoty: Opening a PR and *then* getting feedback from people - is that right process? Would it be better to get feedback before PR?
jnovak: might be due to
misunderstanding of git mechanics but goal is mainly to just
have the right place for PING to give feedback
... whatever the right process is for that - fine to follow
this
<npdoty> the TAG repo does have a list of issues: https://github.com/w3ctag/security-questionnaire/issues/
mikeoneill has there been much activity on github so far? I think you should create a branch for the work for the next few weeks.
jnovak: we need to make a branch - do we have a PING repo to fork this to?
wseltzer: suggest working in TAG repo with PING branch
<npdoty> I think a fork is reasonable, because otherwise they have to give us commit access to their repo
runnegar: Jason would also welcome input if you're not so familiar with github
<wseltzer> https://github.com/w3ctag/security-questionnaire
jnovak: would also welcome
assistance from github experts
... will set up branch
<wseltzer> https://github.com/w3c/ping is the PING repo
jnovak: we'll work through issues
in weekly meetings to coordinate the work
... email chairs to join
npdoty: do we add issues, or work on open items?
jnovak: both. First week: spend
time thinking through what we want doc to be.
... if we identify missing section, then we may create work
item "add section foo"
... but also we have several existing work items to
complete
runnegar: do we have clarity on
process now?
... most importantly: we would really appreciate your putting
your hand up to contribute
<DavidC> I put my hand up :-)
runnegar: most important person to contact is Jason but also can talk to chairs & staff
<mikeoneill> I can put some time in over the next few weekends
runnegar: if we're okay with
process, we can move to the content, but want to make sure
we're solid on that point first
... moving to the self-review questionnaire now
<christine> https://w3ctag.github.io/security-questionnaire
jnovak will walk us through questionnaire
jnovak: date is wrong, for
starters
... it's about helping spec authors consider security &
privacy issues
... starts off with a "privacy by default"-type stance
... talks about user agents in helpful way
... 1.1 - talks about thinking about privacy early, but not
sure this is actionable
when you are thinking of building *feature*, think about these concerns
additional concrete steps for authors to take might help
threat models: are reflective of original time doc was written; now there might be more about third-party tracking
(for example)
questions to consider: they have varying levels of depth
some are fine as-is; but maybe "high-value data" is not as clear (what exactly is this?)
some are also more security-focused (rather than privacy)
also location, sensors & others -- need to be updated for current issues/web
fingerprinting doc -- browsers have started making changes on this
incognito mode -- discussions likely (see also research talk this past Monday)
Is this something spec authors should be/can be thinking about?
good mitigation strategies -- but very broad and large hammers in here
there may be better suggestions here (like from GamePad API)
<mikeoneill> +q
runnegar: does anyone on the call have suggestions that we could start discussing today?
npdoty: basic structure is good,
matches model in docs like fingerprinting doc; mitigations is
the big gap here
... threat models: mostly have focused threats to users from
the *site* - not from malicious network attacker
jnovak: that threat has to be in scope
npdoty: suggest making this explicit
runnegar: agree; also stress need to update doc with current ecosystem
DavidC: the origin should be added to threat model
<npdoty> we also occasionally review specs that don't fit into that simple model (origin, browser, user) -- because they're data formats, or technology that can be used that isn't browser-mediated
Different between privacy & security -- clarify
When somebody goes to website -- how much can user be made aware of what is happening without making terrible UX
Should be topic area for putting user at the center - informing user appropriately
Might be explored in permissions workshop later this month?
<npdoty> yeah, user understanding and transparency aren't especially represented here
Find way to highlight user-focused aspects of privacy
(above discussion from mikeoneill)
jnovak: there is lot of
discussion of user agent, but not so much about this being
"user's agent"
... we may be able to add edits to the start to address
this
npdoty: to mike's point --
expanding list of mitigations might help; we use transparency
& control
... user understanding is a type of mitigation
runnegar: we have two options now -- we have had a good discussion of the process/plan and initial ideas.
jnovak - can we discuss when we want to get started? To make TPAC, have to start Mon Sept 17th or Sept 24th
Getting started sooner better than later if possible
runnegar - unless any objections...let's start Mon 17th.
consensus seems to be: let's jump in the 17th!
runnegar: reiterate: Jason doing
a lot of work but can't do this alone, so please pitch
in!
... key thing is to get main elements moving
... AOB?
... thanks, all for joining
... also - the Monday research talk went really well (incognito
mode)
Thanks all!
This is scribe.perl Revision: 1.152 of Date: 2017/02/06 11:04:15 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00) Present: tara wseltzer weiler npdoty jnovak mikeoneill christine craig davidc steveo No ScribeNick specified. Guessing ScribeNick: tara Inferring Scribes: tara WARNING: No "Topic:" lines found. WARNING: No meeting chair found! You should specify the meeting chair like this: <dbooth> Chair: dbooth Found Date: 13 Sep 2018 People with action items: WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option. WARNING: No "Topic: ..." lines found! Resulting HTML may have an empty (invalid) <ol>...</ol>. Explanation: "Topic: ..." lines are used to indicate the start of new discussion topics or agenda items, such as: <dbooth> Topic: Review of Amy's report WARNING: IRC log location not specified! (You can ignore this warning if you do not want the generated minutes to contain a link to the original IRC log.)[End of scribe.perl diagnostic output]