W3C

- DRAFT -

17 Sep 2019

Attendees

Present
npdoty, (remote), dezell, taraw, Anssi_Kostiainen, Ian, blassey, yoav, jmann, dbaron, manu, Ralph, iclelland, Mek, wseltzer, toml, kleber, rowan_m, scheib, jfishback, christine, mitja
Scribe
npdoty

<christine> could someone paste the CryptPad link here please

<christine> found it - https://cryptpad.w3ctag.org/code/#/2/code/edit/NLylvy0EoY8ILUwfjq8wBOSQ/

<christine> Oops - that may not be the right link

<christine> Looking again, it seems to be the right link

<jyasskin> https://cryptpad.w3ctag.org/code/#/2/code/edit/NLylvy0EoY8ILUwfjq8wBOSQ/

<jyasskin> We'll take minutes in the cryptpad.

<yoav> cryptpad link?

<yoav> present+

<jyasskin> https://cryptpad.w3ctag.org/code/#/2/code/edit/NLylvy0EoY8ILUwfjq8wBOSQ/

<Ralph> realtime notes

draft from jyasskin: https://jyasskin.github.io/privacy-threat-model/

<toml> +q

<Zakim> npdoty, you wanted to comment on “target”, and security threat modeling

<jyasskin> ack

<toml> +q

I think the questionnaire is the WG-directed tool

<toml> +q to reply about sec/priv considerations

but having a common threat model will help, and be cited regularly in doing analysis or in those guidance documents

<Zakim> manu, you wanted to ask how this document is expected to be used by WGs such as Verifiable Credentials and Decentralized Identifiers.

<Zakim> toml, you wanted to reply about sec/priv considerations

<Ralph> topic #privthreadmodel real-time scribing in https://cryptpad.w3ctag.org/code/#/2/code/edit/NLylvy0EoY8ILUwfjq8wBOSQ/

<Zakim> manu, you wanted to note how this could be used as a hammer

<toml> +q to suggest exactly that

I don’t think a threat model consists of statements like “you are not allowed to do X”, but it can tell you why it could be a really serious threat to a lot of people if you do X, and yes, many people might object because of that

<wseltzer> +1 npdoty

<jyasskin> ack

<Zakim> toml, you wanted to suggest exactly that

<mnot> +q

<Zakim> dbaron, you wanted to talk about discussing things at different levels of detail

<toml> @npdoty Maybe more?

<toml> About 80, by my count.

<toml> You don't have a camera, huh.

<wseltzer> dbaron, I think this doc does aim at that level of detail in its example table

I think that’s the goal for the questionnaire: https://w3ctag.github.io/security-questionnaire/

but a detailed threat model could certainly supplement that

<Ian> (One idea is to say in the spec that one target audience is spec writers.)

sounds like a Living document to me

<toml> +q to say that people generally expect not to be tracked on the web

<Zakim> wseltzer, you wanted to comment on hammers and lack thereof

I think there are lots of security threat model documents that don’t require a detailed description of trade-offs, where people might want to build a feature even if it has security risks

<jcj_moz> I mean, the hammer(s) are mostly those that members hold up while pointing at, say, this document

jcj_moz, +1

<Zakim> toml, you wanted to say that people generally expect not to be tracked on the web

<Zakim> Ian, you wanted to ask about user experience considerations

I suspect there is not a consensus on this ideal model

<Zakim> manu, you wanted to support the "user expectations" and "tracking by default is an anti-pattern" approach.

<Ian> Ian: There is probably not a consensus on the ideal model, but it's ok to write something down and say "This is why we consider this as the threat model"

<Ralph> [how should on-the-record comments here be inserted into the cryptpad?]

<toml> +q to kick email while it's down

<toml> I don't like email, and I don't like it for login 🤷🏻‍♀️

I’m concerned that some people may be expecting a single number of bits of entropy on the Web today; we can summarize the set of existing research on fingerprinting, but it will not be a single number

<slightlyoff> npdoty: I agree it won't be a single number; there's a lot of variability in each feature, however we can understand the ranges

<slightlyoff> npdoty: a reasonable model will need to deal with the statistical distribution

<Zakim> jyasskin, you wanted to talk about cutting the queue

<Zakim> toml, you wanted to kick email while it's down

<dbaron> I wasn't talking about big warning boxes -- I was talking more about browsers setting expectations through things like the sort of things they ask for permissions for (since asking for permission for X somewhat implies that X doesn't happen if the browser doesn't ask for permission).

<Zakim> kleber, you wanted to talk about what tracking means

<slightlyoff> npdoty: against a more empirical model, we can at least *characterize* the quality of browser defaults

<Ian> (IJ agrees that "email as identifier" is not something built into the protocols but a social norm that gets better with web auth)

<toml> dbaron: I don't want browsers to be more honest about dystopia, I want there to be less dystopia.

slightlyoff, sure, we can summarize various statistics, that apply differently to different platforms, depend on different features, work for different threat models, have different outcomes for different population groups. I was referring more to csswg this week talking about a single number we needed to provide to prove that fingerprinting isn’t a lost cause

<slightlyoff> npdoty: e.g., when we evaluated the Tor Browser threat model years back on the TAG, it still had big holes in it. What we ended up with were principles that helped folks make more state user-controllable.

<slightlyoff> npdoty: not a lost-cause per se, but we can't have a discussion about how lost (or not) it is until it's bounded

slightlyoff, yeah, I think the Tor Browser threat model documentation could be another good source for this document and our guidance in general

<slightlyoff> npdoty: ducking empiricism gets us nowhere

<slightlyoff> (except more arguing)

slightlyoff, I’m very happy to cite the latest research in all our work! +1 for empiricism

<Ralph> [I wonder again how on-the-record comments here ought to be inserted into the cryptpad?]

<Zakim> manu, you wanted to discuss PING

many thanks to jeffrey for working on this!

<manu> +1

<jfishback> +1

<wseltzer> [Cryptpad transcript at https://github.com/w3c/ping/blob/master/summaries/breakout-privacythreat-20190917.md]

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2019/09/18 02:58:41 $
