- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 21 Nov 2006 17:05:43 +0100
- To: public-wsc-wg@w3.org
The minutes for the face-to-face meeting on 14/15 November have been
accepted by the group on its telephone conference on 21 November.
They are available here:
http://www.w3.org/2006/11/14-wsc-minutes
http://www.w3.org/2006/11/15-wsc-minutes
Text rendering below the .signature.
Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC WG face-to-face
14 Nov 2006
[2]Agenda
See also: [3]IRC log
Attendees
Present in person
+ Mary Ellen Zurko
+ Phillip Hallam-Baker
+ Tim Hahn
+ Michael Smith
+ Chris Nautiyal
+ Sunil Agrawal
+ Hal Lockhart
+ Bill Doyle
+ Tyler Close
+ Thomas Roessler
+ Maritza Johnson
Present by phone
+ George Staikos
+ Brad Porter
+ Mark Little
+ Yakov Sverdlov
+ Tony Nadalin
+ Stephen Farrell
+ Mike McCormick
Guest, by phone
+ Rob Franco
Chair
Mary Ellen Zurko
Scribe
tlr (Thomas Roessler), malware (Michael Smith), tjh (Tim Hahn)
Contents
* [4]Topics
1. [5]Welcome
2. [6]Agenda Bashing
3. [7]W3C Process and Tools 101
4. [8]Scheduling
5. [9]charter review
* [10]Summary of Action Items
_________________________________________________________________
Welcome
MEZ: welcome ...
... schedule slightly tough ...
MEZ: internal processes ...
... more folks to travel ...
... chris will lead us to dinner somewhere here ...
... lunch catered in here ...
... think that's it ...
... pick four scribes ...
... one per quarter dy ...
... for brain-storming, scribing will be both important and intense ...
... if anybody wants to volunteer for first quarter-day ...
... brief role call
... Sunil
... Hal
... Tyler
... Maritza
... Bill?
... Thomas
... Tim
... on phone ...
Telephone introductions
Mark Little from Red Hat / JBoss ...
Yakov Sverdlov representing CA for last 6 years on WS security
Tony from IBM working form standards area
Steven Farrell intros
George Staikos from KDE and WebKit
Agenda Bashing
MEZ: Overview of Agenda
<tlr> agenda at [11]http://www.w3.org/2006/WSC/f2f1.html
... meeting in 4 parts ...
... first part is backgrounder on process...
... which Thomas will do ...
... then talk about scheduling ...
... hopefully everybody has responded to surveys about weekly calls and next
f2f ...
... then take break ...
... then take a look at the charter for this WG ...
... current wording perhaps too abstract ...
... also need to look at timeline ...
... also dependencies and liasons ...
... after lunch, brainstorming on first deliverable for this WG ...
... may want to carry brainstorming into tomorrow ...
... this PM brainstorming about the note on use cases ...
... (other stuff tomorrow) ...
... any suggestions about that format? ...
W3C Process and Tools 101
<tlr> [12]http://www.w3.org/2006/WSC/w3c101
(leaving out scribing of things that are on slides, -tlr)
... important to have quick minutes ...
... after 48 hours is the goal ...
... mailing list use ...
... your first instinct should always be to e-mail the public list (as
opposed to the member-confidential list or off-list exchanges)...
... keep technical discussions on the list! ...
... make the list your default ...
... you don't need a good reason to send stuff to the public list ...
... so don't hesitate to do it ...
... you do need a reason to send things to the confidential list ...
... suggested minutes publishing ritual: publish minutes regularly ...
... if we have discussions during meeting that are confidential, remove from
published version ...
... scribe will do some simple cleanup of minutes ...
... first agenda on future calls will be to accept minutes of previous
meeting ...
... format for minuting actions is recognized by bot ...
... recognizes action (items) ...
... any message to a list that mentions action-item keywords gets
automatically linked to issue-tracking system ...
<tlr> ACTION: Thomas to link tracker from Group page [recorded in
[13]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-1 - Link tracker from Group page [on Thomas
Roessler - due 2006-11-21].
What is the exact format for action keywords in e-mail?
tlr: format is string "ACTION-n" ...
... where "n" is the number ...
... use the keywords in e-mail ..
<stephenF> keywords for action etc seem to be described at
[14]http://www.w3.org/2002/03/RRSAgent
tlr: on of the important things is that we must keep other WGs informed
about our work ..
... we must also actively solicit public comments ...
... another aspect is "storytelling" ...
... what is are the use cases, connecting the different communities, etc.
...
... which is part of what the note deliverable is all about ...
... if we say "MUST do X", then we must be very clear ...
... a little bit about decision-making ...
... consensus means we have no "formal objection" ...
... the general aim is to go for decisions that do not create formal
objections ...
Mez: what is a formal objection?
Process reference: [15]Formal Objection
tlr: it is when somebody says, "I formally object to this..." ...
... chair has final call on saying when we have consensus ...
... we want people to be part of the process continuously ...
... do join all the calls, do come to the f2f meetings ...
... take the committment seriously ...
... follow up on action items, etc. ...
... when we think we are done, we do a last call ...
... "last call" tends to provoke more public comments than "working
draft"...
... after last call, we actively solicit implementations ...
... we will have think about what "implementation" means when we are
covering "behaviors" ...
... candidate rec leads to proposed rec ...
... and ends with us oncorking champagne after that ...
Hal: two things:
<tlr> hal: wg 15 or less?!
tlr: W3C docs say WG should be 15 people or less ...
... Hal says we should plan to do mock ups ...
tlr: yeah, W3C process docs say WG should not be too large
<tlr> phb: 120 people at WS-Security
PHB: we still had more than we needed
Hal: we had many people who just wanted to be listed as members of the group
... we never had more than 15 people at any f2f
... and all real work was actually done by a dozen or so people ...
tlr: the 15 is a "rough rule of thumb"
... we'll see where it goes ...
Mez: if anybody thinks the scale is not working, let me know
tlr: somebody asked, shouldn't we be doing testing earlier.
... we need insight from usability experts ...
Hal: the question was more about mechanics
... I am not in the position to do that, for example ...
mez: we have resources and I might to some "proactive" discussion with
people who have skills both in usability and security
Hal: I was just thinking that it might be better to test certain ideas if we
have a mock-up first?
Rob Franco joins the call as a guest.
Rob Franco is lead program manager for MSIE security... calling in from
Seattle
Mez: any more comments about process overview?
... we will transition o the WG schedule review
... I hope everyone has filled out both surveys ...
... somebody please bring up results of weekly survey ...
Scheduling
<tlr> [16]http://www.w3.org/2002/09/wbs/39814/wscweekly/results
Mez: if you have looked at those results, you will see there is no time that
no one has specified as a 1 ..
... that said, looks like Tuesday at 9am US/Eastern ...
... only person who says he can't make that time is Brad ...
... bill gave it a 2 ...
Hal: 10 US/Eastern is a "sweet spot" ...
Mez: I'm still leaning toward 9am US/East
<bwporter> yes, before 7am PST is rough on the pacific
<tlr> 9am or 10am on tuesdays are options
<stephenF> both ok for me
rob: would prefer that we try to nudge the time till 10am US/East
Mez: for the record, it is Tuesday US time
<bwporter> 10am Tues conflicts with voice browser working group, but I can
make trade-offs
<tlr> 10am Eastern, 7am Pacific
so we have a decision?
Mez: consensus is 10am US/east
RESOLUTION: The group will meet regularly at 10am EST on Tuesdays, for 1h.
<Nadalin> 1 hr right ?
<tlr> 1h
<stephenF> so that makes us 10 minutes into the first call:-)
Mez: please show results for next f2f ...
<tlr> [17]http://www.w3.org/2002/09/wbs/39814/wscspring07/
<tlr> [18]http://www.w3.org/2002/09/wbs/39814/wscspring07/results
Mez: we have not decided on the place ...
Hal: I have offered host on either coast
... personally I would rather do in Boston ...
PHB:who is from East Coast?
... and who is from West? ...
<stephenF> me, different island is all
<Tyler> lives on the West Coast
<bwporter> hard to hear the question from here
bwporter, which coast you live on
<YakovS> yakov - East Coast
<bwporter> west coast
<PHB> PHB is from the East
tlr: please indicate preference
<staikos> north america pref here :)
... East Coast, West Coast, or Dublin? ...
<staikos> east or west should be fine
<Nadalin> PHB Boston does not count
tlr: where should be go?
<bwporter> bwporter prefers north america (west coast opens up more dates
for me to attend)
Mez: we will have somewhere in US
show of hands in the room suggests Boston
<bwporter> bwporter votes for san jose
tlr: we do need to consider need to rotate the meetings
... we have already had (now) first f2f on East Coast, also Workshop, also
Nov 07 Tech Plenary in Cambridge ...
<Nadalin> yes and this one was on east coast
PHB: I can also do West
Mez: in terms of choosing dates, does the placement matter?
... host is BEA ...
Chris: Isn't there are holiday around there?
(Discussion around holding meeting in the 16/18 January time frame.)
MEZ: inclined to make decision off-line within those parameters
<staikos> oh correction, I'm in london england 18th->22
Mez: does anybody have problem with delaying decision until later today?
<Nadalin> what is the range ?
tlr: Everybody: fill in the questionnaire asap!
... see: [19]http://www.w3.org/2002/09/wbs/39814/wscspring07/ ...
... we don't have enough responses to the survey yet ...
<bwporter> is there a new questionairre or the existing one?
<tlr> use the existing one, please update it
Mez: conflicts should be indicate by a 1
... make sure to add comments ...
... we are now on break for 30 minutes ...
... until 10:50 ..
charter review
Mez: let's do "chop through" the charter
... we have the afternoon to cover discussion of deliverables ...
<tlr> [20]http://www.w3.org/2005/Security/wsc-charter
Mez: does everybody have access to the charter? ...
Mez: this is not about creating any new protocols ...
... this is not meant to disrupt or create new server-side protocols ...
... not meant to radically change the infrastructure ...
... phishing problem has created the need ...
hal: make that "social engineering" attacks
PHB: yes, so-called "pretexting" also
hal, PHB are making the point that problem is broader than just "phishing"
Mez: I am working under the assumption that we are not dealing with e-mail
issues.
... attacks on the "human processor" need to be considered
... for instance, I have had some people send me "anomoly" stuff offline
Tyler: Example: Right now if I give you two X.509 certs, there is no way to
tell if those came from same company?
Tyler, please type your question into IRC for the record.
tlr: We can always call on other WGs to request specs about some of this
stuff.
<tlr> (both internally & externally)
Mez: Deliverables: Notes document, two Rec's, other stuff (see charter)
hal:as I understand it the scope is limited to cases where there is a human
at one end of the wire
Mez: I agree.
<Tyler> Mez indicated "no new protocols"; however, I am hoping we can
clarify use of existing protocols. For example, how can client software tell
if two separate X.509 certificates were issued to the same company? For this
question, we clarify how the fields in the certificate are expected to be
used.
hal: we need to be more explicit by what we mean by the word "user"
<YakovS> Is handling of the mixed traffic (standard browser + web services)
in the scope?
<YakovS> SOAP 1.2 GET bindings, REST scenarios, potentially WS-Trust
challenge-response?
<Pau1> Scope: limited to users? Isn't the scope really limited to places
where a browser is at one end point? In other words, we're not trying to
solve the problem for WebDAV, CalDAV or other systems layered over http,
right?
Tyler: my question was not about human issues, it was about we have no
algorithm for identifying whether two X.509 certs are issued to same company
PHBthe information is what we need
<YakovS> yes
PHB: the current tools are tools for sysadmins, not for end users
Paul Hill are we talking about when there is a browser in the loop?
... as opposed to webdav / caldav ...?
Mezwe are talking about Web protocols...
... more broadly -- not necessarily just browser ...
YakovS: mentions specific Web protocols and wonders if they are in scope
tlr: charter does not rule those out of scope
... but we would need storytelling and use cases to motivate discussion
about whether we want to include those ...
Mez: part of my job is to come up with useful use cases
<tlr> tlr: use cases and stroy telling are a generic requirement; see also
note deliverable
Mez: the Note brainstorming might go longer than half a day
... we need to have the Note at least "really well fleshed out" by January
... I realize that there are a lot of holidays between now and then, that
would be agressive ...
... but that is actually only 2 months from now ...
Mez mentions tombstone
tombstone = "small textual indicator"
<tlr> tyler: FPWD effects in terns of patent policy?
<tlr> tlr: for rec-track deliverables, not for note
Mez: January is actually the 3-month mark, as far as hearbeat goes
... Last Call for Note April ...
<Tyler> Tyler asked how detailed the first Public Working Draft is expected
to be. This document triggers reviews based on the W3C patent policy, so
avoiding a vague document is important.
Mez: That's it for schedule.
... the chair is the liason to the W3C Hypertext coordination group
... they seem to be delighted that there is now a separate security group to
review all other WG's specs for security issues ...
tlr: there are some groups whose work does dovetail with our work ...
... and we do need to review their specs ...
... but review of random specs is not an explicit responsibility of this
group ...
... that is, specs other than the ones that dovetail with ours ...
... Web APIS and WAF groups are ones whose specs we /do/ need to review
MezIETF, OASIS, Liberty, APWG ...
halWS-SX - secure conversation is still relevant...
... but WSS is close to completing their charter ...
... and probably not be meeting any more (or only meeting one more time) ...
hal: interesting question around single-signon protocols
Tyler: what is relationship with CA/Browser Forum
[21]http://www.cabforum.org/
<YakovS> I didn't hear whether SSO issues are in the scope?
<stephenF> just on irc not phone
<Nadalin> its WSSX
<hal> WS-SX TC at OASIS has as its scope WS-SecureConverstion, WS-Trust &
WS-SecurityPolicy
Discussion about APWG
<tlr> ACTION: Thomas to organize call with APWG to discuss liaison
mechanisms with WSCWG [recorded in [22]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-2 - Organize call with APWG to discuss liaison
mechanisms with WSCWG [on Thomas Roessler - due 2006-11-21].
YakovS asks if single-sign-on related use cases are in scope
Mez: It will be if we can find use cases
... and it gets into the Note ...
<Nadalin> +1
Mez: it is not ruled out of scope at this point ...
<Nadalin> Is federation in scope
tlr: we are talking to Liberty around generic liason mechanisms
Mez: IETF PKIX WG
PHB they have been officially in "wind down" mode for a long time (4
years?)...
... they have recently accepted new work ...
... e.g., they have interest around secure logotype ...
<stephenF> I'll have to exit for a bit in a bit so my DKIM query is whether
or not this group want to think about the authentication-results work item
that may be happening in DKIM
<stephenF> I can fill in details later but potentially one might end up
presenting DKIM results to users
<YakovS> I assume that WS-Federation will also be in the scope assuming that
use cases will be provided?
Mez: what I am hearing is that we do not yet have compelling need to name a
liason for that?
<Pau1> There was also a recent individual draft submission within the IETF-
"GSSAPI authentication for HTTP", Leif Johansson, 13-Oct-06,
<draft-johansson-http-gss-00.txt>
Mez: I take it back, PHB will be liason if we need one ...
<hal> chair of Liberty Alliance Identity Theft SIG is Britta Glade
britta@projectliberty.org
<Zakim> stephenF, you wanted to talk about DKIM and to
Nadalin: says we have covered his question already
<stephenF> just typed my query above if covered already great
Mez: DKIM is about e-mail ...
... so I am not sure it is in scope ...
PHB: if you look at use cases and storytellling, I think you will find that
many originate in e-mail
... begins by when the get the e-mail message from attackers
... second is after they follow the link and go to the Web ...
Mez: e-mail is most prevalent form of first contact
Tim: first contact can be following a URL in a magazine
<stephenF> +1 to phb, question is about presentation of things like dkim
results that may originate from a mail and affect whether the user directs
their browser
PHB suggests making stephenF the liason, since he's the chair of DKIM
<stephenF> to DKIM? I can do that
<tlr> ACTION: Stephen to contribute use cases for Note [recorded in
[23]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-3 - Contribute use cases for Note [on Stephen
Farrell - due 2006-11-21].
<YakovS> WS-Federation?
MezWS-Federation is *not necessarily* out of scope
hal: how are we going to liason with the UAAWG group?
Mez: through Hypertext coordination groupfor now
hal: we need to consider that early on to avoid wasted work
Mez: we have 40 minutes left
... before the break ...
... move on now to brainstorming about deliverables.
Mezthe Note documents use-cases and assumptions...
... I would like for it to have more data on what is in-scope and
out-of-scope ...
... to help people think about the implications...
... and backgrounder, required reading ...
... What other things would people like to see included in the Note? ...
Mez: How about we brainstorm about use cases?
<stephenF> question is whether the more complex xml structures like XPath
etc need special consideration here?
Tyler: are we going to consider cases where there might be a Trojan?
<stephenF> Personally I've no idea, but they are worrying since they're
complicated enough to badness
Tyler: I would prefer to deal exclusively with cases where we know that the
user's environment has not been compromised.
hal_: mentions ability of malicious software to alter browser chrome
tlr: we assume there is something on the client side that can implement
certain behaviors, and can implement those reliably.
... assuming that we have this kind of reliable users environment, what
kinds of things that we can do? ...
... negative screen coordinates ...
tjh: we would assume there is some level of UI(?) that is trusted
stephenF, is your question on this same topic?
stephenF's question appears to be on another topic
<stephenF> similar; my concern is specifically that xpath, xquery etc are
generally not part of security analysis
PHB: we need to define boundary between platform and...
... for example Javascript-based UI issues ...
... are we going to consider code downloads to be in scope ...
<tlr> PHB: Javascript as web context in scope, as programming language for
browser, out of scope. it's where stuff comes from, not what technology is
used.
... I would suggest that we should not ...
<staikos> code downloads can do anything - not worth dealing with
Mez: would like to keep malicious code out of scope if it didn't get there
through something mechanism that is in scope for this WG
hal: there is some kind of TCB that you have to assume is functioning
<Zakim> stephenF, you wanted to ask about xquery etc
<stephenF> yep - I think Mez is right but would like someone (who knows, not
me) to consider whether xquery/xpath etc when thinking about
<tlr> stephen, people are confused and second-guessing what you talk about.
<stephenF> ...active content you may download. So just a "don't forget" type
note is enough for now
<stephenF> I can send a mail later this evening
Mez:stephenF, please do
<stephenF> ok
some brief discussion about security considerations around XSLT document()
tlr: I think it is out of scope for this group
Tyler: phishing pages checking for browser cache/history
... can enable fraudster to more effectively target a phishing attack ...
tlr: that information is collected through a not-trusted path
<stephenF> gonna disappear for a ~1 hr again
tlr: I don't think it something that we should be trying to address soon ...
Tyler: example: should we state that CSS should not expose the browser
history?
tlr:that is a known issue and out of scope for this group
Mez: I'm wondering if we want to sketch out in the Note where our works
falls in the Universe (universe of security issues)
<Nadalin> Phone problems !
PHB:privacy issues...
... stopping J. Edgar Hoover from knowing what I'm up to ...
tlr: this becomes relevant if we go down the route of "use history
information as a trust piece"
... but it is not the job of this WG to deal with, for example, cross-domain
scripting issue ...
bwporter: we need to talk about what classes of browser we are covering
<tlr> break now
<tlr> back at 1pm Eastern
Mez: if anybody finds there is some class of browser we are not covering,
let me know
break time
<Zakim> tlr, you wanted to put yourself into the queue
<YakovS> also may return a little bit late
<tlr> please fill in this form:
[24]http://www.w3.org/2002/09/wbs/39814/wscspring07/
<tlr> Issue and action tracker is linked from group home page
<tlr> See [25]http://www.w3.org/2006/WSC/Group/track
<tlr> Looking at
[26]http://www.w3.org/2002/09/wbs/39814/wscspring07/results, I think we have
a clear winner: 30/31 January
<tlr> we'll reconvene in 8min
<tlr> meeting reconvenes
<tlr> ScribeNick: tjh
Mez: suggestion
... as part of each use case/scenario, there should be an ACTION assigned to
them to follow through on the use case/scenario.
... resolution could be to drop it or to formalize the scenario in a wiki or
e-mail.
dinner reservation at a Tapas place - 120th and Amsterdam
Mez: opens the floor to use case brainstorming
... please, the harder, gnarlier the better
quiet in the room
tlr: lets try to go after the easier ones first
PHB: lets tell a story, and find what is in and out of scope
... we talked about phishing
... Alice gets an email (supposedly from BUsyBank)
... Alice clicks on link ... lands on a site
... that site asks for credit card number and PIN (but this is a phishing
site)
... root1 - Alice enters site and enters data
... root2 - Alice notices that this is a phishing site and navigates away
... root3 - Alice picks up the phone and calls BusyBank (costing BusyBank
$10 to answer the phone).
... in 10% of cases, the user then goes on to enter the spoofed site and
enter their information.
tjh: did they just not notice?
PHB: this does seem to be happening. In some of the cases, it is that the
user has already given their information out before they called the bank.
MEZ: another scenario - BusyBank really does send the e-mail out.
<tlr> ACTION: Hallam-Baker to formalize the scenario of user getting a
request via e-mail and using that information to contact a web-site using
HTTP protocol (e.g. using a browser) [recorded in
[27]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-4 - Formalize the scenario of user getting a
request via e-mail and using that information to contact a web-site using
HTTP protocol (e.g. using a browser) [on Phillip Hallam-Baker - due
2006-11-21].
Chris: if you e-mail a bank, they have a site where they log various
phishing attacks - perhaps we could get banks to get more comfortable with
sending e-mail out.
PHB: stepping back - there are some cases where the user has no prior
relationship with the bank.
Chris: wait - there are finer levels of that - you may have an account but
not have done anything over the web yet.
PHB: 1) no relationship
... 2) have an account (but no web access)
... 3) have an account (but have used the web access)
<Pau1> Remember that banks do, or used to, get acquired. (Bank of Boston
acquired by BayBank which was acquired by Fleet which was acquired by Bank
of America...)
Chris: have chosen not to address the "no relationship" case because this
falls under "know your customer"
<tlr> who joined?
tlr: while not in scope for Chris, it could be in scope for the WG.
PHB: different forms of authentication here
... 1) initial authentication
... 2) primary authentication (one time password, userid/password, etc.)
... 3) secondary authentication (cookies, etc.)
MEZ: other industries besides financial?
PHB: original authentication applies to many cases, "almost everything I do"
MEZ: mis-typing a URL (whether I've been there before) is a use case.
<tlr> ACTION: Zurko to formalize the use case of mis-typing a URL (and
various variants - been there before, not been there before) [recorded in
[28]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-5 - Formalize the use case of mis-typing a URL
(and various variants - been there before, not been there before) [on Mary
Ellen Zurko - due 2006-11-21].
PHB: impossible to eradicate typos
MEZ: while doing use cases, we would want to investigate different ways in
which some set of information is made to look like other information
... right now, all we have are URLs - in the future perhaps we would have
other forms of information to use. For example - history.
Tyler: Phil has said we should not try to weed out typos (after all, they
may NOT be typos).
PHB: preventing registration of the domain names is NOT feasible ... the
browser could do something.
Michael: Opera is doing something about this already - we have registrars on
a white-list who have a process in place that prevents registering domain
names that are similar to other names.
PHB: want to be clear - we don't want to give recommendations to ICAP.
Michael: we don't have the insight on how to spec this - even at the mixed
case level, let alone the use of Kanji characters which may look similar.
tlr: summarizing - we should make no assumptions on what constitutes a
domain names. And should not do something that leads to domain names being
understandeable.
Mez: if it is security context information, then it ought to be in-scope;
but outside of that, it's not clear what should be exhibitable.
Tyler: perhaps an example of this is that, for HTTPS - domain name in a URI
should NOT be displayed, but rather the domain name from the CN field of the
SSL-sent server certificate.
MEZ: should be vetted in a use case
Tyler: this is starting to overlap with other anti-phishing groups - which
are saying that to combat phishing, make your URLs look pretty
Hal: there are some browsers that are starting to look at this type of
thing.
PHB: you might have a rule (as a browser) that if you receive a URL that is
of a deprecated form, you should do something other than just go to that
site.
tlr: there is a difference between using URLs as communication from the user
and communication to the user.
MEZ: what is the security context information available to us that is
useful?
PHB: perhaps there is information that falls through the cracks when an
e-mail program hands off to a browser.
... today, any info about how the info was displayed to a user or if it came
in a signed form is lost by the time the browser gets a hold of the URL to
use.
Michael: would need a whole lot more communication between the two programs
PHB: would need some APIs or data flow between processes
MEZ: was hoping that our recommendations would be implementable without
major infrastructure changes
Hal: can a browser distinguish between a URL that has been typed and a URL
that has been clicked (in another application)
tjh: it depends (on how invoked)
Hal: then it is not always true ... and thus is an issue
PHB: I could envision a way of solving this without OS changes
Tyler: is there consensus with the group indicating that users should NOT
rely on informaiton in the URL for security context?
<scribe> ACTION: Tyler Formalize the statement regarding users not relying
on information within URL strings for establishing context (or security
context) [recorded in [29]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-6 - Formalize the statement regarding users not
relying on information within URL strings for establishing context (or
security context) [on Tyler Close - due 2006-11-21].
<Yakov> It's OK on the phone - certainly better than it was :)
tlr: lets get back to "we have a person who needs to do something on the
web, what information do they need to do it?"
... would like to hear a use case story involving Federation scenarios.
Hal: issue of going somewhere and authenticating there (the site probably
used SSL). But in a federation, you might be re-directed to another company
... and you (user) are expected to trust where you landed.
... is there a problem here? Or not?
... in reality, you're getting handed off to several different locations and
sites all with different policies.
<scribe> ACTION: Hal Formalize use case around user contacting one site,
then getting re-directed to another (as part of a federation of
organziations working together, legitimately), how does the user trust where
they landed on? [recorded in [30]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-8 - Formalize use case around user contacting one
site, then getting re-directed to another (as part of a federation of
organziations working together, legitimately), how does the user trust where
they landed on? [on Hal Lockhart - due 2006-11-21].
PHB: we see massive spikes in various types of crime because something was
working before no longer works so the attackers move on to something else.
Hal: that phishing continues means that the technology is still allowing it.
MEZ: there seem to be use cases around SSL - this seems an active area for
browser folks right now.
Hal: how about this - using cache poisoning, you can make it look like you
are from BusyBank. And recognizing that some SSL session is in place, you
can capitalize on it.
MEZ: what is the issue?
Hal: the screen looks like it is SSL-protected, but it is not.
<staikos> We have to remember that user education is even a blocker here.
Drawing a padlock in the page is often sufficient
<staikos> not yet :)
PHB: this was very much the case before IE7 came out. Lots of pieces in IE7
are designed to thwart this (by stopping people from creating windows that
obscure the padlock icon)
<Pau1> And we even see real bank sites putting padlocks into their html
pages, which tends to teach users to accept that as an indicator. Shouln
<staikos> [31]http://www.staikos.net/~staikos/isitencrypted.png
Rob: have two cases.
<malware> Pau1, right. Those banks should really not be doing that.
Rob: 1) building on surfacing the domain name out of SSL server certificate.
Problem still remains with old HTTP sites not signing their traffic.
<Pau1> So a best practices guideline should point that out.
Rob: will need a set of recommendations on how to represent the security
identifier for this HTTP site.
<malware> Pau1, agreed
Rob: some sites will scramble the URL to fiddle with the Address bar to give
the impression of a standard HTTP site.
<scribe> ACTION: Rob Formalize the use case of an attacker messing with the
information in the address bar and confusing the user. [recorded in
[32]http://www.w3.org/2006/11/14-wsc-irc]
Created as ACTION-29; provisionally allocated to tlr in order to track
action until Rob joins group.
Michael: we have cases where parts of forms (from content providers) will
add "lock" icons to their content ... thus diluting the meaning of such
icons that are meant for the browser "chrome".
<PHB> The problem I see is misdirection of the user, telling them its safe
whan its not, in particular the issue of FAVICONS,
<malware> staikos's png is exactly what I was talking about
<malware> [33]http://www.staikos.net/~staikos/isitencrypted.png
<rfranco> status bar is another example...
<staikos> I use that site regularly :)
Tyler: FAVICONs are just one example. there are other areas that are over
takeable as well - so need chrome, but FAVICONs aren't the only target.
<staikos> very often the case that APs use invalid or expired SSL
certificates
<Zakim> rfranco, you wanted to raise another use case
Tyler: have to get to a point of NOT presenting un-reliable information as
if it were reliable.
Rob: agree. We also need to accept some of the realities of how the Internet
is today.
Rob: use case 2: give users better information about content they have
downloaded that is not text (e.g. script, .exe)
... rather than have debate about launching these things (which is another
issue), can the user understand where the information ame from?
<tlr> ACTION: msmith9 to formalize the use case of content providers using
the same icons as are typically used in the "chrome area" and thus diluting
the meaning of such visual aids [recorded in
[34]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-9 - Formalize the use case of content providers
using the same icons as are typically used in the \"chrome area\" and thus
diluting the meaning of such visual aids [on Michael Smith - due
2006-11-21].
<staikos>
[35]http://www.skype.com/download/skype/macosx/downloading.html?download=Dow
nload+now <--- look at the evil instructions that Skype gives in this page
<PHB> reply to staikos - too many restrictions means we end up training
users to circumvent them
MEZ: security people who have designed interfaces before have concentrated
on attacks
<staikos> exactly
<staikos> and too many circumvention mechanisms means they will all be used
... Are we going to discuss PKI and information from this? ...
billd: other forms of authentication (one time password, PIN)
Tyler: how much does that step into not creating new protocols?
... since they are not in the browser yet
MEZ: not in the browser is not the same as not in the protocol.
<Zakim> phb, you wanted to say should talk about the user part of the
context, ie wetware, what is in their head
<staikos> the concepts of cardspace and wallet seem to really -really- help
users
<staikos> KDE users are completely addicted to KWallet, and that's the
simplest implementation of the concept I can imagine
PHB: user context is not the context on the machine but the user experience
context in the user
... user's head.
... hundreds of usernames and passwords are unweildly and un-rememberable
within a user's "context"
Hal: sites I use INfrequently I am inclined to use the SAME password while
sites I use heavily (and thus remember) I am inclined to use something else
MEZ: reviewing items from the charter:
... GOALS/SCOPE
... NON GOALS/OUT OF SCOPE
... Background/References
... Validation/User testing
... USE CASES/SCENARIOS
<PHB> There seems to be a methodology here differential use case analysis
<PHB> You specify a pair of good/bad use cases
<Zakim> tjh, you wanted to ask about HTTP headers
<PHB> Requirement is satisfied when you are able to distinguish them
Hal: I see no use cases where there is no chance of attack
MEZ: on tjh's question about defining new HTTP header fields for additional
information - this feels to be out of scope as it is close enough to
extending protocols.
Hal: highest priority should be those that a single organization can
implement without requiring another organization - and these can provide
incremental benefit.
MEZ: not sure if that privileges or disadvantages organizations with a
larger scope
Tyler: we talked about it being nice to have chrome ... but we don't have
it.
... would it be good to state that we should provide chrome?
tlr: see deliverable 3
?: working with chrome is not good enough - because if it shows up on the
screen, it's going to be considered trusted.
Tyler: existence of the "secured area" needs to be both in the mind of the
user and in the browser ... so has to be consistent.
Sunil: if browser did all of this - we still have the problem of each
service provider/content provider wanting to show something different or
value-add.
MEZ notes use cases can cover ATTACKS, NON-ATTACKS, and Content practices.
<Zakim> malware, you wanted to talk about making behavior consistent across
browsers
Michael: consistency across browsers - agree - that this will not be useful
if not consistent.
... advice for this is that the group as a whole should get as many browser
vendors as possible involved.
... value of the feature must be clear to the browser vendors (so they will
invest in providing it)
... in desktop space, pretty much one browser is used.
... in the mobile space, there are MANY more browsers. And there are other
constraints.
MEZ: more categories for use cases: protocols, sec context, browsers/VAs
Michael: mobile devices: Nintendo DS, palm phones
tjh: Sony PSP contains a browser
<tlr> ACTION: msmith9 to find mobile browser vendors to recruit to group
[recorded in [36]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-10 - Find mobile browser vendors to recruit to
group [on Michael Smith - due 2006-11-21].
Michael Smith later noted that he felt uneasy about this action item. It is
closed in the issue tracker.
Hal: there seem to be some use cases involving a shared computer.
Sunil: or the kiosk situation
MEZ: and kiosks within enterprises
Hal: and user portability (without carrying their device)
<Pau1> One of my coworkers is the "mobile device platform coordinator" for
MIT's IS&T department. He was also the founder of a former mobile device
company. I can commit him to be a reviewer in this area.
<scribe> ACTION: Hal Formalize a use case for using a browser on a shared
device (e.g. kiosk device). Examples of kiosks intra-enterprise, hotel
lobbies, Kinko's, libraries. [recorded in
[37]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-11 - Formalize a use case for using a browser on a
shared device (e.g. kiosk device). Examples of kiosks intra-enterprise,
hotel lobbies, Kinko\'s, libraries. [on Hal Lockhart - due 2006-11-21].
Billd: how well is security context information managed with the user to
make it useful?
... is there a way to convey a level of trust in that session?
Hal: should define, by enumeration, what is meant by security context
infomratoin
<PHB> The idea of 'Member since' in certs has come up a few times
<scribe> ACTION: Hal List, by enumeration, what is meant by security context
information [recorded in [38]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-12 - List, by enumeration, what is meant by
security context information [on Hal Lockhart - due 2006-11-21].
MEZ: existing authorities can provide additional context information.
<stephenF> FYI: sent a mail about that xpath stuff, as promised
[39]http://lists.w3.org/Archives/Member/member-wsc-wg/2006Nov/0018.html
Billd: have seen reasonable authorities generating so-noted "bogus" certs
... there should be some level of trust capable in these entities - right?
<tlr> stephen, please send e-mail to public list
PHB: would be unhappy if this group started talking about how CAs work or
how the CAs validate information that goes into certificates.
<staikos> definitely
<staikos> suggestions of usefulness of these things would be very valuable
PHB: but if this group wants to talk about information to put INTO the
certificate ... that would be good.
... examples - logotype, or MemberSince information
tlr: back to kiosk use case for a bit - and on what information is passed
between users.
... assume we have a browser that recognizes one user at the time ... to
keep us from getting into issues of user-to-user "bleed over" of
information.
<stephenF> tlr, done - btw is there a URL for the irc log?
Hal: but we have some things that are coming along for authentication that
are only useful if a user's system is not compromised (or used by multiple
people)
Tyler: would be nice if CAs could indicate what algorithm to use in
extracting the relevant information from certificate chains.
PHB: this gets tricky based on certificate type, and CA vendor's practices.
... Verisign has not commented on certain aspects of Policy OID discussions
because it hasn't seen value in it.
Tyler: on some banking sites - you login and then get re-directed to another
system that has a different certificate (because the system is a different
one than the first one)
... would be useful to be able to indicate that this is, really, the same
entitty.
<tlr> ACTION: tyler to elaborate on multiple certificates & domains for
session servers case [recorded in [40]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-13 - Elaborate on multiple certificates & domains
for session servers case [on Tyler Close - due 2006-11-21].
Tyler: what is used right now is end entity information.
PHB: would recommend using the certificate serial number information
<malware> tjh: mentions work of Amir Hertzberg
<malware> [41]http://www.cs.biu.ac.il/~herzbea/
Tyler: would be good if CAs could describe how to do it reliably
<malware> Tyler, is that the person you meant to refer to?
PHB: note above about using certificate serial number is patented
<stephenF> phb, got a patent # for that?
<Pau1> Isn't a CA bridge usually target for use when a number of
organizations can't agree on a common root CA?
Chris: what certificates are available and valid within the company is now a
cost for them (costing them resources to maintain). They are now creating a
"CA Bridge" to help address this.
tlr: case of having two session servers where critical context information
varies between session servers. What should be invariant in order to be
useful?
<PHB> stephen, the assignee is VeriSign. don't remember the inventors. Think
its from peter William's time
<scribe> ACTION: Hal write up use case of session servers and having
critical information invariant in order to be useful. [recorded in
[42]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-14 - Write up use case of session servers and
having critical information invariant in order to be useful. [on Hal
Lockhart - due 2006-11-21].
<PHB> like if people really wanted to all copy the way we do things we might
talk about putting the patent on the table, but I really don't think that is
a good idea
<tlr> I thought the action that got added as ACTION-14 was on Tyler?
Billd: CA Bridge would seem to change the degree of trust in that site?
<tlr> (And is actually ACTION-13?)
(ACTION-14 was indeed a duplicate of ACTION-13, and therefore closed
immediately.)
<Pau1> It sounds like they are using CA Bridge model as a way of
partitioning the management of certificates. The model can also be used to
keep CRLs small. But I can't imagine that a bank is running into issues with
the size of their CRLs.
<PHB> remember that the one useful function of the USPTO is to keep bad
ideas out of standards.
Mez: concerned about kiosk use being out of scope
tlr: kiosk - machine is shared, and browser state NOT cleared between
different users using.
... this is what I meant to be out of scope - because it is clearly a misuse
of the tools.
tjh: but how does a user know not to use a kiosk or not?
<PHB> [Would like to suggest that we distinguish a scenario and a situation,
we have a small number of scenarios (alice gets email, goes to Web site) and
a larger number of situations (kiosk, web browser, mobile, roaming, etc]
tlr: you have no way of knowing ... thus no way of trusting ... thus out of
scope because it cannot be a known "TCB"
<tlr> ACTION: Zurko to produce use case story for kiosk case that is in
scope (action can be discharged by declaring defeat) [recorded in
[43]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-15 - Produce use case story for kiosk case that is
in scope (action can be discharged by declaring defeat) [on Mary Ellen Zurko
- due 2006-11-21].
Tyler: one way to get some of the kiosk scenarios out of scope is a
discussion of viruses. The next user is getting access to information much
like a virus would.
maritza: people who would do online banking at a kiosk are the same that
would fall for a phishing attack...
... since they do not have a mental model of what is secure and not secure
... why not include such issues?
tlr: it is a different problem of whether a MACHINE (that I walk up to) is
"secure" from the problem of understanding if a page displayed on that
machine is "ok".
... this is about scoping down to what we can accomplish.
Billd: within the available protocols, is it possible to determine if you
are on a shared system or not?
... within the current capabilities, it seems we cannot do it.
Sunil: one extreme is airport kiosk ... this seems too hard.
... but there are other situations (enterprise kiosks) that could be assumed
trusted in some sense ... how about these?
<stephenF> on kiosks - if the browser were to declare itself as one in some
way the user understood...how to do that might be in scope?
<PHB> Point of information, is possible to know if you are on a trustworthy
kiosk if you have TOFKAP and know one trustworthy node that can verify
TOFKAP status.
<stephenF> me disappearing again for ~30 mins
Billd: back to existing standards - TOFKAP is a proprietary mechanism and so
it doesn't appear to be something we can base upon.
PHB: perhaps this is a point that we can just note that there are things
that other groups are doing and doing better than we could do
... thus we would not want to go into that here.
... (on the issues of trusted computing)
Michael: we will not rely on anything proprietary.
<tlr> reconvene at 15:25
<tlr> To minute a hallway conversation: The real question around kiosks is
whether we should make the assumption that user agent state is limited to
one user (or one session, for that matter), or whether that assumption
should be relaxed into state-leaking kiosks and an investigation about what
these mean for security contexts -- think context linked to browser history.
Mez: during the break, considered how to proceed for next couple of hours.
... walked around the space - will be useful as we start to write the use
cases.
... would be good to get a list for things now:
... security context information
... protocols
... browsers
Hal: we haven't exhausted the things that could be improved by better user
interface
Billd: if we drill further down on enumeration - would other stuff bubble
up?
Mez: yes.
Hal: ok, that sounds reasonable
Mez: let us enumerate security context information
... URL
... SSL in effect, what properties of it
... any data we have about current situation that did not come the current
website
... browser history
... configured trust roots
... referring page
Hal: would not configured in trust roots
Yakov: cookie in browser, request headers
... Use case - document-based security context (something in the HTML/XML
document).
<rfranco> FYI, my return to the call is delayed another 20min, sorry
<scribe> ACTION: Yakov Formalize the use case of flowing security
information as a part of the document mark up (as in XML marked up content
information). [recorded in [44]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-16 - Formalize the use case of flowing security
information as a part of the document mark up (as in XML marked up content
information). [on Yakov Sverdlov - due 2006-11-21].
Malware: security context info: your web of trust - people you trust and
sites those people trust
... if you go to a site, you would have some way of knowing that someone
else you knew was on that site.
Hal: Netcraft toolbar (which can give additional information about sites
landed on)
malware: web of trust maps to talking to someone in the real world, and
based on their input, go and use it.
Mez: is there something to these being from a trusted channel versus an
untrusted channel?
Tyler: notes a bookmarking addition that logs annotations about sites
visited (and are displayed in chrome area when sites are re-visited)
Malware: mozilla working on some type of annotation mechanism too
Mez: might be good for a demo - can we do those?
tlr: we can share URLs - but not live web demos via W3C infrastructure.
<tlr> (but happy to use infrastructure if anybody has something available)
<scribe> ACTION: Tyler Give a demonstration of "pet name" annotation of
bookmarks plug-in [recorded in [45]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-17 - Give a demonstration of \"pet name\"
annotation of bookmarks plug-in [on Tyler Close - due 2006-11-21].
more sec context info:
<malware> the mozilla mechanism is something they have described as
"microsummaries", for putting dynamic text into bookmarks
HTTP basicAuth headers
<malware> [46]http://wiki.mozilla.org/Microsummaries
<malware> Myk Melez did the work on that, I think
<Yakov> Should we separate "dynamic" context (like HTTP headers) versus
persitent (cookies)?
Hal: don't agree to limiting it to information coming from the site.
See also: [47]list that was edited during this session
<malware> I am interested in the idea of the pet-name or microsummary
getting the annotation over the network instead of just locally stored
<malware> though I recognize such a mechanism would have security issues of
its own
reputation service
past introductions from friends (e.g. in email)
<malware> but microsummaries are actually getting data over the network,
actually
automatic re-direction (that the browser was re-directed here rather than
the user requesting)
Billd: there is the attribute of password protection or not (protocol
protection attributes)
PHB: the more general case - when people typing in information that is
sensitive to them, they need to understand that it is going to be handled
securely.
... difference between Basic authentication and Digest authentication (and
there is NOTHING to tell the user what is going to be used)
<Yakov> leaving earlier today
Tyler: from workshop - there was a paper noting that there is no difference
between Basic and Digest because Digest can be cracked so easily
<Mez> take care Yakov
Tyler: issue is who I am giving data to (not what they do with it - because
one cannot control what is done with it)
Billd: with SSL used, can change cipherset such that encryption NOT used. So
this site would look good, not really be good.
... should be able to figure out underlying mechanism used.
<tlr> ACTION: Doyle to formalize the need to be able to understand/visualize
the "strength" of SSL protection in place [recorded in
[48]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-18 - Formalize the need to be able to
understand/visualize the \"strength\" of SSL protection in place [on Bill
Doyle - due 2006-11-21].
<staikos> there are discussions to make some of these "warnings" impossible
to circumvent
<tlr> staikos, want to be on the queue?
<stephenF> on ssl - there was a suggestion to build in "evidence" generation
at the IETF last week, dunno if accepted (hopefully not) but it came from a
reputable source
<staikos> let's here what PHB says first :) It's a bit difficult to talk
with the group over the phone
Michael: there are many different scenarios and logic paths in handling SSL
connections.
<stephenF> URL for that ssl evidence thing:
[49]http://www3.ietf.org/proceedings/06nov/slides/tls-1.ppt
malware: what should be done and what should not be done is sometimes
unclear.
Hal: for the minutes - when you ask about this - you hear that pop-up boxes
are "bad", you also hear that users just click through pop-up boxes.
PHB: the Internet is insecure by default.
... should not tell people when they are insecure (because this is the
default) ... should only tell when secure. This is a change in perspective.
<stephenF> phb, when were you last secure? :-)
<Zakim> staikos, you wanted to mention that there are discussions to make
some of these "warnings" impossible to circumvent
<PHB> I am secure when the probability of loss times the expected amount of
the loss is within acceptable parameters.
Staikos: popping up the question that user is possibly insecure and what do
they want to do is likely in need of change.
<stephenF> phb, so sometime in 1995 then:-)
Staikos: if we look at these cases, perhaps we'll learn more.
<PHB> This last happened on January 19th 2001
malware: this gets back to consistency between browsers again.
<staikos> Fully agreed with Michael
<staikos> one browser is considered "broken" if it can't view a site that
other browsers can
malware: if can't get to one site from one browser, user will interpret this
as a browser bug, not a fault in the site.
Hal: another item - IP address.
<stephenF> my question is whether we want to think about locally trusted
Tyler: some sites are starting to offer "general location" of server based
on IP address - list it
<stephenF> devices, e.g. phone etc.
Billd: this is not secure - because the IP address can be spoofed
PHB: we have used IP address to deny services before.
<stephenF> just on irc still btw
<Zakim> stephenF, you wanted to ask about locally trusted devices
<stephenF> yes - sometimes people talk about using trusted local
<stephenF> stuff (e.g. phone), we might want to just note that for
<stephenF> now
Michael: there is the notion of combining various sources to build up a
base.
Billd: Example - site that you visited before, but the cert has expired ...
you might still trust it. ... that sounds feasible
<stephenF> (advertisement: xkms can nicely ignore expiry:-)
<malware> maybe something like a progress bar to indicate the level of
security (aggregating all the different factors)
Billd: methods of authentication - id/passwords; others
<malware> or like gauge that indicates how high battery level on your laptop
is
Billd: shared secret knowledge (personalization info, pet name, picture,
etc.)
<malware> thermometer is the simplest analogy, I guess
PHB: is there a need to note ANTI-PATTERNS?
PHB: anti-pattern: supplying "shared public knowledge" (e.g. mother's maiden
name, zipcod)
some discussion about anti-patterns being placed into the recommendation,
not the note.
<PHB> Thomas: did we come to closure on the date of the F2F 2.0? Just noted
that there is a MAAWG meeting in San Francisco 29-31 Jan which means that is
most likely when the san fran APWG will be.
<tlr> phb, I thought their next meeting is in June?!
<tlr> Dublin?
<tlr> "their" = APWG, not MAAWG
<PHB> They have a european meeting and 2 north america
<tlr> (right now, 30/31 Jan has the smallest number of conflicts)
<stephenF> maawg are here june 5-7, 2007
<stephenF> maawg are in San Fran, jan 29-31, 2007
<scribe> ACTION: tim formalize a user-facing use case for WS-Security (e.g.
use of WS-SecureConversation) [recorded in
[50]http://www.w3.org/2006/11/14-wsc-irc]
<trackbot> Created ACTION-19 - Formalize a user-facing use case for
WS-Security (e.g. use of WS-SecureConversation) [on Tim Hahn - due
2006-11-21].
tjh: said use (ACTION-19) would lend credence to listing WS-Security
attributes as security context information that would be useful.
... what about AJAX-style communications between client and server?
tlr: this is HTTP and some type of structured content that flows within the
content area
PHB: view AJAX as a form of constructed content.
... when a page comes from one source, it might be trustable or more
trustable than if it comes from here, there, and everywhere.
<malware> I suggest that for sake of precision that we don't use the term
"Ajax"
<tlr> +1 to malware
<Zakim> malware, you wanted to talk about using "XHR" = XmlHttpRequest
instead of Ajax
<stephenF> ok that's me done for the evening - if you include a summary
agenda slot tomorrow, I'll dial in to the audio for that otherwise I'll be
on irc tomorrow
<staikos> JSON - JavaScript Object Notation
malware: the term Ajax is imprecise. use XHR - it means asynchronous
communication using XmlHttpRequest.
<staikos> uses ECMAScript syntax as a mechanism for serializing objects
tyler: context info: has the page completed loading?
Mez: this seems to exhaust our brainstorming on this list/enumeration
... how about looking at browser/user agent list next.
Hal: charter says "on the web"
tjh: so does that mean anything that speaks HTTP protocol?
Hal: that seems necessary but not necessarily sufficient as a definition
Billd: include HTTPS as well
Mez: list browsers
Opera
Mozilla
IE
Konquerer
Netscape
<staikos> Safari
Safari
<Pau1> Pocket IE
<staikos> Series 60 Browser
Firefox
<tlr> blazer
<staikos> There are numerous KHTML/WebKit based browsers now, just like
numerous Gecko based browsers
iCAB
Camino
Camino is Gecko-based
Shiira
curl
wget
elinks
Notes
EclipseRCP
<tlr> add amaya it's a browser as well
phone: e-mail clients are using web-engines for rendering e-mail.
<staikos> tjh: that was me btw :)
rfranco: even things like Quicken are using IE object to display content,
but chrome is handled by the program.
<staikos> the question is, does the application allow navigation to
uncontrolled content
<staikos> in Email, this is the case
<staikos> in applications, not necessarily the case
malware: some of the other vendors are not investing in standards work so
uncomfortable listing them.
<malware> [51]http://en.wikipedia.org/wiki/List_of_web_browsers
<malware> [52]http://en.wikipedia.org/wiki/Comparison_of_web_browsers
<malware> my comment that tjh refers to was specifically in relation to
vendors of mobile browsers
malware thank you for clarifying
<malware> further for the record, I very much would like to see as many
browser vendors as possible getting involved in the work of this group
tlr: recommend categorizing types of browsers -- what are the different
constraints on user interfaces? ...
... think mobile phone, think screen reader, think braille line ...
Hal: key question is who/what is in control of the display of the security
context.
<tlr> tyler, can you make that "constrained UI" instead of "constrained
I/O"?
<malware> [53]http://en.wikipedia.org/wiki/Microbrowser
<malware> above is list of mobile browsers
Hal: heavy client on the list or not depends on who controls the rendering
and who controls the chrome.
Mez: does the notion of portlets and proxies play here?
Hal: this is back to not all the content on a page coming from one place.
tlr: the general idea of aggregated content (not limited to XHR, but XHR is
an example)
<Zakim> malware, you wanted to talk about "combined" pages
<scribe> rob, please try to summarize that statement into the IRC - I missed
it.
<staikos> anyone have a Mac to demonstrate?
<staikos> Hit F12
<Pau1> Konfabulator works on Mac or Windows.
<staikos> [54]http://www.apple.com/macosx/features/dashboard/
<staikos> yes :)
<staikos> can you guys email me dinner?
<Pau1> FTP (food transport protocol)
<malware> staikos, will send you some tortillas in exhange for KDE stickers
Mez: beginning to wrap for the afternoon
<staikos> I still don't even have a stuffed Konqi
Mez: still looking for an editor
... should there be a wiki for this stuff or not?
tlr: we have dealt out a lot of action items - good application of a wiki.
However, an editor must grab that stuff and put it in specification format
and polish it.
Tyler: I will write if someone will help supervise
tlr: will help with technical
Tyler: chosen as Editor.
<tlr> ... for note
Meeting adjourned.
Summary of Action Items
See [55]tracker.
_________________________________________________________________
Minutes formatted by David Booth's [56]scribe.perl version 1.127 ([57]CVS
log)
$Date: 2006/11/21 15:12:02 $
References
Visible links
1. http://www.w3.org/
2. http://www.w3.org/2006/WSC/f2f1
3. http://www.w3.org/2006/11/14-wsc-irc
4. http://www.w3.org/2006/11/14-wsc-minutes#agenda
5. http://www.w3.org/2006/11/14-wsc-minutes#item01
6. http://www.w3.org/2006/11/14-wsc-minutes#AgendaBashing
7. http://www.w3.org/2006/11/14-wsc-minutes#w3c101
8. http://www.w3.org/2006/11/14-wsc-minutes#scheduling
9. http://www.w3.org/2006/11/14-wsc-minutes#item02
10. http://www.w3.org/2006/11/14-wsc-minutes#ActionSummary
11. http://www.w3.org/2006/WSC/f2f1.html
12. http://www.w3.org/2006/WSC/w3c101#(1)
13. http://www.w3.org/2006/11/14-wsc-irc
14. http://www.w3.org/2002/03/RRSAgent
15. http://www.w3.org/2005/10/Process-20051014/policies.html#WGArchiveMinorityViews
16. http://www.w3.org/2002/09/wbs/39814/wscweekly/results
17. http://www.w3.org/2002/09/wbs/39814/wscspring07/
18. http://www.w3.org/2002/09/wbs/39814/wscspring07/results
19. http://www.w3.org/2002/09/wbs/39814/wscspring07/
20. http://www.w3.org/2005/Security/wsc-charter
21. http://www.cabforum.org/
22. http://www.w3.org/2006/11/14-wsc-irc
23. http://www.w3.org/2006/11/14-wsc-irc
24. http://www.w3.org/2002/09/wbs/39814/wscspring07/
25. http://www.w3.org/2006/WSC/Group/track
26. http://www.w3.org/2002/09/wbs/39814/wscspring07/results
27. http://www.w3.org/2006/11/14-wsc-irc
28. http://www.w3.org/2006/11/14-wsc-irc
29. http://www.w3.org/2006/11/14-wsc-irc
30. http://www.w3.org/2006/11/14-wsc-irc
31. http://www.staikos.net/~staikos/isitencrypted.png
32. http://www.w3.org/2006/11/14-wsc-irc
33. http://www.staikos.net/~staikos/isitencrypted.png
34. http://www.w3.org/2006/11/14-wsc-irc
35. http://www.skype.com/download/skype/macosx/downloading.html?download=Download+now
36. http://www.w3.org/2006/11/14-wsc-irc
37. http://www.w3.org/2006/11/14-wsc-irc
38. http://www.w3.org/2006/11/14-wsc-irc
39. http://lists.w3.org/Archives/Member/member-wsc-wg/2006Nov/0018.html
40. http://www.w3.org/2006/11/14-wsc-irc
41. http://www.cs.biu.ac.il/~herzbea/
42. http://www.w3.org/2006/11/14-wsc-irc
43. http://www.w3.org/2006/11/14-wsc-irc
44. http://www.w3.org/2006/11/14-wsc-irc
45. http://www.w3.org/2006/11/14-wsc-irc
46. http://wiki.mozilla.org/Microsummaries
47. http://www.w3.org/2006/WSC/security-context-info-sources.txt
48. http://www.w3.org/2006/11/14-wsc-irc
49. http://www3.ietf.org/proceedings/06nov/slides/tls-1.ppt
50. http://www.w3.org/2006/11/14-wsc-irc
51. http://en.wikipedia.org/wiki/List_of_web_browsers
52. http://en.wikipedia.org/wiki/Comparison_of_web_browsers
53. http://en.wikipedia.org/wiki/Microbrowser
54. http://www.apple.com/macosx/features/dashboard/
55. http://www.w3.org/2006/WSC/track
56. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
57. http://dev.w3.org/cvsweb/2002/scribe/
Hidden links:
58. http://www.w3.org/2002/09/wbs/39814/wscspring07/
--------------------------
[1]W3C
WSCWG face-to-face
15 Nov 2006
See also: [2]IRC log
Attendees
Present
See [3]14 November minutes
Regrets
Chair
Mez
Scribe
tlr, PHB, billd
Contents
* [4]Topics
1. [5]intro for the day
2. [6]chartered deliverable #2
3. [7]scheduling second face-to-face meeting
4. [8]2nd rec -- anti-spoofing techniques
5. [9]next steps
_________________________________________________________________
intro for the day
MEZ: not quite there to talk about rec-track stuff; would like to recap some
stuff from yesterday's discussion ...
IRC log from yesterday: [10]http://www.w3.org/2006/11/14-wsc-irc.html
(There will be a more readable HTML rendering of that.)
<stephenF> is there a keyword in yesterday's log we can search on?
MEZ: Goals ...
... non-goals ...
... assumptions ...
... use cases/secenarios ...
... user test / verification ...
... sec ctx avail ...
... browsers / UAs ...
... content practices ...
<stephenF> (this is the TOC for the note? if so, good)
MEZ: attacks ...
... non-attacks ...
(this is what MEZ is scribbling on the whiteboard)
??: Add in-scope to "goals", out-of-scope to "non-goals"
MEZ: ... flesh out some of the discussion more ...
... good start on avaiable context ...
... some stuff on use cases ...
... got tyler as editor ...
<stephenF> I'd be interested in knowing if any non-goals were agreed
yesterday (anytime, not necessarily now)
<stephenF> ok, good
MEZ: what are the stages we plan on doing? How do we validate and/or
convince ourselves that we come up with useful recommendations?
... kinds of things I can think of ...
... expert review by HCI community ...
... can do those on paper goods ...
... example scenarios ...
... try to gather expert feed-back ...
... other end is user testing ...
... could be paper-based or code/mockup based testing ...
... some HCI folks actually prefer paper-based since people feel their
feed-back is more useful ...
... all this will require example scenarios ...
... and then there's Phil's early direction: theories and principles ...
... that can range from 7+-2 short-term memory ...
... through "dialogue boxes are evil" ...
... through safe staging ...
... related to idiot boxes ...
... might need to pull in basic theories as basis for discussions ...
hal: maybe proposed mechanisms, mock up alternatives ...
... rapid prototyping common in UI development, showing stuff to users ...
(more discussion about usability testing)
<stephenF> (I'm getting more from the IRC than the audio, so I'm going to
IRC-only mode now)
MEZ: as standards body hard-pressed to do better than industry or
researchers ...
<malware> concise definition of "safe staging" anywhere?
MEZ: there is substantive amount of reserach papers ...
... getting test subjects is hard ...
<Yakov> I am also having problems with the audio
<stephenF> it wasn't so much problems, but lack of added-value compared t
the excellent scribing
malware: good definition of safe staging?
mez: don't make users make security decisions when they're not ready to
... if you make them make a decision, it'll be a bad one ...
phb: idiot boxes are problem for many reasons ...
... instead of providing good and usable interface, press liability to user
...
billd: dilutes further information that might be important
tlr: use cases ought to be useful for usability testing
mez: yeah, they'll probably be useful
... worry that sometimes security engineering is targeted towards defending
stuff against unknown attacks ...
hal: there might be unknown attacks in the use cases
maritza: Would like use cases feed into scenario-based user testing ...
... one of the thing have been thinking about a lot is how to present use
cases to user ...
... "decide if site is secure using whatever information you get" ...
... or test some kind of task and then look how securely they do them ...
... if you do it the first well and they fail, that's good information ...
... but if the first one succeeds, it doesn't tell you the mechanism works
...
mez: that comes up a lot in usability testing ...
... lab vs in-the-wild bias ...
... comes back much more strongly when testing for security ...
... security by itself is never main goal ...
maritza: if someone is watching you, you'll always want to be seen paying
attention ...
Scribe misses some remarks from MEZ.
tjh: besides published headlines about people walking around streets and
giving passwords up for a candy -- is there reliable research?
mez: there is a lot of data out there
<stephenF> "out there" == "where?"
mez: attitudes and what they mean ...
<scribe> out there == research literature
<Pau1> Angela who? I couldn't hear the last name of the researcher.
<stephenF> good if better literature pointers are done, better on the list
<scribe> ACTION: Zurko to put together set of background references
[recorded in [11]http://www.w3.org/2006/11/15-wsc-minutes.html#action02]
<trackbot> Created ACTION-20 - Put together set of background references [on
Mary Ellen Zurko - due 2006-11-22].
<scribe> ACTION: maritza to help MEZ with ACTION-20 [recorded in
[12]http://www.w3.org/2006/11/15-wsc-minutes.html#action03]
<trackbot> Created ACTION-21 - Help MEZ with ACTION-20 [on Maritza Johnson -
due 2006-11-22].
<Pau1> [13]http://www.cs.ucl.ac.uk/staff/a.sasse/
(discussion about relevant literature)
mez: Need to do some of the usability testing, we'll see how much we can.
Hal: There's issue around recs working on every platform ..
... sipmle example: Things that you click on are in different places on
different platforms ...
mez: good point
phb: stuff that I've been reading on usability is all on testing ...
... have yet to find a book about usability engineering ...
... books say "you design thing, then you test it" ...
... would like to see design principles ...
mez: the design for usability discpline is called: ...
... DESIGN ...
... there's always testing in the life cycle ...
... there's usability design discpline ...
... roles and personas come from that end of spectrum ...
... UI design part craft, part art ...
phb: lots of stuff on the "craft" level?
... what's the model of the user, the mental facilities, etc
mez: design doesn't happen that way
... people aren't like code ...
phb: maximum cap not definable, but you can do a good model of the minimum
user ...
tlr: there's a difference between what level we should recommend stuff on,
and what level things get tested on
tyler: recommend specific widgets?
hal: there's a level of detail we're probably not going below of ...
... part of the process ought to be how specific we can afford to be ...
... we need to find the point where we ought to specify things ...
malware: one example we had is very simple -- see EV certificates ...
... CA browser forum work ...
... in that case, didn't evolve from spec, but evolved from MS saying we'll
implement in a certain way ..
... instead of lock icon and address bar, green background ...
... decided before spec came along ...
... don't remember whether it's in the spec ...
... there's agreement between browser vendors to have certain level of
consistency ...
... in MS case, it's white around address bar, changing to light green ...
... in Opera's case, outline around the screen?
hal: do sth like that for SSL?
malware: yellow
... think it's not totally inappropriate to do things kind of high-level --
say things about colors ...
... but don't go into too much of a detail ...
... there's room for specific recommendations, in particular when based on
solid usability insights ...
... in that case, can get accepted by browser vendors ...
... stuff that needs to be consistent ...
... high-level spec to ensure that things are consistent ...
... if there's no spec, will just talk to each other to see what to do ...
phb: IE decided to adopt same icon as Firefox for RSS/Atom feeds ...
... people do recognize that there's interest in standardization & using
similar cues ...
... if that's better done offline (private agreement) or better done from
center ...
... don't know ...
... when you do anything like logotype, at least define increments ...
... for logotype, might give range of specific sizes, e.g. ...
... menu of possible sizes ...
... reduce space of possibilities ...
billd: cues are important to standardize on ...
... cues back are really important -- "this is a shaky certificate" ...
... don't have the cues on your own computer, general sense ...
mez: There's research on attention and security -> reading list
maritza: firefox does URL bar thing, but nobody knows what to look for
... assuming that we do decide on some standard -- when or how is it
introduced to the user ...
... users knowning what is going on is important for effectiveness ...
tjh: it's word of mouth or folklore
mez: for standards, it's product uptake
tlr: consistency might help user education
<stephenF> gotta go lecture back in ~1 hr
maritza: didn't know what yellow bar was for, hadn't made connection
tjh: certainly won't work things from release notes
hal: if you've got a standard, then you can advertise
tyler: use this WG to have browser makers agree
... is opera going to discuss results from this WG with development process?
Malware: we'll need to get the guy who implements security stuff involved
...
... Yngve ...
... opportunity to get back to product people ...
<Zakim> malware, you wanted to talk about how to make users aware of
security features through UI and to talk about feed icon
malware: how do you make users aware?
... came up with regard to security stuff ...
... users often don't know what something means ...
... one of solutions that have been used ...
... paper clip isn't liked by users -- anti-pattern? ...
... hard to put sth into applicaiton to alert users ...
... brilliant ideas around? ...
... user education about products without relying on online help ...
... users don't go out of their way to educate themselves ...
... feed icon is actually trademarked by mozilla ...
... they tried to exercise control over its use ...
... things that are intended for widespread use shouldn't be under control
of one entity ...
<Yakov> out for 15min
discussion betw malware and tjh about feed icon
tjh: other forms of cueing?
mez: lots of research on this problem
... but there's a lot of reasons why not in products ...
maritza: commenting on clippy ..
... people want to learn about security according to surveys ...
... but don't really buy it ...
tjh: there are ways to get things out
tyler: we might find out that if you need documentation, then it's moot
... studies show that things need to get into interaction ...
... in order to work ...
<Zakim> tlr, you wanted to suggest we come back to the "create something"
tlr, billd: if standard works and is adopted, then user education won't be
our problem
mez: goals/non-goals better as summary step?
[14]http://www.w3.org/2006/WSC/track/actions/open
<scribe> ACTION: bwporter to produce voice browser use case? [recorded in
[15]http://www.w3.org/2006/11/15-wsc-minutes.html#action04]
<trackbot> Sorry, couldn't find user - bwporter
<scribe> ACTION: porter to produce voice browser use case [recorded in
[16]http://www.w3.org/2006/11/15-wsc-minutes.html#action05]
<trackbot> Created ACTION-22 - Produce voice browser use case [on Brandon
Porter - due 2006-11-22].
mez: break early ...
... talk about next deliverables ...
... half-hour break now ...
reconvene at 10:42
<scribe> hi george, welcome
<staikos> hello
<staikos> :)
<scribe> ScribeNick: PHB
PHB appointed scribe by royal appointment
Second face-to-face meeting
Thomas: Answers from most participants in the group but 5...
... Answers that we do have: Jan 30th and 31st is best, only 2 conflicts ...
Proposed: Jan 30th to 31st on West coast.
<Pau1> Oh well, I'll be in Provo at a meeting at Novell.
... We checked the APWG and there is no conflict, no meeting that month ...
... Thanks to Hal for the invite. ...
RESOLUTION: next face-to-face 30/31 January in San Jose, hosted by BEA
<tlr> thanks to BEA.
chartered deliverable #2
<staikos> The phone is much clearer today
MEZ: should note be before the rec
Mez: need to talk about all three since have a heartbeat on all of them in
the charter
... Discuss best practices for usable auth ...
... Touched a bit yesterday ...
... range of potential outcomes in tersm of specificty of best practices
... Thomas made bes attempt at formulating ewhat they might looo like
... Principles, worked examples for verifying, reusable assets
Hal: what do you mean by these (RSS icon)
Mez colours for signalling etc
Thomas: shouldn't look for colors at only signalling mechanism -- be clear
about what we address
Mez: as a worked problem ...
... people have looked at use of colour
... CHI Computer human interface - put the computer first
Hal: MAN machine interface
... So now its called HCI
Are practices like patterns?
Hal: have heard people rant about how awful a web page is without giving
reasons why it is awful
MEZ Earliest guidelines on menu placement were an inch thick.
... but once you have toolkit no need for those
... toolkits ensure conformity
<maritza> [17]http://www.useit.com/papers/heuristic/heuristic_list.html
Maritza points us to Jacob Nielsen's at URL above
Mez: Nielsen is good,
... I may take litterature with poetic license
... got some usefule(?) data points
... no place for that in note appropriately, may be spot in the
recomendations
Mez writeth: REC #1 Security Context List / Best Practice Principles
Thomas: Secuirty context information, how is that context information
displayed today if at all
... where are we? is presentation effective/ineffective
... certs are particularly bad... whagt is in dire need
... mapping that information into a level that can be understood
Thomas admist he cannot do 128 bit key fingerprints in his head
Hal: its not for that
Thomas: look at what is in the wild and what starting point is
Tim: look at the minimal set of context to discuss
<staikos> and we have no useful means to send fingerprints out-of-band
<tlr> tyler, can you send me your list?
Mez: there will be a minimal set, and other stuff
<Zakim> tjh, you wanted to ask if we have a security context list and what
is a MINIMAL list of security context information (per the charter).
PHB also need the user context, what is the user trying to achieve here?
scribe: their problem is'am i safe', 'is this the same party I saw in the
past', the objectives are user centered
Tim: agrees user perspective is important
... need to be able to express construcxts
... like don't send password over unencrypted link
<stephenF> +1 to phb's "same party as before" point
Hal: we can't say what the user really wants to know 'am I secure'
Bill: some of the time the link can be presented as protection but there is
no protection
... have this black and white presentation that does not match reality
... things say 'its good' when its not
Hal: this is easy to solve, if servers turn off encryption then client does
not present as secure
... IE now ships with SSL 2.0 turned off
Tim: How do I define safe
<staikos> KDE4 has SSL 2.0 removed completely in SVN
<hal> need to recognize that we cant really give the user the information
they want: Am I safe?
<hal> we can inform them about various properties which can lead to being
safe, but the browser does not have all the necessary data
<tjh> phb: we may not be able to answer "am I safe" - but perhaps we could
answer "you're configured safe according to what A, B, or C thinks is safe"
<Pau1> PHP - so it sounds like you are recommending a set of best practices
in this area that will be consistent across all the browser vendors.
PHB said something he will add later
Mez: We can't not a good starting point
Hal: I am not saying we can't give good info
... people don't want to be told about the minutiae ... data going
unencrypted over the network
PHB earlier: People can't be told 'I am safe' but we can tell them 'Bruce
Schnier thinks you are safe, or PHB, or...'
Mez: Users don't have a security experts model but they do have a model
<stephenF> If we could tell them "you're as safe as yesterday" that'd be
something
bill just going back into the protocol
scribe: certs are useless to the user 9today). wanta go to a site
... information could be presented in much beeter format
... all user sees is dialog boxes they ignore, dilutes the user experience
Rob from IE: is it fair to say users dont have an acceptable security
baseline
Bill yeah
Tyler: At hp we think in terms of users current expectations
<rfranco> Correction to PHBs note above
Tyler: anything they dsee as an exception is a problem
... exception is the password field using star characters when link is not
encrypted.l
<rfranco> "is it fair to say that users don't know when they are at an
acceptable security baseline"
<staikos> very nice observation
<staikos> rfranco: I think so
Tyler: phrasing it in terms of use
... expectations
<Zakim> PHB, you wanted to wife tech admin issue
Thomas: Throw usability and usefulness
PHB: also the issue of third party
... too many requests for expert advice when the web breaks for someone
Thomas: best practices
... Current practice: show the whole URL
... HTTP response headers what is done now
... nothing
Hal need to check IANA
Thomas: Cookie information
Mez dialogiue boxes
Hal unless you have policies says nothing
Rob Franco: what?
<staikos> Cookies are prompt-by-default in KDE
Hal: Nothing vcisible these days to say cookie has arrived
Chris: mysterious to user
PHB info is there but not useful
malware: there is a setting you can pu on to get a dialogue box
Thomas: I don't think thats the aspect we need to look at
Thomas: cookies are used for authentication, trigger display of a shared
secret, user is at their bank again
Mez there are restrictions on cookie interchange
<staikos> The cookie interchange algorithms are getting very complex (and
thus error-prone) too
all kind of useful cookie context indicators and ways they might be used as
indicators
Hal: There are some specific cases where the cookie could be useful if it
could be interpreted but they are opaque to the user so not useful
Mez: On to the next one
... Refering page
Hal: not displayed, is on the history of the back button
... how do things get in history
<Mez> +me says sorry George, that's phil taking notes
Hal: see everything
<Yakov> exiting... will re-join the meeting at 2pm
PHB back button should not cause redirects forward
<staikos> The back button is actually a very challenging issue
tim how do you explain to your wife
PHB: I tell her thats the way the web is,
<tlr> Starting to edit list at:
[18]http://www.w3.org/2006/WSC/contextinfo.html
<staikos> PHB: In fact I think we should not put pages that cause redirect
into the history at all
Mez going to make recomendations that stand up to attack
<malware> staikos, about loud typing, probably you are hearing phb, who's
scribing (brother sort of seems to attack his keyboard...)
Mez: will get some wrong
... but we don't have to expect to get 100% right
Thomas: there is life after recomendation, can track errata, issue edited
recommendations
Mez: something to consider
Thomas: might have extended maintenance mode
Hal: much more likely is recomendations will be overtaken by events, people
change attacks
... sendmail has lots of code to deal with ancient
... needs
PHB we have a dialectic system
MEZ: URL
Tyler: realy long urls to defeat attacks
Hal right justification, not left
<malware> PHB: a browser that has better security features is at a
competitive advantage
<malware> (I think that's what he said)
Mez character set defensive mechanisms?
Thomas: techniques against equal looking IDNs?
Mez yes thats one
Hal hope most people have changed their access system...
... problems on server side by parsing URLs ...
... construct a policy that matches something and people then create strings
Thomas: i was talking about Paypal with a cyrilic a
<staikos> why use a cyrillic a when www.paqypal.com" is probably sufficient?
Thomas: dealt with today with restrictions on TLDs for which IDNs will be
displayed
PHB problem is not just IDNs
Thomas: people read domain names the way they read text, they don't look for
errors
... anything that depends on proof reader skills is going to fail
<Paul> exiting...will be back between 2:30-3:00pm
PHB fixes the projection screen using his degree in nuclear physics
Mez there is the s in https: the yellow thing people do
Bill no real binding of SSL to a certificate
Hal: all the properties of the session
... separate out SSL on or off and other properties of the session
SSL on/off the PADLOCK !!
<Mez> Mez wants to know why George puts good ideasin a place the notes won't
carrry forward
Maritza colours
<staikos> not a good idea yet :)
Tyler: the dialog boxes you get
Hal that goes in the next box
Bill can enable doesn't tell you its off
Tyler warning when not on an sssl site
mez this other dialog box that tells you when you are going secure and
everyone disables
Mez beginning of the validity period I don't get that one
PHB: there is an operational reason for not validbefore -- fielding of
up-to-date CRL
Bill: in ssl so there is no interface or mechanism that says what is the
level of encryption I am usi ng
Mez you are right, should be logging
Mez is there if you dig
Bill needs to be there
Tyler phill got lost showing a cert property
PHB the Danny Weitzner test, if UI is not usable by DJW in quarter of an
hour then reject
Hal: session properties in that box
... definitely want to know what type of crypt
Bill these are not necessarily certificate properties
Hal: reason I proposed the split i did is that you propbaly need a binary
split and then detail
tyler: info on cipher not presented sould be down one, firfox reveals this
<Zakim> PHB, you wanted to suggest a box split
<staikos> would like to agree with PHB but no need to take phone time for
that :)
<Zakim> malware, you wanted to about testing across browsers
PHB Merge the boxes so we don't conclude we need to represent SSL on off
when the question is am I safe
malware: Need to teswt on more than just the browser you are familiar with
... best current practices needs to be any widely used/available browser
Hal: point was to identify that which there is at least one example of
Bill: get back to the box in the breaqkout there is stuff from certificates
currently bundled with SSL
Mez this is not the last pass
Hal/Bill discuss trust
Mez: you going anywhere?
Hal its up there
Mez take it away
<Zakim> PHB, you wanted to point out presenting base64 attribute does not
communicate much
PHB trust level is displayed in IE7, address bar shows the issuer
malware: we have a three level indicator, but don't remember the details
<tlr> ACTION: msmith9 to find out more about Opera's numeric trust indicator
[recorded in [19]http://www.w3.org/2006/11/15-wsc-minutes.html#action06]
<trackbot> Created ACTION-23 - Find out more about Opera\'s numeric trust
indicator [on Michael Smith - due 2006-11-22].
PHB there are several add on plugins display trust
Tyler: fiefox does strange things with the lock icon, greyed out states and
such.
<staikos> phone went dead?
<staikos> hm well my comments: the n padlocks attempts proved disastrous
(for KDE too) and going back to simple indicators is best in our experience.
<staikos> I'll dial back in after lunch
Thomas mismatch betwen domain name and subjectaltname is displayed
<Zakim> PHB, you wanted to need for debugger interface
PHB we got here because people needed a debugging caqpability flor their own
sites. Should peobably have explict mode for this
Mez may be puchin bounds of the charter
Thomas: key into bookmarks with petnames as existing practice?
Mez its research, big field...
... protoypes? where is the line? ...
.. even if have colum need to fill it in ...
... widely available addons? ...
thomas maybe no experimental things...
... but let's put down our collected knowledge
mez no we are not i have a lot we are not putting down
Tyler: need experimental things to inform working draft
... can easily list addons for firefox
Tyler overridable warning, in IE7 this is not completrely overridable
<scribe> ACTION: tyler give the URL of the antiphishing category for
Mozilla/Firefox extensions [recorded in
[20]http://www.w3.org/2006/11/15-wsc-minutes.html#action07]
See ACTION-30.
Need to state that we have thought of the debugging mode requirement and
explicitly put it out of scope.
Bill classification of certs in three classes
Hal: these classes are not currently agreed
PHB thats why we have CABrowser forum
<hal> I believe that tyler proposed "did not come from the site" as a
general criterion for all the infomation, not as a specific row of the table
Thomas edits configured trust roots box
<hal> since he steped out, I cant ask him right now
<hal> btw, I disagrre with using this as a criterion, untrustworthy info
should also be considered at least at this stage
Mez there is a place you can go to look at them
Maritza the user does not know who is pre-trusted
PHB: additional ones can be added without user asking
tyler: there are no policies even
... these are accidents of history
hal: while you were out...
... thought that you wanted to provide a general criteria rather than
something that applies to specific row
... row about additional data on site that dis not come from the site
deleted
tim bookmarks,
mez have a way to display
tim does any browser tell you the last time you visited
tyler don't know any browser that will tell you that you are at a previously
bookmarked page
mez more info, can I look at my cache?
malware: if you open a console window...
tyler: your password manager
phb you can do that
tyler i can...
... you can get a list of all your cookies...
hal lots of incomprehensible details
tyler history gets updated as you browse
maritza: list of sites you have already filled in form information for
haql: you can see this locally?
maritza: one of the tabs is saved forms
mez reputaion
phb there are lots of antiphishing toolbars
mez not production
tyler IE7 and fireforx have these built in
malware: opera also has this feature
thomas adds to the matrix
mez past introductions from friends
hal nothing....
rob franco: wanted to detail the phishing filter...
... for benefit of posterity does not check every url. ...
phb thats still reputation data
robfranco wanted to make sure privacy community got the full picture and we
do protect privacy
hal: do you check agains for different url on the same domain name
rob yes for geocities!
scribe: maybe not for other properties, don't need to check bofa
mez redirection path
hal flashes in the address bar
tyler; we are doing potential? now only looking at what is curently being
used
mez: we are just filling in the first collum...
... was encouraging us to take a strict columnar approach so we can complete
before 430
hal: would suggest not even takling col 2 without the use cases
mez html page: spam filter like techniques ????
tyler: some phishing managers do this type of thing.
rob that is right if a site is unknown and has suspicious
mez target uri?
tyler the action uri for a form you are going to submit
thomas: mouse over hyperlink gives some this info
hal: javascript can override this behaviour for evil intent
PHB IP address...
... sometimes see ths come up.
... more thinkig in terms of reputation data keyed off IP
tyler: IE has long had a feature that classifies sites nby if its on your
intranet internet...
rob IE has a security zone based on a set of client heuristics, (describes)
...
... urls without a dot always come up as intranet ...
... home joined systems dont have intranet
<tlr> ACTION: Thomas to set up Wiki for group use [recorded in
[21]http://www.w3.org/2006/11/15-wsc-minutes.html#action08]
<trackbot> Created ACTION-24 - Set up Wiki for group use [on Thomas Roessler
- due 2006-11-22].
<tlr> ACTION: Thomas to set up CVS access for Tyler [recorded in
[22]http://www.w3.org/2006/11/15-wsc-minutes.html#action09]
<trackbot> Created ACTION-25 - Set up CVS access for Tyler [on Thomas
Roessler - due 2006-11-22].
mez notes need editor context pulls the contributon together.
mez notes charter of two recomendations and that they may be combined
2nd rec -- anti-spoofing techniques
user interface, trusted path (shared secret) credentials, passwords,
question - web user agent to user?
<tjh> question on clarifying Recommendation two example of saying securing
path from web user agent to user.
<tjh> maritza: yes, between browser and user.
browser personalization, the practices to setup a "secure" session...
... examples limitations to scripting capabilities, dynamic, active content
to manipulate user interfaces. Security information presented on the screen
<Tyler>
[23]https://addons.mozilla.org/search.php?q=phishing&type=E&app=firefox
<Tyler> That's a search for all anti-phishing addons for Firefox
mez personalization of the chrome, visual that provides a "secure" handshake
tlr notes action with browser that provides feedback to the user in a user
friendly form
tjh notes network monitors security context information and use of seperate
tools. seperate channel
<tjh> create some form of monitor that watches such security context
information for connections and displays in some separated way.
mez notes that out of channel would not work SSL
tlr make the information available and in the right place
mez notes security context of personalization, "shared" secret. discussion
on what is a secret. passwords, keys
tlr one deployed mechanism: secret where first layer is based on cookies,
tls and cookies that authenticates the user to the sight and then stronger
authentication applied...
... avoid site that looks like banking site, and replay attack
<tlr> ACTION: zurko to dig out papers about authenticating browser password
entry dialogues to users [recorded in
[24]http://www.w3.org/2006/11/15-wsc-minutes.html#action10]
<trackbot> Created ACTION-26 - Dig out papers about authenticating browser
password entry dialogues to users [on Mary Ellen Zurko - due 2006-11-22].
<stephenF> breaking off now, will rejoin irc before end
Issue comes up about portablity of shared secret
if shared secret is tied to a browser on a particular machine
<tlr> ACTION: Hal to review requirements from workshop record - due
2006-12-05 [recorded in
[25]http://www.w3.org/2006/11/15-wsc-minutes.html#action11]
<trackbot> Created ACTION-27 - review requirements from workshop record [on
Hal Lockhart - due 2006-12-05].
tjh asks about the use of a proxy to help the user to stay in safe internet
areas
hal notes the desire to standardize data provided by white / black list
providers
hal suggestion, overhaul cookies and cookie management, since cookies
contain a lot of security data.
scribe: cookies can be used to set up attacks
tlr client authentication - exchange credentials and then get cookie.
support deployed base of credentials opposed to useing something like SAML
and the benefits that a SAML token can provide
tyler trust of site based on usage of the site, refering page and site that
you use all the time your bank, site that "trusted" agent gave to you
mez previous idea was securty stuff to show that the user had security -
moving to stuff to show security
tjh build up the security level not useing shared secret - site puts up
something to spoof shared secret
tlr classes of shared secrets
<tjh> tlr draws a picture showing communication from server to human/user,
from server to browser/user-agent, and from user-agent to human/user
tjh techniques to render information securely 1 - shown, 2 not spoofed...
... notes "secure" information should not be spoofed ...
tlr notes interactive ceremonies as security handshakes that take place as a
form or secure form is brought up
tyler information that only comes from particular areas on the screen or
reserved areas that are not available to web content
<tjh> tyler use a second or other device to give feedback to user IF site
contacted is one that was expected. Lack of that other device giving
feedback would indicate a
<tjh> ... possible problem.
how to use two factor or out of band single factor, cell phone, email
hal better support and integration of different forms of credentials and
management
mez - don't get to the web site in the first place
<Tyler> secure password based cipher suite for TLS
scribe: go to online mail, if the remote side cannot demonstrate knowledge
of the shared key then the handshake progresses
Tlr address and shared secret because you have done business with this site
before. expect that the site has knowledge of the shared secret and is used
to complete the TLS session
tlr trusted path from user agent to user is also required in this case.
next steps
<tlr> ACTION: Thomas to clean up minutes [recorded in
[26]http://www.w3.org/2006/11/15-wsc-minutes.html#action12]
<trackbot> Created ACTION-28 - Clean up minutes [on Thomas Roessler - due
2006-11-22].
Summary of Action Items
See [27]tracker.
_________________________________________________________________
Minutes formatted by David Booth's [28]scribe.perl version 1.127 ([29]CVS
log)
$Date: 2006/11/21 15:12:02 $
References
1. http://www.w3.org/
2. http://www.w3.org/2006/11/15-wsc-irc
3. http://www.w3.org/2006/11/14-wsc-minutes
4. http://www.w3.org/2006/11/15-wsc-minutes#agenda
5. http://www.w3.org/2006/11/15-wsc-minutes#item01
6. http://www.w3.org/2006/11/15-wsc-minutes#item02
7. http://www.w3.org/2006/11/15-wsc-minutes#f2f2
8. http://www.w3.org/2006/11/15-wsc-minutes#item03
9. http://www.w3.org/2006/11/15-wsc-minutes#item04
10. http://www.w3.org/2006/11/14-wsc-irc.html
11. http://www.w3.org/2006/11/15-wsc-minutes.html#action02
12. http://www.w3.org/2006/11/15-wsc-minutes.html#action03
13. http://www.cs.ucl.ac.uk/staff/a.sasse/
14. http://www.w3.org/2006/WSC/track/actions/open
15. http://www.w3.org/2006/11/15-wsc-minutes.html#action04
16. http://www.w3.org/2006/11/15-wsc-minutes.html#action05
17. http://www.useit.com/papers/heuristic/heuristic_list.html
18. http://www.w3.org/2006/WSC/contextinfo.html
19. http://www.w3.org/2006/11/15-wsc-minutes.html#action06
20. http://www.w3.org/2006/11/15-wsc-minutes.html#action07
21. http://www.w3.org/2006/11/15-wsc-minutes.html#action08
22. http://www.w3.org/2006/11/15-wsc-minutes.html#action09
23. https://addons.mozilla.org/search.php?q=phishing&type=E&app=firefox
24. http://www.w3.org/2006/11/15-wsc-minutes.html#action10
25. http://www.w3.org/2006/11/15-wsc-minutes.html#action11
26. http://www.w3.org/2006/11/15-wsc-minutes.html#action12
27. http://www.w3.org/2006/WSC/Group/tracker
28. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
29. http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 21 November 2006 16:06:11 UTC