- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 15 Feb 2007 12:14:18 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes of our face-to-face meeting on 30 January have been approved. They are publicly visible here:

  http://www.w3.org/2007/01/30-wsc-minutes

I'm including a text version below.

Thanks to Tony Nadalin, Bob Pinheiro, and George Staikos for scribing.

Regards,
-- 
Thomas Roessler, W3C <tlr@w3.org>

WSC WG face-to-face San Jose
30 Jan 2007

[2]Agenda

See also: [3]IRC log

Attendees

Chair
    Mez

Scribe
    Nadalin, tlr, Bob, staikos

Contents

  * [4]Topics
      1. [5]Intro
      2. [6]Agenda
      3. [7]Note
      4. [8]Section 8
      5. [9]break
      6. [10]section 8.2, poorly defined role for chrome
      7. [11]8.3
      8. [12]Petname demo
      9. [13]Extended Validation Certificates
      10. [14]9.1
  * [15]Summary of Action Items
_________________________________________________________________

Intro

Introductions around the table.

Agenda

<tlr> [16]http://www.w3.org/2006/WSC/drafts/note/
<Tyler> [17]http://www.w3.org/2006/WSC/drafts/note/Overview.html
We are lucky as we are going to get a "word" from the editor on the note
We will get through the note by end of afternoon break
We will then have some lovely demos
Will talk about a safe browsing mode proposal
Tomorrow we will "swing" around and talk about recommendations
<tlr> [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0206.html
<beltzner> proposed revised schedule for the Note: [19]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0190
Discussions on document time line
When to do first public working drafts
<tlr> editor's draft just means that there hasn't been a decision of the group to publish the thing
need to get a date for public working draft, target April ?
full editor's draft "may" possible in April, working draft may be a out a little
a separate mailing list is setup for comments on Working Draft
With working draft a patent call for exclusions is done
3rd F2F in June, is this the correct timing ?
3rd F2F maybe Dublin, is that too far ?
Will we have a 4th F2F ?
target November for LC
<staikos> Note: travel from Toronto to Dublin gets much easier after June 17
Discussions on testing
hal: Can this be done remote ?
need a facility that can handle inviting people and the process, need some usability folks
November is a target for testing, so need to start now
Rachna will lead the testing phase
So what will be the population of the testing?
are we going to document results or are we going to put that into best practice
So maybe both ?
George: has been "hacking" a brain dead browser, so no legacy, very basic
... this may be a great bed for testing
<staikos> also this browser is portable to Windows, Mac OS, and Linux
What kind of scenarios we will test against ?
<tlr> [20]http://www.w3.org/2005/10/Process-20051014/tr.html#cfr
Question over testing, so do we need to add an additional testing cycle ? as we are doing testing early and we may learn things that may make us go back
Do we have "wiggle" room if we have issues during LC ?
Stuart: What happens if the charter gets in our way, could we address this?
Thomas: yes there is room and ways to do this

Note

tyler: a "word" (or maybe open doc) from the editor
... if you can't see your changes in the doc, please contact me
tyler: please look at the wiki to see if there are any questions
... sections 2-8 seem to be in good shape, please read this over
... section 9 still has open issues and needs more work
tyler: once section 9 is complete this would be a good editor's draft
mez: please document your changes on the wiki
thomas: issue tracking through tracker
<tlr> ACTION: thomas explain issue raising process on public mailing list [recorded in [21]http://www.w3.org/2007/01/30-wsc-minutes.html#action01]
<trackbot> Created ACTION-93 - Explain issue raising process on public mailing list [on Thomas Roessler - due 2007-02-06].
tyler: done
mez: do folks have a real understanding of the "note"
thomas: this is what we are going to address/do so need to make that very clear to public

Section 8

mez: tyler did most of content to this section
<tlr> [22]http://www.w3.org/2006/WSC/drafts/note/#problems
thomas: wants to change the title ...
... maybe change section into what is working and what is not working ...
hal: section is all about chrome, and thus no problems with anything else but chrome
thomas: maybe "review of status quo" would be a better title
tyler: if there is anything that is true about the "status quo" that is not there already please input
phb: thinks that crypto is stable in status quo
<tlr> ACTION: hallam-baker to draft subsections for 8 about "compelling user interface", crypto [recorded in [23]http://www.w3.org/2007/01/30-wsc-minutes.html#action02]
<trackbot> Created ACTION-94 - Draft subsections for 8 about \"compelling user interface\", crypto [on Phillip Hallam-Baker - due 2007-02-06].
tyler: please point out opinion vs. fact vs. fiction
stuart: what is the "status quo" section really about ? user interface ?
tyler: section prior describes the scope
... we have in/out of scope sections
stuart: I'm really confused
... what is the basic goal of the user ?
tyler: look at the use case section
hal: there is more to user interface than the chrome so need to have that info
thomas: some of the use cases need a clearer question, example 6.14
... need to add additional questions in section 6
mez: are we up to 8.1 YET ?
<tlr> ACTION: stuart to review use cases, suggest reorganization, ... [recorded in [24]http://www.w3.org/2007/01/30-wsc-minutes.html#action03]
<trackbot> Created ACTION-95 - Review use cases, suggest reorganization, ... [on Stuart Schechter - due 2007-02-06].
please everyone work on use cases !!!
tyler: overview of section 8
... describes the problems with section 7
... split into 4 areas
... section 8 is about different levels of attacks ...
8.2 is about the indicators in the chrome
... 8.1 is about the spoofing the chrome
hal: need some definitions here
<bwporter> I'm noting that everything is focused on user->site trust... but there are other issues like user personal information... cookies, password management, form auto-fill
<bwporter> there is also the problem that user->site isn't sufficient as certain web pages show content from other sites embedded (ads primarily)
<bwporter> not sure where the right point in the agenda to bring this up?
thomas: need a glossary
mez: Tim main goal in life is to define a glossary
<tlr> ACTION: hahn to draft initial outline of glossary [recorded in [25]http://www.w3.org/2007/01/30-wsc-minutes.html#action04]
<trackbot> Created ACTION-96 - Draft initial outline of glossary [on Tim Hahn - due 2007-02-06].
mez: can we notify folks of actions ?
thomas: send email
hal: lets use the RFC 2828 Internet Security Glossary as the base
tyler: 8.3 is about the folks don't understand the indicator's
... the current chrome is not chrome...
... need definition of chrome ASAP ...
phb: if we don't know what chrome how can we explain this to users
... it's poorly defined
... confused on the indicators meanings
<beltzner> definition of "chrome" from Wikipedia: "The visible graphical interface features of an application are sometimes referred to as "chrome". They include graphical elements (widgets) that may be used to interact with the program. Common widgets are: windows, buttons, menus, and scroll bars. Larger widgets, such as windows, usually provide a frame or container for the main presentation content such as a web page, email message or drawing. Smaller ones usually act
thomas: folks here seems to have a misunderstanding of section 8
<staikos> Do I understand that we have a "poor understanding of the poor understanding portion" of the document?
<staikos> haha
thomas: part of what is meant is a separation of what is under the control of the user and what is under the control of the attackers
mez: let's suggest real wording changes
thomas: proposed restructure of section 8
<tlr> [26]http://www.w3.org/2006/WSC/drafts/note/#problems
mez: call to order
tyler: section 8.4 is about where the chrome never gets noticed by the user
<bwporter> Recommendation: Rename section 8 to "Analysis of problems with browser chrome"
hal: there may be other things besides the chrome so maybe add a new section
phb: too focused on technology, and need to focus on how to focus the user interaction/tasks
... need new section for user interactions/tasks
tyler: add new subsections to 9.1 to cover phb's issues
<yngve> phillip has a very good point about how intrusive a security or a non-security indicator can be.
<yngve> Example: how quickly do people turn off the "you are now entering/leaving a secure site" dialog? My opinion: very quickly.
thomas: 8 is focused on the visual desktop, and we need to get folks on usability issues
... other user agents besides the desktop
tyler: anyone use a agent besides desktop, like a mobile browsers ?
thomas: no mobile folks here...
... maybe other small/mobile browsers ...
<yngve> I do not usually work with/on a phone, but security information usability on phones is a problem due to less area for the chrome, currently not solved.

break

<bwporter> Recommendation: It may be helpful to restructure section 8 to organize the information as follows
<bwporter> a) Content<->chrome boundary
<bwporter> b) User perceptions of chrome
<bwporter> c) Analysis of individual chrome elements
<beltzner> tjh: the chaos you're hearing is that we're on break
<tjh> ok, thanks.
<beltzner> Recommendation: building on what PHB suggested, we might wish to either add a section or a subsection which illustrates the user's mental model as they walk through a common, generalized case of accomplishing a task.
Perhaps that goes in S9?
<tjh> unfortunately, after all that - I must drop to take another call.
mez: any other issues with section 8 ?
<staikos> [27]http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors <--- flow chart for our algorithm
<beltzner> staikos, I changed your document so that the screenshot is actually shown inline
Note should call out stuff that is the chrome that really should not show user and what stuff the user really needs to see
mez: any proposal to restructure section 8 needs to be concrete
<tlr> PROPOSED: Content-Chrome boundary; User perception of Chrome; Usability of individual elements
<beltzner> [28]http://pastebin.mozilla.org/3341
<scribe> new outline proposed
<beltzner> [29]http://pastebin.mozilla.org/3341 updated
thomas: seems to make it more clear
... so an issue is what the user understands and what user thinks is controlled by the chrome and what is controlled by the browser
<beltzner> * (8.1.2)
<beltzner> boo
<beltzner> [30]http://pastebin.mozilla.org/3344 updated
thomas: modification to proposal
... first talk about how things work today and then focus on the problems that this has caused
tyler: does not want us to focus on the controls but focus on the high level problem
tyler: explains current
beltzner: problem -- padlock contributes to more
... express the theme, give a single example, then break out control by control ...
... people suggest the latter might be an easier way to read the document ...
stuart: maybe some controls aren't repeated the way they should be
... like having a whole load of examples under certain things; makes it clearer that problem is endemic ...
... if you break it down by control, it's control-centric, and you lose the three problems that are universal ...
brad: works pretty well for some of the things, but if you want "supposed to do, perception, gaps", you don't want to separate these
stuart: there's another view of the world in which you take a user example ... ...
first look at this, then at that ...
... process-centric view of the world ...
... what are we supposed to be telling users?
... if they want to have an expectation ...
... process-centric view is lost in both ways to present the thing ...
... not necessarily a defect ...
... can't do three perspectives at once ...
... that's there ...
mez: think that somebody needs to volunteer to restructure the information in this section, if it's to be restructured
tyler: maybe defer until we are through the actual content?
agreed
tyler: <summarizes 8.1>
rob: is the "outer chrome off screen" attack feasible with current browsers?
... note should reflect what state of the world of first-generation browsers is ...
... second generation browsers also susceptible ...
... there's first vs. second gen attacks ...
... particularly because consumed more broadly ...
... want to understand size of the gap ...
... not presenting realistic picture ...
brad: negative coordinates seem to work with IE6
beltzner: if you can, it's a security bug
... should be fixed everywhere except in linux/gtk ...
staikos: we spent an entire week on this
<staikos> (in 2002)
<staikos> 5 years ahead!!
<scribe> ACTION: beltzner to seed and drive process to document current-generation undocumented safeguards in wiki [recorded in [31]http://www.w3.org/2007/01/30-wsc-minutes.html#action05]
<trackbot> Created ACTION-97 - Seed and drive process to document current-generation undocumented safeguards in wiki [on Mike Beltzner - due 2007-02-06].
tyler: mention names?
tlr: I think documenting is fine as long as it's factual; also, we've got the affected parties in the room
mez: 8.1.2, then lunch
<scribe> ACTION: Thomas to track Rachna adding references for 8.1.2 [recorded in [32]http://www.w3.org/2007/01/30-wsc-minutes.html#action06]
<trackbot> Created ACTION-98 - Track Rachna adding references for 8.1.2 [on Thomas Roessler - due 2007-02-06].
beltzner: issue with pop-ups that mimic chrome
tyler: 8.1.3?
rachna: definition of chrome -- relationship to security information delivered inside page?
franco: (explains IE practice -- somebody else please fill in)
tyler: the user agent could display information within the same coordinates ...
... visually extending the chrome that way might be a problem ...
rachna: block page
tyler: different problem
<scribe> ACTION: thomas to track Rachna to draft text for section 8, covering "block pages" [recorded in [33]http://www.w3.org/2007/01/30-wsc-minutes.html#action07]
<trackbot> Created ACTION-99 - Track Rachna to draft text for section 8, covering \"block pages\" [on Thomas Roessler - due 2007-02-06].
tyler: 8.1.3 is about pop-up windows which don't show the usual chrome; visited web site can render content that can behave exactly like chrome, but with site-chosen behavior
brad: is that allowed in modern browsers?
tyler: yes, I tested it
rob: remove which pieces of chrome?
tyler: yeah
rachna: umh
tyler: none of the usual things under the window title
rachna: that's not "no chrome"
rob: create popup method that lets you paint window inside window ...
... but what you're looking for is a popup window that's just the title bar ...
... could have address bar and stuff ...
... situation in which v2 browsers have done some things ...
... know that gerve did work in firefox ...
tyler: that doesn't actually work
... at least in firefox 2 ...
rob: ie7 ...
beltzner: ... does the right thing
yngve: if pop-up is opened without address bar, you have collapsed one, possibly yellow indicating that it's secure ...
... case with Opera as of at least version 8 ...
... don't remember exact version ...
... but problem is that collapsed address bar may be a little bit too small and easy to ignore ...
... not permitting a collapsed address bar at all? ...
... at the moment not getting everybody to agree on that ...
... finely tuned pop-ups ...
... precise pixel-size pop-ups ...
... that don't get displayed properly ...
tyler: to verify on IE7, all chrome indicators present?
rob: windows from the internet zone always have status and address bars ...
rob: title bar is another one ...
tyler: so some address bar widget is on every window?
rob: some yes, including lock icon in the address bar ..
... if you are at confirmed phishing site, red, and page becomes error page ...
... yellow for suspicious ...
... typically get the lock icon in the status bar as well, not sure why you don't get it in the demo ...
... information bar about things that were stopped ...
stuart: why is it in the page area?
rachna: it's more visually distinct in IE7 than in Firefox ...
tyler: indicator slightly better in IE7 ...
rob: thing to keep in mind, I'm at a site I expect to be at, something's odd
stuart: positive v. negative indicators?
rob: implicit, not well-broadcast
... no conditioning for legitimate sites to possibly have that positive indicators ...
... found that a lot of users have come to ignore info bar ...
... would expect that you don't need to interact with info bar in order to continue browsing; people ignore it ...
tyler: people could paint "verified by visa" in that style

section 8.2, poorly defined role for chrome

real chrome, not spoofed, what are problems
all indicators displayed in chrome are chosen by attacker, can fool the user
put better motivation into the text, like you spoke it
attacker has only some control, so how can attacker choose what is seen?
discussion with IE for how EV cert is displayed
EV cert displays name of CA, organization name
yngve: anything we can do in URL bar?
some info that attacker has full control over
mez: what do we mean by control
text string that shows up on screen is put there by attacker
tlr: nervous about mixing attacks where the attacker chooses arbitrary stuff and attacks where the attacker has to go through administrative processes and the like
stuart: disagree with assumption that attacker can put any pixels out there
need to id who you are talking to
PHB: not too much phishing going on where there is any authentication; most is where there is no authentication
can't make it impossible for attacker to get cert; but can make it much harder
MEZ: propose alternatives for the text?
hal: attacker can choose confusing url constructions;...
... our charter is about displaying secure info accurately, what is displayed in URL isn't in?
<tlr> s/hal: is/hal: our charter is/
8.2.3 attacker can choose url in other ways
web page can choose to show any logo it chooses
clarify that webpage is making decision about what to display
if network attack, display may not have anything to do with website
what is intent of fabricant?
<tlr> ACTION: thomas to propose alternative wording for 8.2.3 [recorded in [34]http://www.w3.org/2007/01/30-wsc-minutes.html#action08]
<trackbot> Created ACTION-100 - Propose alternative wording for 8.2.3 [on Thomas Roessler - due 2007-02-06].
<Mez> Tyler, is there a ref for Favicon? If so, can it be added?
is there a favicon reference
<tlr> ACTION: zurko to suggest favorite favicon reference [recorded in [35]http://www.w3.org/2007/01/30-wsc-minutes.html#action09]
<trackbot> Created ACTION-101 - Suggest favorite favicon reference [on Mary Ellen Zurko - due 2007-02-06].
<yngve> Wikipedia [36]http://en.wikipedia.org/wiki/Favicon
8.2.4 padlock
attacker chooses whether is on or off
attacker can use ssl certificate?
no attackers decision, can tell browser whether to turn on or off
<tlr> ACTION: tyler to switch order of 8.2.3 and 8.2.4 [recorded in [37]http://www.w3.org/2007/01/30-wsc-minutes.html#action10]
<trackbot> Created ACTION-102 - Switch order of 8.2.3 and 8.2.4 [on Tyler Close - due 2007-02-06].
site author's actions will influence how browser displays things;
8.2.5 rehash of 8.2.2
firefox repeats host name taken from url; is the one attacker chose;
with javascript can override any indicators in major browsers
not in note, except status bar
<tlr> ACTION: beltzner to propose descriptive text on firefox anti-phishing UI (for 8.2) [recorded in [38]http://www.w3.org/2007/01/30-wsc-minutes.html#action11]
<trackbot> Created ACTION-103 - Propose descriptive text on firefox anti-phishing UI (for 8.2) [on Mike Beltzner - due 2007-02-06].
<tlr> ACTION: tyler to extend 8.2.1 by tab title [recorded in [39]http://www.w3.org/2007/01/30-wsc-minutes.html#action12]
<trackbot> Created ACTION-104 - Extend 8.2.1 by tab title [on Tyler Close - due 2007-02-06].
<tlr> beltzner: notification / information bar
<tlr> rachna: other dialogues
<tlr> ACTION: beltzner to propose text on notifiaction / information bar [recorded in [40]http://www.w3.org/2007/01/30-wsc-minutes.html#action13]
<trackbot> Created ACTION-105 - Propose text on notifiaction / information bar [on Mike Beltzner - due 2007-02-06].
what is chrome?
dialog boxes should be included
<tlr> ACTION: Zurko to start discussion on mailing list to draw chrome items out and get analysis completed [recorded in [41]http://www.w3.org/2007/01/30-wsc-minutes.html#action15]
<trackbot> Created ACTION-132 - Start discussion on mailing list to draw chrome items out and get analysis completed [on Mary Ellen Zurko - due 2007-02-13].
everything that people are bringing up are things attacker is choosing to make display
phishers with certs are a non problem today
8.3 whole semantics around url depends on whether padlock is present
<tlr> ACTION: beltzner to propose clarifying language for 8.2.5 [recorded in [42]http://www.w3.org/2007/01/30-wsc-minutes.html#action16]
<trackbot> Created ACTION-106 - Propose clarifying language for 8.2.5 [on Mike Beltzner - due 2007-02-06].

8.3

8.3 user perceptions - summarized 3 of major results of user studies
cite the 3 studies
<beltzner> ACTION: beltzner to create a library of testcases / examples of attacks listed in section 8 [recorded in [43]http://www.w3.org/2007/01/30-wsc-minutes.html#action17]
<trackbot> Created ACTION-107 - Create a library of testcases / examples of attacks listed in section 8 [on Mike Beltzner - due 2007-02-06].
cite user studies for each point being made
<tlr> ACTION: thomas to track rachna to contribute more studies for 8.3 [recorded in [44]http://www.w3.org/2007/01/30-wsc-minutes.html#action18]
<trackbot> Created ACTION-108 - Track rachna to contribute more studies for 8.3 [on Thomas Roessler - due 2007-02-06].
padlock icon - users believe it means security is present but studies show they don't really understand
does padlock come up for any ssl?
if domain matches cert
<beltzner> the steps required to get the padlock in KDE are here: [45]http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors
note contains much of padlock mechanisms; should make bigger point of what user studies show
<yngve> Opera differentiates padlock levels (1-3). domain must match for level 3 (if using strong crypto). non match means level 1 (and in v9 no padlock)
<tlr> ACTION: brandon to propose more elaborate text for 8.3.1 ("padlock icon") [recorded in [46]http://www.w3.org/2007/01/30-wsc-minutes.html#action20]
<trackbot> Created ACTION-109 - to propose more elaborate text for 8.3.1 (\"padlock icon\") [on Brandon Porter - due 2007-02-06].
should stuff on mechanism be here?
blacklist is out of scope
do we want to go deeper to mention what state browsers is being displayed with padlock icon
<tlr> Use section 7 to drill down on what SSL icon *really* means; processes used to verify icons.
8.3.2 rewrite of first 3 sentences
issue is "earlier components are subordinate to later components"
what does subordinate mean
host names: like first names, last names
how can host name be presented to user?
we're not interested in solutions now
<tlr> beltzner: users believe the first part of a domain name is important, when it's not
<beltzner> I think the problem is that 8.3.2 is worded in a needlessly complex manner, as opposed to saying "users think that the first string in a domain name is important or controlled, and it isn't"
<beltzner> or what tlr said
<tlr> rachna: it's any string in it
<scribe> new section 8.2 what can you do given attacker has control over specific strings
<tlr> phb: needs to be URL attacks, not just host name attacks -- new section in 8.2
<beltzner> ACTION: tyler to create new subsection under 8.2 to classify types of attacks [recorded in [47]http://www.w3.org/2007/01/30-wsc-minutes.html#action22]
<trackbot> Created ACTION-110 - Create new subsection under 8.2 to classify types of attacks [on Tyler Close - due 2007-02-06].
do browsers cut off beginning of url
<tlr> ACTION: tyler to track rob tracking URL scrolling issues [recorded in [48]http://www.w3.org/2007/01/30-wsc-minutes.html#action23]
<trackbot> Created ACTION-111 - Track rob tracking URL scrolling issues [on Tyler Close - due 2007-02-06].
8.3.3 security tool bar
chrome versus page distinction does not exist in users mind
need to be clearer on definition of "most user"
<staikos> I don't really believe there is a valid "most user" :)
point of this section is identity things we need to improve on when making recommendations, such as "chrome" and "page"
<bwporter> ACTION: brad to offer text suggestion around "many users" [recorded in [49]http://www.w3.org/2007/01/30-wsc-minutes.html#action24]
<trackbot> Created ACTION-133 - Offer text suggestion around \"many users\" [on Brandon Porter - due 2007-02-13].
<tlr> ACTION: thomas to rewrite 8.3.2 [recorded in [50]http://www.w3.org/2007/01/30-wsc-minutes.html#action25]
<trackbot> Created ACTION-112 - Rewrite 8.3.2 [on Thomas Roessler - due 2007-02-06].
should 8.4.1 be in 8.3?
8.3.3. have def of chrome but not def of page
<tlr> ACTION: stuart to suggest "page" definition for Tim's glossary [recorded in [51]http://www.w3.org/2007/01/30-wsc-minutes.html#action26]
<trackbot> Created ACTION-113 - Suggest \"page\" definition for Tim\'s glossary [on Stuart Schechter - due 2007-02-06].
can't expect users to understand diff between page and chrome?
8.4 if user understand what indicators are, are there still problems?
this points out what user studies have shown
when browsing web, never really need to look at chrome, so what is the point of putting stuff in chrome
<tlr> ACTION: thomas to track rachna suggesting alternative wording for 8.4.1 [recorded in [52]http://www.w3.org/2007/01/30-wsc-minutes.html#action27]
<trackbot> Created ACTION-114 - Track rachna suggesting alternative wording for 8.4.1 [on Thomas Roessler - due 2007-02-06].
8.4.2 hard for users to recognize when something is missing, so maybe adding decorations for user to notice isn't effective
8.4.3 dialog boxes don't give user reasonable options, so users hit OK button
<yngve> About 8.4.3 there are at least as far as I can tell very few reasonable choices. usually just proceed or stop.
The only other option to asking the user this would be to choose one of these, but which one, combined with what explanations/indications are the ones that are best/most secure for the user? If we err on the side of caution, the users might not be able to do what they want to do and know are safe, while we may protect them from a number of
<yngve> possible dangers. Let the users through with some UI indication and they will be able to do what they want, but they are also free to ignore the warnings and do something they will regret.
<beltzner> Tyler, [53]http://www.mozilla.com/firefox/its-a-trap.html
<tlr> scribenick: staikos

Petname demo

Pet name demo
Tyler: Pet name is a firefox extension that can be downloaded from the add-on site
... people have "relationships" in the real world and make associations with those
... want to have the same associations on the web
... adds a lineedit toolbar. type in, ex: "dyndns" - goes to the appropriate website
... shows "untrusted" in pet name field when site is unknown
... simply type in a text name to remember the site
... also reminds you that you have been at a site if you go there by navigating links
... can add more information
mez: (missed question)
tyler: deployment experience
tyler: failings exist...
Hal: questions about all the input fields in the chrome
tyler: demos usage of firefox without url bar, only petnames + search + tabs
possible memory burden, like passwords
tyler: okay that it is guessable
But how many users will actually take time / effort to assign petnames?
No hard data on this
Banking is by far most popular usage
steep drop off beyond that in terms of usage
petname in url bar is slightly more spoofable (idea brought up by Mike)
tab title is a possible place to put the pet name
however petname applies site-wide, title is page-scope
generating chrome pattern skin to avoid pic-in-pic?
reports say they may not be working
wants to see a cartoon char in far-left of chrome
<beltzner> (cite: Jackson & Microsoft Research, recent study on EV certs showed that even difference in chrome colouration didn't significantly improve picture-in-picture recognition)
another problem; it's yet another chrome indicator and therefore users may not look there actively
would like to see user/password entry fields out of content region (see also: cardspace, kwallet, web wallet, ...)
could warn when sending passwords to new sites
keeping reliable info at bottom of region in particular to separate it from things like urls that are provided from possibly untrusted content
rob: giving feedback on risky actions is good if we can find consistent ways to do it, but the bottom of the page is risky
too many confusing widgets nearby
IE uses it for low-value notifications
(discussion of implementations of other systems)
form fill might be workable in the bottom but security notifications there are risky
Stuart: why not using existing bookmark interface?
tyler: easy, I am! petnames automatically creates a bookmark when you create a petname, and the petname bookmark can be used for navigation
maritzaj: like the positive or interrogative boxes vs negative message boxes
tyler can keep talking if we want, but that means scribe has to keep typing so vote is no
tyler: petnames is also great for banks that have multiple sites
uses information from the SSL cert

Extended Validation Certificates

See: [54]slides
PHB: scope of EV: limited
... ev is about accountability, which is not security, but enables security ...
... in the past: internet access was expensive ...
today we have: impersonation, can't see when it's safe or not safe, and DV certs
DV certs solve some classes of problems (DV = domain validated)
Ev objectives: increase accountability, confidence, and inform suspicious users
biggest bank costs is not direct fraud, but customer help desk calls
stretch goal: protect naive user
mez: increasing confidence of users while not protecting them. excellent.
beltzner: improved user experience is not addressed strictly in EV
EV in IE7 demo
mez: display switches over between different data -- accessibility guidelines?
rob: UI challenges exist, but our implementation does pass US govt accessibility requirements
phb: user experience changes are shallow, but testing shows that users notice the UI indicator
... disagrees with the recent study bashing EV
rob: pic in pic attack is definitely real. we expect site ops to communicate and educate users
pic in pic can be defeated with education
not all agree
One study showed that the red bar trumped the green one and that was what stood out in memory
(debate ensues about how good the IE7 UI decisions were)
mez: we should get data on this
two studies are coming on this one from CMU, one from usable security
reports conflict
in the past, training was hard because the UI was hard. better UI makes training easier
back to the PHB show
CA-browser forum: defining minimum criteria for authentication
consists of most browser developers, most CAs
tyler: what about name collisions?
phb: name+jurisdiction is the primary key
is this vulnerable to trademark phishing?
obtaining the cert requires display of incorporation documents, address for legal processes, display of accountability for that name
We have an accountability trail now
beltzner: this has been reviewed rigorously by authorities (ex: top legal experts)
people will try to attack it ? [55]http://www.pcworld.com/article/id,128674-c,onlinesecurity/article.html
Revocation changes with EV....
eventually OCSP is mandatory with ~1 hr update cycles
rob: we need to be positive in our report too. talk about all the great improvements we've made.
beltzner: speaking slowly
... we would do better to separate UI EV aspects from the spec when we talk about it...
... this demo mixes the two ...
... EV is a huge leap in information available ...
... green bar is a step up, but small step relative to what could be there
mez: tones will not be scribed in docs
rob: balance++
tyler: EV attempts to address phishing through cost increases
... this increases costs for everyone ...
... requires $100k/year to justify an EV cert ...
beltzner: EV spec doesn't need to be consistent with W3C. I am a big opponent of current EV spec but hope to support it someday
... SMB issue is a special case, and market will improve costs
... EV is there to identify, not to verify ...
... does not address business practices ...
stuart: how does economy of scale apply?
phb: costs : paying the CA, but also the procedures involved
... complainers don't even have SSL certs and are just making noise ...
... back to the regularly scheduled show ...
... "Opinion letter" ...
... allows extending the model to more than just the business name ...
... brands, logos, BBB rating, etc ...
... for non-inc businesses, could use "Merchant Acquirer Agreement" ...
... some issues exist
... fancy logotype demo
... logotypes are not part of CA-Browser forum ...
... but they should use EV as a minimum security level ...
(details about the contents of EV spec)
tyler: EV spec focuses on true name - is this really the phishing problem?
... maybe the relationship is more of an issue ...
... "is this -my- bank" ...
(search for a usecase for the EV model)
6.12 maybe
... bob could share FSTC cases with us...
Bob: very narrow scope, maybe not relevant
PHB: (explanation of the OID system in EV roots.
ref: CA-Browser forum)
beltzner: don't know where it should go but we need "current limitations" in the document
bwporter: cost burden is shifted in the different approaches
... where could it be shifted? ...
Tyler: can we quantify the user-burden?
mez: groupware is an analogy
<tlr> ACTION: zurko to contribute reference on cost/benefit questions in usability [recorded in [56]http://www.w3.org/2007/01/30-wsc-minutes.html#action28]
<trackbot> Created ACTION-115 - Contribute reference on cost/benefit questions in usability [on Mary Ellen Zurko - due 2007-02-07].
Tyler: burden with petnames is small
<maritzaj> [57]http://www.w3.org/2006/WSC/drafts/note/
Discussion of section 9.1
maritzaj: things to keep in mind
... Affordance ...
... Lock icon clickability is not clear ...
... Conceptual model - info should be displayed in a way that the user understands that what s/he thinks is happening is actually happening ...
Tyler: says the conceptual model is the user model
... discussion of password *ing case...
(site could be stealing keys)
(https may not be in use)
hal: *s were never intended to indicate encryption or protection. it was just an anti-shoulder-surfing-mechanism
mez: doesn't think it's been thought through
2.1 appears to apply
icons may be hard to describe though
may be too narrow - maybe use "indicators"
should be changed in the doc by Tyler
tlr: why should it only be 1 conceptual model?
mez: maybe there won't be just one, but there is no indication that -we- -want- to put out multiple...
... compare to cars: we want to be able to have everyone operate safely, even if they don't operate the same way ...
... discussion of mental model and whether or not to include it ...
... we should discourage indicators that lead to false mental models ...
... if conceptual model goes in, it needs to go in the glossary ..
(so why put it in if we can't define it anyway?)
... there is a definition there and seems to be UI-expert-friendly ...
beltzner: creating a mental model is an overwhelming task
... there appears to be a disconnect between what users think is happening and what actually is happening ...
9.1.3 UI should be understandable (language, etc) to the user
it should not be written in SHA-1
introducing new terms in a limited sense can be good
9.1.4 from Raskin's book
habit formation happens, design around it
9.1.5: single locus of attention
then it's always in focus!!
<tlr> staikos thinks we should put the padlock and EV indicator in the mouse pointer
256x256 pixels ;)
tyler: user can quickly forget what security indicator said
mez: we made it to 9.1.5!!!
<beltzner> staikos, meh, that's spoofable
beltzner: okay, then 512x512 pixels
we could put the url: bar in the mouse pointer too

Summary of Action Items

<trackbot> Created ACTION-93 - Explain issue raising process on public mailing list [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-94 - Draft subsections for 8 about "compelling user interface", crypto [on Phillip Hallam-Baker - due 2007-02-06].
<trackbot> Created ACTION-95 - Review use cases, suggest reorganization, ... [on Stuart Schechter - due 2007-02-06].
<trackbot> Created ACTION-96 - Draft initial outline of glossary [on Tim Hahn - due 2007-02-06].
<trackbot> Created ACTION-97 - Seed and drive process to document current-generation undocumented safeguards in wiki [on Mike Beltzner - due 2007-02-06].
<trackbot> Created ACTION-98 - Track Rachna adding references for 8.1.2 [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-99 - Track Rachna to draft text for section 8, covering "block pages" [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-100 - Propose alternative wording for 8.2.3 [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-101 - Suggest favorite favicon reference [on Mary Ellen Zurko - due 2007-02-06].
<trackbot> Created ACTION-102 - Switch order of 8.2.3 and 8.2.4 [on Tyler Close - due 2007-02-06].
<trackbot> Created ACTION-103 - Propose descriptive text on firefox anti-phishing UI (for 8.2) [on Mike Beltzner - due 2007-02-06].
<trackbot> Created ACTION-104 - Extend 8.2.1 by tab title [on Tyler Close - due 2007-02-06].
<trackbot> Created ACTION-105 - Propose text on notifiaction / information bar [on Mike Beltzner - due 2007-02-06].
<trackbot> Created ACTION-132 - Start discussion on mailing list to draw chrome items out and get analysis completed [on Mary Ellen Zurko - due 2007-02-13].
<trackbot> Created ACTION-106 - Propose clarifying language for 8.2.5 [on Mike Beltzner - due 2007-02-06].
<trackbot> Created ACTION-107 - Create a library of testcases / examples of attacks listed in section 8 [on Mike Beltzner - due 2007-02-06].
<trackbot> Created ACTION-108 - Track rachna to contribute more studies for 8.3 [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-109 - to propose more elaborate text for 8.3.1 ("padlock icon") [on Brandon Porter - due 2007-02-06].
<trackbot> Created ACTION-110 - Create new subsection under 8.2 to classify types of attacks [on Tyler Close - due 2007-02-06].
<trackbot> Created ACTION-111 - Track rob tracking URL scrolling issues [on Tyler Close - due 2007-02-06].
<trackbot> Created ACTION-133 - Offer text suggestion around "many users" [on Brandon Porter - due 2007-02-13].
<trackbot> Created ACTION-112 - Rewrite 8.3.2 [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-113 - Suggest "page" definition for Tim's glossary [on Stuart Schechter - due 2007-02-06].
<trackbot> Created ACTION-114 - Track rachna suggesting alternative wording for 8.4.1 [on Thomas Roessler - due 2007-02-06].
<trackbot> Created ACTION-115 - Contribute reference on cost/benefit questions in usability [on Mary Ellen Zurko - due 2007-02-07].
[End of minutes]
_________________________________________________________________

Minutes formatted by David Booth's [58]scribe.perl version 1.127 ([59]CVS log)
$Date: 2007/02/06 13:03:47 $

References

1. http://www.w3.org/
2. http://www.w3.org/2006/WSC/f2f2
3. http://www.w3.org/2007/01/30-wsc-irc
4. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#agenda
5. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item01
6. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item02
7. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item03
8. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item04
9. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item05
10. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item06
11. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item07
12. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#item08
13. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#ev
14. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#discuss9.1
15. file://localhost/home/roessler/W3C/WWW/2007/01/30-wsc-minutes.html#ActionSummary
16. http://www.w3.org/2006/WSC/drafts/note/
17. http://www.w3.org/2006/WSC/drafts/note/Overview.html
18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0206.html
19. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0190
20. http://www.w3.org/2005/10/Process-20051014/tr.html#cfr
21. http://www.w3.org/2007/01/30-wsc-minutes.html#action01
22. http://www.w3.org/2006/WSC/drafts/note/#problems
23. http://www.w3.org/2007/01/30-wsc-minutes.html#action02
24. http://www.w3.org/2007/01/30-wsc-minutes.html#action03
25. http://www.w3.org/2007/01/30-wsc-minutes.html#action04
26. http://www.w3.org/2006/WSC/drafts/note/#problems
27. http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors
28. http://pastebin.mozilla.org/3341
29. http://pastebin.mozilla.org/3341
30. http://pastebin.mozilla.org/3344
31. http://www.w3.org/2007/01/30-wsc-minutes.html#action05
32. http://www.w3.org/2007/01/30-wsc-minutes.html#action06
33. http://www.w3.org/2007/01/30-wsc-minutes.html#action07
34. http://www.w3.org/2007/01/30-wsc-minutes.html#action08
35. http://www.w3.org/2007/01/30-wsc-minutes.html#action09
36. http://en.wikipedia.org/wiki/Favicon
37. http://www.w3.org/2007/01/30-wsc-minutes.html#action10
38. http://www.w3.org/2007/01/30-wsc-minutes.html#action11
39. http://www.w3.org/2007/01/30-wsc-minutes.html#action12
40. http://www.w3.org/2007/01/30-wsc-minutes.html#action13
41. http://www.w3.org/2007/01/30-wsc-minutes.html#action15
42. http://www.w3.org/2007/01/30-wsc-minutes.html#action16
43. http://www.w3.org/2007/01/30-wsc-minutes.html#action17
44. http://www.w3.org/2007/01/30-wsc-minutes.html#action18
45. http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors
46. http://www.w3.org/2007/01/30-wsc-minutes.html#action20
47. http://www.w3.org/2007/01/30-wsc-minutes.html#action22
48. http://www.w3.org/2007/01/30-wsc-minutes.html#action23
49. http://www.w3.org/2007/01/30-wsc-minutes.html#action24
50. http://www.w3.org/2007/01/30-wsc-minutes.html#action25
51. http://www.w3.org/2007/01/30-wsc-minutes.html#action26
52. http://www.w3.org/2007/01/30-wsc-minutes.html#action27
53. http://www.mozilla.com/firefox/its-a-trap.html
54. http://www.w3.org/2006/WSC/EV-WSC.pdf
55. http://www.pcworld.com/article/id,128674-c,onlinesecurity/article.html
56. http://www.w3.org/2007/01/30-wsc-minutes.html#action28
57. http://www.w3.org/2006/WSC/drafts/note/
58. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
59. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 15 February 2007 11:12:57 UTC