- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 17 Jul 2007 17:03:01 +0200
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 27 June were approved and are
publicly visible:
http://www.w3.org/2007/06/27-wsc-minutes
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC WG Weekly
27 Jun 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
MaryEllen Zurko, Thomas Roessler, George Staikos, Phillip
Hallam-Baker, Jan Vidar Krey, Yngve Pettersen, Chuck Wade, Tyler
Close, Johnathan Nightingale, Hal Lockhart, Luis Barriga, Bill
Doyle, Mike Beltzner, Rachna Dhamija
Regrets
Tim_H, Bruno_vN, Audian_P, Dan_S, Shawn_D, Maritza_J, Serge_E
Chair
Mez
Scribe
staikos, chuck
Contents
* [4]Topics
1. [5]administrivia
2. [6]minutes approval
3. [7]action item review
4. [8]letterhead discussion
5. [9]Synopsis of 3rd TIPPI Workshop
6. [10]next meeting
* [11]Summary of Action Items
__________________________________________________________________
administrivia
Mez: George [Staikos] is scribing today
Mez mentioned recent experience scribing for a call, and that it can be
challenging
... so, appreciates George very much
minutes approval
<TLR> [12]http://www.w3.org/2007/06/20-wsc-minutes.html
<TLR> so approved
Mez: Minutes from June 20th meeting approved
action item review
Mez: No actions closed due to inactivity
<TLR> ACTION-237 completed successfully; no actions at risk.
Began "agenda bashing" discussion. It was suggested that we get someone
to brief this group on the recent TIPPI workshop.
<jvkrey> [13]http://crypto.stanford.edu/TIPPI/
PHB: Burt Kaliski and Dan Boneh are the workshop organizers/leaders
<Mez> Please discuss the TP Day agenda during one of your near-future
Group calls, and start a discussion on your mailing lists. Provide your
Group's input by 13 July 2007 to the Tech Plenary discussion list ...
<Mez> -- mailto:member-techplenary@w3.org
<Mez> This list is also archived at...
<Mez> -- [14]http://lists.w3.org/Archives/Member/member-techplenary/
<Mez> ... and is Member readable and writable.
<Mez> Feel free to provide input on agenda topics (e.g., future of
(x)HTML(n), video on the Web, efficient XML, etc.), or on the format
for sessions (e.g., panels, demos, lightning talks, etc.). Think about
topics that would have appeal to a wide variety of W3C folks.
<johnath> Sorry Mez, I missed a snip of that at the end - did you say
you will start this conversation by email?
johnath: my browser doesn't work so is there anything we want to get on
the agenda?
TLR: forward ideas directly or channel through Mez or TLR
Mez: not me
... updates from tyler and thomas on what to do before last call
... which groups should we liaison with? now is the time...
Mez initiated discussion of what needs to be done prior to last call.
Also, what other groups should we ask to review our document or liaise
with.
Tyler: controversial items: list of security information - more data
needed
... use cases don't provide basis for explanation and evaluation
Mez: Asks for more information and clarification?
TLR: Yes, there is info to add, but don't want to block on that for
last call
<johnath> none from me - I think it captures the things I've considered
in my recs
Bill Doyle: We could go over the [use cases] again
Tyler: I took out 'exhaustive' keyword
... at f2f felt that people felt that this section was woefully
incomplete
... with a list, I could add them myself
... doesn't claim to provide -all- information, just a limited list of
what's in scope
Bill D: takes action to review it this week (tomorrow)
<TLR> ACTION: Bill to review list of security information this week
[recorded in
[15]http://www.w3.org/2007/06/27-wsc-minutes.html#action01]
<trackbot> Created ACTION-263 - Review list of security information
this week [on Bill Doyle - due 2007-07-04].
TLR: does not understand the meaning of some items in there
... maybe we need to expand on it
Tyler: I need to know specifically which items are at issue
TLR: will send a list
Tyler: do we need to rework the use cases for something that is easier
to build recommendations off of?
Johnathan: I don't like to bring up threats when I don't have solution
[to offer]
Mez: we're not specifically requesting threats/responses information,
what we have is in the Wiki and informal
Johnathan: It's weak to say in use cases "this applies to all use
cases"
<Mez> the top of the template says:
<Mez> All sections are required for FPWD. Use your best judgement on
filling them with appropriate content.
<Mez> I thought the latter would be enough room for people to say in
totally inappropriate sections - not applicable
TLR: Johnathan, I agree on robustness, but, for example, the fullscreen
usecase might be something to cover
[Ed: if I understood TLR correctly]
Mez: Not everything we cover needs to be in use cases
<Chuck> Does it help to address "vulnerabilities" as a more specific
topic than the broader and more ambiguous topic of "threats"?
<Rachna_> "Full screen mode" is currently not one of our use cases or
in our list of attacks.
<Mez> Rachna, shouldn't that be there? is it just a matter of adding
it?
<TLR> Rachna, indeed, that was my point. Some of the robustness things
might specifically *not* be useful in such a context.
Mez: checklist is good but not mandatory
<Mez> [16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0188.html
Mez: threat tree is a reference - agreed to at f2f
<rachna_> [17]http://www.w3.org/2006/WSC/wiki/ThreatTrees
<Chuck> Part of the problem is that "attacks" are constantly evolving.
Tyler: Suggested postponing discussion until next meeting in 2 weeks?
<rachna_> Bill and Tyler, IMO, we should label branches that are out of
scope or move them to a different section, rather than deleting them,
so that people know that we are aware of them.
<tyler> rachna, that sounds good
George Staikos: I am being distracted by various interrupts. I am
having difficulty scribing the conversation.
<Chuck> Ok, I'll fill in
<TLR> ScribeNick: chuck
<TLR> thanks Chuck
Mez: Put out call for liaisons with other organizations.
<rachna_> Digital PhishNet is Microsoft's version of APWG - they have
law enforcement membership (FBI)
Anything else for last call (Mez)??
<hal> Thomas did you get the name of that group mentioned yesterday
that we should liaise with?
<TLR> Hal, I guess the closest there is to "the group" would be Project
Concordia or Liberty Alliance as such.
<rachna_> other potential orgs to liaise with: IETF, gov agencies (FTC,
FDIC/FFIEC)
letterhead discussion
Mez: Moving to discussion of Secure Letterhead, handoff to PHB
<Mez> [18]http://www.w3.org/2006/WSC/drafts/rec/#letterhead
PHB: Secure Letterhead provides a secure means for cryptographically
binding logos to the cert and also for associating the cert with the
actual parties. Secure Letterhead is based on established standards,
primarily from IETF. Also existing industry practices from cert issuers
(e.g., VeriSign) support these mechanisms.
PHB: Secure Letterhead can display issuer logo as part of browser
chrome. Can be used with DKIM as well. This allows email clients to
display DKIM cert info and issuer logotype when presenting email
message to user.
PHB: Three types of logotypes: subject, issuer, and "community."
Community logos are meant to imply membership or accreditation; goes
beyond issuer's representations. Any display of logos needs to be
accredited in some fashion. Phillip plans to make a proposal to
CABForum that will represent a baseline for presenting logotypes.
<Mez> [19]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
Mez asks PHB about conformance language; observes that this appears to
be missing from draft of Secure Letterhead proposal
<Mez> Requirement | Good Practice
<Mez> The statement against which we expect an implementation to
declare conformance. Requirements correspond to a MUST, Good Practices
correspond to a SHOULD
PHB expanded his comments on conformance language, introducing "may,"
"should," and "must." He also noted some concerns about trademark
issues that relate to graphical images. Probably should reference
CABForum as a source of requirements.
Tyler raises questions about passive indicators in chrome, given that
all studies seem to show marginal benefit.
PHB: This is probably not your first line of defense in phishing. One
use of logotype certs provides a tie-in to other solutions, like Card
Space, which can introduce more active controls with proper indications
to users. Went on to note that this can also be used in a customer
support context, and provided an example of telephone dialogue with
customer support rep, who might ask customer what their browser is
currently displaying. Customer support is a major cost for financial
institutions, and so this may help improve impact on customer support
resources. Phillip went on to indicate that usability tests need to be
considered in a broader context that reflect months of use, and
familiarity, as well as training.
Johnath: Difficult to provide meaningful feedback on this document
without the conformance language—i.e., what does it mean to have a
compliant implementation? As an example, can this be implemented in
secondary chrome? Without this context, it is difficult to assess the
concreteness of this proposal.
Johnath: Example, can this be implemented in secondary chrome?
Concreteness of recommendation is difficult to assess.
Mez: Asks PHB to take action to update proposal to comply with all
template sections.
<TLR> ACTION: hallam-baker to complete secure letterhead template
[recorded in
[20]http://www.w3.org/2007/06/27-wsc-minutes.html#action04]
<trackbot> Created ACTION-264 - Complete secure letterhead template [on
Phillip Hallam-Baker - due 2007-07-04].
PHB: added that "accessibility" issues have been a concern with this,
and other high visibility features
PHB: noted that tech specs for logotypes can include alternative info,
such as sound recordings (sound bites or audio files). However, it
might be better to have browser read out cert info [to someone who is
visually impaired].
<Zakim> Thomas, you wanted to note there's sound trademarks
PHB: Further noted that there are no specs yet for how to display
community logotypes. There are also unknowns as to how an issuer
vouches for the community logo. This could have major issues with
liability for issuers.
<Mez> [21]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Letterhead
<Mez> thank you phb
PHB: Observed that a section on accessibility is included in both
template and proposal.
TLR: expressed a concern that we may need to dig into the accessibility
issues further. For example, how screen readers [for visually impaired
users] present information on security.
PHB: responded to Thomas by noting that it is difficult to require
subjects to include audio logos, but they can be required to provide an
x.509 distinguished name, which can be audibly read out to a user.
Yngve provided reference to use of sound bites from the [Sci-Fi]
literature
<yngve> Science Fiction reference was to L. E. Modesitt Jr. book "Flash"
<yngve> background is that "Rez" chords are used for product
placement/trademarks.
Synopsis of 3rd TIPPI Workshop
Mez: Asked Rachna if she could provide an update on TIPPI. She agreed
to cover this topic today.
<rachna_> [22]http://crypto.stanford.edu/TIPPI/
Rachna gave a bit of background on TIPPI Workshop. She considers it to
be one of the best conferences addressing this problem space due to
its focus on practitioners [not too academic].
Yahoo presented overview of their solution, and PassMark presented
their sitekey technique. Rachna gave a talk on usability testing that
addressed limitations of SiteKey. This led to a debate/discussion of
the benefits of SiteKey-like techniques based on these three
presentations. Bank of America's position seems to be that SiteKey is
useful because it has helped to increase user confidence in online
banking, and that users like it.
PHB: Questioned value of "increasing confidence" of users. If you don't
actually deliver improvements, then confidence can also be eroded. One
of the consequences of things like SiteKey is that you disrupt some of
the users' assumptions, and complicate the social engineering issues.
Rachna added that users have not been trained what to do when they
don't see their SiteKey.
PHB: investments in technologies (like SiteKey) may have become an
impediment to a realistic assessment of their effectiveness.
Rachna continued with topics from TIPPI. Malware papers were delivered
and discussed.
Rachna noted that ethical testing questions were discussed, and Tyler
asked for clarification as to how this affects in-the-wild testing.
Rachna noted tradeoffs between qualitative and quantitative data
Rachna (someone?) presented a paper on malware that hijacks sessions on
the user's machine, and proposed some possible countermeasures involving
VM-based approaches.
TLR: observed that malware attacks are a growing concern to European
banks.
Rachna: A U of Indiana researcher proposed a counter-measure that would
have the browser send history information to a relying web site. This
was viewed as controversial.
In summary, Rachna observed that the sense coming out of TIPPI 3 is
somewhat depressing. There's not much progress to report, while
problems continue to grow.
Tyler: asked about clarification on malware vs. phishing. Rachna
observed that phishing attacks are becoming much more intertwined with
malware attacks. There are lots more types of attacks, in part, because
of new techniques leveraging malware.
Tyler: is looking for insights into what distinctions we might be able
to lean on in our work.
Rachna: agrees with Tyler that these do lead to important questions of
scope. The goals of the attackers are the same, independent of their
approach.
TLR: noted connection between root kits and higher level security
models. (Ed, having a hard time hearing TLR's editorialization)
Johnath: Refers to APWG stats that show increases in and evolution of
phishing attacks, but wonders about actual losses and whether there is
data on how effective phishing attacks really are. Rachna observed that
FIs tend to be very discreet about actual loss rates, so this
information is not generally available.
Chuck: Aside, APACS in the UK is one of the few official sources for
fraud loss rates. (ref: www.apacs.org.uk)
Johnath: Raises question of whether or not there are incentives to keep
reporting on how big the phishing problem is, but not how effective the
attacks really are? Could effectiveness be decreasing?
Beltzner: raised similar question about effectiveness of phishing
attacks. Do takedown measures help? What is effective seems to be
vague. We know black/white lists are not terribly effective, but do
they help at all? Rachna agrees that this is a very important set of
questions, with few answers readily at hand.
PHB: adds that concrete data is hard to come by. The losses are also in
the operational costs to reverse fraudulent transactions. The cost of
back end and customer support is what really concerns the banks. Banks
imply that they are making more money on online banking and they have
more users on online banking. Fraud is not currently the biggest
concern with online banking, but the fraud rates are rising fastest in
this area.
<johnath> +1 to tyler's question, and anyone who could answer it
<Mez> thomas, this was the last question, sorry
Tyler: we should be evaluating our recommendations and proposals in
terms of impact on customer support calls and costs. Do we have any
figures on the magnitude of these problems?
Rachna: does not have references to data, but it seems like an
important consideration
<rachna_> Mike, this is one public analysis I have seen on website
takedown on phishing (It doesn't answer your question though):
[23]http://www.cl.cam.ac.uk/~rnc1/weis07-phishing.pdf
TLR: suggests that we consider this as a topic for future discussion
and feedback.
Rachna did plug the work of WSC at the TIPPI conference—way to go!
next meeting
Mez: Brought meeting to a close. Noted that there will not be a meeting
next week due to U.S. Holiday.
Summary of Action Items
[NEW] ACTION: bill to review list of security information this week
[recorded in
[24]http://www.w3.org/2007/06/27-wsc-minutes.html#action01]
[NEW] ACTION: phillipp to complete secure letterhead template [recorded
in [25]http://www.w3.org/2007/06/27-wsc-minutes.html#action03]
[End of minutes]
__________________________________________________________________
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0218.html
3. http://www.w3.org/2007/06/27-wsc-irc
4. http://www.w3.org/2007/06/27-wsc-minutes#agenda
5. http://www.w3.org/2007/06/27-wsc-minutes#item01
6. http://www.w3.org/2007/06/27-wsc-minutes#item02
7. http://www.w3.org/2007/06/27-wsc-minutes#item03
8. http://www.w3.org/2007/06/27-wsc-minutes#item04
9. http://www.w3.org/2007/06/27-wsc-minutes#item05
10. http://www.w3.org/2007/06/27-wsc-minutes#item06
11. http://www.w3.org/2007/06/27-wsc-minutes#ActionSummary
12. http://www.w3.org/2007/06/20-wsc-minutes.html
13. http://crypto.stanford.edu/TIPPI/
14. http://lists.w3.org/Archives/Member/member-techplenary/
15. http://www.w3.org/2007/06/27-wsc-minutes.html#action01
16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0188.html
17. http://www.w3.org/2006/WSC/wiki/ThreatTrees
18. http://www.w3.org/2006/WSC/drafts/rec/#letterhead
19. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
20. http://www.w3.org/2007/06/27-wsc-minutes.html#action04
21. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Letterhead
22. http://crypto.stanford.edu/TIPPI/
23. http://www.cl.cam.ac.uk/~rnc1/weis07-phishing.pdf
24. http://www.w3.org/2007/06/27-wsc-minutes.html#action01
25. http://www.w3.org/2007/06/27-wsc-minutes.html#action03
Received on Tuesday, 17 July 2007 15:03:15 UTC