- From: Thomas Roessler <tlr@w3.org>
- Date: Sat, 1 Sep 2007 14:52:18 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2007-08-22 were approved and are
available online here:
http://www.w3.org/2007/08/22-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
22 Aug 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
MaryEllen_Zurko, Bill_Doyle, Thomas, johnath, ifette,
Hal_Lockhart, Maritza_Johnson, luis, +1.703.671.aaaa,
Chuck_Wade, sduffy, serge, asaldhana, DanSchutzer, Tyler,
rachna, Tim_Hahn, jvkrey, +1.202.386.aabb
Regrets
Audian
Chair
MEZ
Scribe
hal, tlr
Contents
* [4]Topics
1. [5]Approve minutes from last meeting
2. [6]Newly completed action items
3. [7]Action items closed due to inactivity
4. [8]Agenda bashing
5. [9]Is page info summary a non-Goal?
6. [10]Usability evaluation of PII Editor Bar
7. [11]Rec Track conformance language - Error Handling and
Signalling
* [12]Summary of Action Items
__________________________________________________________________
Â
Â
<trackbot-ng> Date: 22 August 2007
<tlr> ScribeNick: hal
Approve minutes from last meeting
<tlr> [13]http://www.w3.org/2007/08/15-wsc-minutes.html
resolution: approved unanamously
Newly completed action items
Action items closed due to inactivity
Agenda bashing
tlr: suggest switching items 7 & 8
... should cover 9 for sure
mez: will move 9 up
Is page info summary a non-Goal?
<ifette> no
<Mez>
[14]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0123.html
tyler: need to apply usability principles
... in order to meet criteria should drop page info summary
... studies show little benefit
... could still put out doc saying what should be done
... but not part of rec
... not dilute efforts
... want readers to immediatly see benefit form following
recommendation
... invites simple criticisms
tlr: tyler have you looked at most recent draft?
tyler: no
tlr: I don't think we are claiming this section will help prevent
phising
... moving it to a note will consume as much time
... support keeping it in now
... need to consider restructuring infomaiton
... need to separate secondary from primary info
serge: what sort of security scenarios will this help with?
... users ignore it and it can be spoofed
... why leave it in?
chuck: attack scenarios change radically
... industry is always playing catchup
... allow users to prevent future attacks
... few people detecting attacks alert others
... providing better tools to the few will help the rest
<tlr> totally +1 to what Maritza says.
<Zakim> ifette, you wanted to talk about expert users having separate
tools and not needing something in the browser
maritzaj: offering improvements will be valuable and not too much work
- current is real bad
<Zakim> Mez, you wanted to suggest that if we continue to carry forward
Info bar we not do any usablity testing on it (as inspired by a comment
from tyler)
<Zakim> rachna, you wanted to suggest that assumptions should be
clearly spelled out in proposals
<tlr> actually, the "Additional Security Context Information", as it is
called in the latest draft.
<serge> We don't need to do any usability testing, because it's already
been done and shown that this is ineffective.
mez: suggest including it but not doing usability testing
rachna: would be useful to expert users
tyler: use by experts is why I propose moving not deleting - make it a
note
<Zakim> johnath, you wanted to try to pull good reasons for dropping it
out from bad
rachna: couldn't say so in rec instead of moving it ot note
<Mez> btw, Rachna, PII editor bar use eval is up after this discussion,
not last, as the original agenda suggested
<Mez> so stick around :-)
johnath: need to separate good reasons from bad
... effort may not be most important factor
<tlr> If arguing that a section puts the document into disrepute, it
would be refreshing if the argument was at least against the latest
draft.
johnath: if we feel we should recommend
... current page info is poor, does not prove better would not help
<tlr> oh yes, indeed. Tech-supporting my mother on a browser that I
don't run is *so* much fun.
bill-d: hard for hellp desks to deal with non-std page info
<Mez> Q: "The page info summary recommendation proposal
[15]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#pageinfosummary
should become a Note, similar to the Threat Trees work, and not be
included in our FPWD recommendations" (yes/can live with/no)
<tlr> no
mez: will do straw poll now
<Mez> Tim: no
<Mez> Michael M: no
<tlr> bill-d: no
<bill-d> no
<johnath> no
<sduffy> no
<ifette> No (Should *not* become a note, stay in rec)
no
<Chuck> no
<tyler> yes
<serge> yes
<Mez> abstain
<asaldhan> no
<maritzaj> no
<luis> neutral
<luis> no
<Mez> Dan: yes
<tlr> (confusion what is meant)
mez: vote in favor of leaving it
<tlr> ACTION: thomas to obtain disclaimer-style text for Additional
Security Context Information [recorded in
[16]http://www.w3.org/2007/08/22-wsc-minutes.html#action01]
<trackbot-ng> Created ACTION-282 - Obtain disclaimer-style text for
Additional Security Context Information [on Thomas Roessler - due
2007-08-29].
<tlr> With the observation that this might be reassigned to somebody
else.
Usability evaluation of PII Editor Bar
[17]http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFi
rstCut#head-19caf4993d486f3f77f40171acc200d22fbf016e
tlr: 2 or 3 observations
... in usability section some parts were so unclear they could not be
tested
... need to know if discussions have clarified this
<tlr>
[18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0127.html
tlr: need to look at difference between PII and current
<tlr>
[19]http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFi
rstCut
<tlr> [20]http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor
<tyler> [21]http://www.w3.org/2006/WSC/drafts/rec/#piieditor
tyler: wiki is not up to date
<Mez> PII EditorBar
<Mez> Requirements - this proposal assumes that:
<Mez> Users have the extension installed in their browser.
<Mez> Users are novice users- they are not security experts and
received no training.
<Mez> User Expectations- this proposal assumes that:
<Mez> Users will complete the bootstrap scenario, and they will select
petnames for sites they care about.
<Mez> When a user wants to fill out a web form, the user will enact the
attention sequence key to move from the web form to the editor bar.
<Mez> The user will notice when an illegitimate page requests
information that has previously been submitted to this website.
<Mez> The user will not submit data to a website that requests data
which has been previously submitted to that website.
confusion over what is current text
<Mez> The user will not be tricked by an illegitimate page that tries
to convince the user to create a new relationship with the site.
<Mez> The user will remember that they previously created a
relationship with this website and be suspicious, OR
<Mez> The browser will detect the reuse of a petname, because the user
will rename the same site with the same petname as used previously.
<Mez> Users will pick unique petnames, and they won't be tricked by PII
editor bar spoofing that attempts to mimic their customization.
<Mez> Relevant Literature
<Mez> What is known
<Mez> Can users use the activation sequence correctly? One prior study
(A Usability Study and Critique of Two Password Managers by Sonia
Chiasson and P.C. van Oorschot) indicates that users have trouble
remembering to activate an attention sequence, activating it at the
right time (e.g., when focus is in the text box), or in knowing when it
has been activated. For example, in the study of Password Multiplier,
they found that users would not know if they had entered the attent
<Mez> Are users willing to make site specific nicknames? From
deployments of the petname toolbar (e.g., at HP), we can get an
estimate of how many users gave a petname to what sites, and how many
chose the same petname for a given site.
<Mez> Unknown
<Mez> Will users be willing to use the attention sequence for each form
field? Shifting focus away from each field may require more effort than
the effort of typing, because it is cumbersome and a new skill (most
users do not use keyboard shortcuts and use the mouse to move between
fields).
<Mez> Will users correctly fulfill the behavioral expectations
described above and not succumb to spoofing attacks?
<Mez> Testing
<Mez> We require a prototype implementation of this proposal to do
further analysis, because much of the usability and security will
depend on specific design decisions.
<tlr>
[22]http://www.w3.org/2002/02/mid/08CA2245AFCF444DB3AC415E47CC40AFDD687
C@G3W0072.americas.hpqcorp.net;list=public-wsc-wg
<Mez>
[23]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0029.html
those to URIs point to the same message
tyler: will need to provide some user training before usability testing
rachna: possible to train part way thru or train some users and not
others
<serge> the Jackson study, it's in the Bookmarks
<johnath> mez - the picture in picture
rachna: sometimes training can hurt
<Zakim> johnath, you wanted to ask if that would artificially inflate
the success?
rachna: study of IE 7 is an example
joahath: need to at least do some with no training
<Zakim> ifette, you wanted to ask about realism of expecting training
for browsers?
joahath: to get realistic results
ifette: +1 to Johnath
<ifette> but nobody reads start screens
<johnath> rachna: true
rachna: could have some initial help screens
<Zakim> johnath, you wanted to reply to tyler
<ifette> +1 to no training
tyler: if decide no training, should apply to all tests
<serge> there's another issue: if we show them how to do it in the lab,
will they continue to do it at home
johnath: should be clear on what testing is trying to accomplish
tlr: critical piece is to be clear about what a particular test is
about
... not immediate decision
... suggest getting back to main thread
maritzaj: is this for everyone all the time or just certain situaitons
tyler: all the time for everyone
maritzaj: not unreasonable to assume some training
... problem with lock is most people don't know what it indicates
tyler: this apporach is not passive, interrupts user
<ifette> what they're talking about right now (what user action is
required, for all vs for some etc)
maritzaj: user needs to take initiatave first time
<Mez> [24]http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor
<tlr>
[25]http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor-useca
ses-bootstrap
tyler: not so look at doc - user is prompted for Pet name
<tlr> point of order, can we keep *this* discussion to essential
clarifications and move to the merits at one of the next calls, to
stick somewhat to the agenda?
ifette: very worried about interupting users flow or turn off feature
tyler: does not interrupt - form filler drives it
ifette: if I am on site and create new account and password will I be
interupted?
tyler: only if you use pass manager or form filler
ifette: worried about dictating UI
tyler: thats the purpose of WG
tlr: rather than getting into merits, just stick to clarifications
<tlr> The user will notice when an illegitimate page requests
information that has previously been submitted to this website. The
user will not submit data to a website that requests data which has
been previously submitted to that website.
tlr: clarification needed in usability evaluaton
<Mez> The user will notice when an illegitimate page requests
information that has previously been submitted to this website.
<Mez> The user will not submit data to a website that requests data
which has been previously submitted to that website.
rachna: wanted to list spoofing conditions that user might notice and
see if they do
<tlr>
[26]http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor-useca
ses-imposter
rachna: if user detects something fishy
... not describing scenario
tyler: propsal is completely intrusive, no user option
rachna: would like authors to define success
<tlr> ScribeNick: tlr
hal: if tyler's thing prevents people from typing in, not gonna spend a
lot of time ...
... but maybe is something else wrong? ...
... question is, set up test so it's strawman ...
... obvious part that should succeed will succeed ...
... that seems to be difficult issue ...
rachna: good point
tyler, rachna engage in speed talking contest
tyler: chuck reported people use form filler for banking passwords
<ifette> lol
tyler: take from that that form fillers etc are already used ...
<Zakim> ifette, you wanted to say it should be voluntary
ifette: if mandatory users will avoid in some way
rachna: need to test annoyance in UI testing
<scribe> ScribeNick: hal
tyler: will only know until we test
... believe users will have to interact, not just pictures
tyler: would like to sit do and be coached on Mozzilla APIs required
Mez: could do this at F2F
<Mez>
[27]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#error-handling
<tlr> Code sprint might be useful in *addition* to a f2f.
Rec Track conformance language - Error Handling and Signalling
tlr: if security is degraded in minor way don't interupt user
<rachna> signing off- I have to go to a mtg. Tyler let's continue this
discussion to get your comments into the usability text.
tlr: if serious change to security properties - interupt user, provide
help
... should be able to get back to where you left off
<tyler> Ok, you can call me at the office until Thursday
tlr: error interactions not popups, but error pages
... if user disables, ???
<tlr> [28]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2739434
mez: looks like section 3.1 follows this, serge do you agree?
<tlr> *cough* will fix the anchor ASAP
serge: don't know
tlr: lots of warnings that get ignored
... try to identify really bad security and force interaction
tlr: try to distingush between to cases
serge: need strong rare warnings for serious problems
<tlr> ACTION: serge to contribute references to support 5.3.1 [recorded
in [29]http://www.w3.org/2007/08/22-wsc-minutes.html#action02]
<trackbot-ng> Created ACTION-283 - Contribute references to support
5.3.1 [on Serge Egelman - due 2007-08-29].
<Mez> hal, want to scribe your comments?
hal: 2 comments
... propsal depends on ability to distinguish between cases, which will
be hard to establish emprically
... going back to where you were may be very hard, especially synching
btw web site and browser
tlr: agree with first, second - only back to prior user agent state not
web site
... start TLS negotiaiton - server shows good cert, but domain name is
wrong
tlr: have means to know what correct url is
tlr: suggest augment error page to contain live link to site
tlr: option to user to follow link
... constructing url must be possible from cert alone
tlr: must use safe method to access site
<Zakim> ifette, you wanted to note scary use case
<Zakim> Mez, you wanted to say make more general, if user has nicname,
use that (probably same as ian)
ifette: scary scenario - browser appears to endorse bad guy site
mez: DNS based identity is scary
tlr: agree attack would be possible
... 2 things to mitigate
... user needs ?? from authority
... would reference org not user
<Mez> DN's are scarey too, btw (org field, etc)
tlr: idea is to interrupt flow and check w/o leaking info to bad guys
bill-d: discussion on list - use known good DNS server - does that
solve problem?
<Mez> We're wrapping after this question; it's time folks
tlr: no - typical circumstance that they are intercepting at TCP level
<ifette> someone doing the zakim, rrsagent commands to draft minutes?
Summary of Action Items
[NEW] ACTION: serge to contribute references to support 5.3.1 [recorded
in [30]http://www.w3.org/2007/08/22-wsc-minutes.html#action02]
[NEW] ACTION: thomas to obtain disclaimer-style text for Additional
Security Context Information [recorded in
[31]http://www.w3.org/2007/08/22-wsc-minutes.html#action01]
Â
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [32]scribe.perl version 1.128
([33]CVS log)
$Date: 2007/08/29 19:18:59 $
__________________________________________________________________
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0138.html
3. http://www.w3.org/2007/08/22-wsc-irc
4. http://www.w3.org/2007/08/22-wsc-minutes.html#agenda
5. http://www.w3.org/2007/08/22-wsc-minutes.html#item01
6. http://www.w3.org/2007/08/22-wsc-minutes.html#item02
7. http://www.w3.org/2007/08/22-wsc-minutes.html#item03
8. http://www.w3.org/2007/08/22-wsc-minutes.html#item04
9. http://www.w3.org/2007/08/22-wsc-minutes.html#item05
10. http://www.w3.org/2007/08/22-wsc-minutes.html#item06
11. http://www.w3.org/2007/08/22-wsc-minutes.html#item07
12. http://www.w3.org/2007/08/22-wsc-minutes.html#ActionSummary
13. http://www.w3.org/2007/08/15-wsc-minutes.html
14. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0123.html
15. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#pageinfosummary
16. http://www.w3.org/2007/08/22-wsc-minutes.html#action01
17. http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut#head-19caf4993d486f3f77f40171acc200d22fbf016e
18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0127.html
19. http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
20. http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor
21. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
22. http://www.w3.org/2002/02/mid/08CA2245AFCF444DB3AC415E47CC40AFDD687C@G3W0072.americas.hpqcorp.net;list=public-wsc-wg
23. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0029.html
24. http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor
25. http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor-usecases-bootstrap
26. http://www.w3.org/2006/WSC/drafts/rec/Overview.html#piieditor-usecases-imposter
27. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#error-handling
28. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2739434
29. http://www.w3.org/2007/08/22-wsc-minutes.html#action02
30. http://www.w3.org/2007/08/22-wsc-minutes.html#action02
31. http://www.w3.org/2007/08/22-wsc-minutes.html#action01
32. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
33. http://dev.w3.org/cvsweb/2002/scribe/
Received on Saturday, 1 September 2007 12:52:24 UTC