- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 23 Jan 2008 18:14:12 +0100
- To: public-wsc-wg@w3.org
Minutes from our meeting on 2008-01-16 were approved and are
available online here:
http://www.w3.org/2008/01/16-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
16 Jan 2008
See also: [2]IRC log
Attendees
Present
Mary Ellen Zurko, Phillip Hallam-Baker, Ian Fette, Jan Vidar
Krey, Thomas Roessler, Yngve Pettersen, Johnathan Nightingale,
Dan Schutzer, Hal Lockhart, Bill Doyle, Maritza Johnson, Tim
Hahn, Anil Saldhana, Tyler Close
Regrets
Luis Barriga, Serge Egelman, Stephen Farrel, William Eburn
Chair
Mary Ellen Zurko
Scribe
Jan Vidar Krey
Contents
* [3]Topics
1. [4]Agenda
2. [5]ISSUE-128
3. [6]ISSUE-124
4. [7]ISSUE-125
5. [8]ISSUE-129
* [9]Summary of Action Items
__________________________________________________________________
Agenda
<ifette> link for minutes?
<Mez> [10]http://www.w3.org/2008/01/09-wsc-minutes.html
Mez: next item, approving minutes from last meeting
... Approved
... Weekly completed action items
<tlr> sorry about the minutes, seems they were stuck
<tlr>
[11]http://lists.w3.org/Archives/Member/member-wsc-wg/2008Jan/0009.html
<Mez>
[12]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0150.html
Mez: action items closed due to inactivity, none. Some might be
closed later.
... Agenda bashing
... Issues 128, 124, 125, 129 have no next step
Mez: Please fill out the questionnaire for the next f2f by this week.
[13]http://www.w3.org/2002/09/wbs/39814/wscf2fgoog2008/
Mez: Remind everyone there is a heartbeat requirement for xit and
usecases.
tlr: early February is a reasonably accurate date ;-)
<Mez> [14]http://www.w3.org/2006/WSC/track/issues/128
ISSUE-128
Mez: first item ISSUE-128, what is the next step?
<Mez>
[15]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Dec/att-0021/rewrite-5-20071205.html
<Mez> [Definition: (normative) Strong TLS algorithms are defined as the
algorithms recommended by [ref-ALGORITHMS].]
Mez: A lot of discussion, but nothing summarizes it
yngve: Point out for "What is a secure page", I put estimates for what
encryption bit strength can be broken in a number of years... Can be
used as a foundation.
Mez: link ?
yngve: coming up
Mez: other proposals?
<yngve> [16]http://www.w3.org/2006/WSC/track/actions/285
johnath: maybe ping Stephen
<tlr> I believe this was Yngve's proposal:
[17]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
<yngve> References:
[18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
<johnath> yes - that looks like a lovely set of references to me
<tlr> The Dining Cryptographers' List
PHB2: It is not really something to do in usability.
Bill: I believe the structure is in place to do this, in Apache for
example
PHB2: The usability document needs to reference the TLS recommendations
<yngve> [19]http://www.ietf.org/rfc/rfc4346.txt
<yngve> [20]http://www.ietf.org/rfc/rfc3766.txt
tlr: rfc 3766 sounds like the one
<tlr> ACTION: bill-d to draft language to reference RFC 3766 or
successors in a useful way [recorded in
[21]http://www.w3.org/2008/01/16-wsc-minutes.html#action01]
<trackbot-ng> Sorry, couldn't find user - bill-d
tlr: Something along the lines as "Only use algorithms in RFC3766 for
public key encryption"
<tlr> ACTION: doyle to draft language to reference RFC 3766 or
successors in a useful way [recorded in
[22]http://www.w3.org/2008/01/16-wsc-minutes.html#action02]
<trackbot-ng> Created ACTION-370 - Draft language to reference RFC 3766
or successors in a useful way [on Bill Doyle - due 2008-01-23].
Mez: anything else ?
... Next issue, ISSUE-124.
ISSUE-124
<Mez> [23]http://www.w3.org/2006/WSC/track/issues/124
<Mez>
[24]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-reliabletext
Mez: very visually oriented section. *Might* be something tricky about
this one.
... one way is to substitute "display" with "present"
tlr: Present vs display probably takes care of most of this issue.
... This section needs to be cleaned up for normative language
... Would prefer someone else to do it
asaldhan: I can do editorial changes to it
<tlr> ACTION: anil to take a stab at ISSUE-124 [recorded in
[25]http://www.w3.org/2008/01/16-wsc-minutes.html#action03]
<trackbot-ng> Created ACTION-371 - Take a stab at ISSUE-124 [on Anil
Saldhana - due 2008-01-23].
<tlr> ACTION-371?
<trackbot-ng> ACTION-371 -- Anil Saldhana to take a stab at ISSUE-124
-- due 2008-01-23 -- OPEN
<trackbot-ng> [26]http://www.w3.org/2006/WSC/track/actions/371
ISSUE-125
<tlr> ISSUE-125?
<trackbot-ng> ISSUE-125 -- Safe Form Bar: on screen masking phrased in
terms of visual user agents -- OPEN
<trackbot-ng> [27]http://www.w3.org/2006/WSC/track/issues/125
<Mez> [28]http://www.w3.org/2006/WSC/track/issues/125
Mez: next item, ISSUE-125
... sounds like more of the same, visually oriented
<tlr> [29]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
Mez: ?
... If we removed the "onscreen" in title, substitute present and
display
<asaldhan>
[30]http://lists.w3.org/Archives/Member/member-wsc-wg/2007Nov/0006.html
has brief discussion on this. tlr mentioning that it applies to voice
Mez: attack is visual
tlr: attack can also occur with a screen reader
<tlr> I don't understand what the requirements mean for non standard
GUI; I can see a high-level requirement usefully in the spec
<tlr> ACTION: thomas to propose high-level wording instead of 7.6
[31]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125
[recorded in
[32]http://www.w3.org/2008/01/16-wsc-minutes.html#action04]
<trackbot-ng> Created ACTION-372 - Propose high-level wording instead
of 7.6 [33]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask;
ISSUE-125 [on Thomas Roessler - due 2008-01-23].
<tlr> action-372?
<trackbot-ng> ACTION-372 -- Thomas Roessler to propose high-level
wording instead of 7.6
[34]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125 --
due 2008-01-23 -- OPEN
<trackbot-ng> [35]http://www.w3.org/2006/WSC/track/actions/372
<tlr> ACTION: mez to poll al G about shoulder surfing attacks in
context of assistive technologies [recorded in
[36]http://www.w3.org/2008/01/16-wsc-minutes.html#action05]
<trackbot-ng> Created ACTION-373 - Poll al G about shoulder surfing
attacks in context of assistive technologies [on Mary Ellen Zurko - due
2008-01-23].
ISSUE-129
Mez: next is, ISSUE-129
<Mez> [37]http://www.w3.org/2006/WSC/track/issues/129
Mez: "Should we say anything about scoring techniques?"
... We have had some discussion with regards to the padlock
<Mez>
[38]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0165.html
tjh: It should remain in the document
<Mez>
[39]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0156.html
tjh: how to express it, as a colour, number, or sound... ?
Mez: Another part of the thread, If there is a problem, a passive
notification is not enough, how can this be communicated?
... How can the site identity be distilled into a number?
... some concern about legal issues, related to a score
danschutzer: only certain things can be controlled. We would probably
want to restrict ourselves to some things; Secure connection, accessing
the site I think I am accessing
... cannot know about other things, such as a compromised computer, or
server
yngve: we have 2 types of security context indicators in many browsers:
1) padlock, 2) fraud warning.
... we have some checks for questionable sites, scammers, etc. using
blacklists or whitelists of sites
<tjh> maybe instead of "Page Security Score" it should be called
"Connection Confidence Estimate".
yngve: there are questions about privacy for these solutions
<Zakim> ifette, you wanted to explain the legal issue thread
ifette: The legal stuff
... If a browser says it is secure, that is full endorsement...
... If Bank A and Bank B get different scores, the one worse off might
go after the browser vendor
<MikeM> if browsers haven't been sued over padlock for past 20 years, I
don't see why we expect lawsuits over other indicators that are
actually better.
<johnath> MikeM: that's a comfortable position to take when you're
unlikely to be named in the suit, but I think Ian's point is that
including this language will hurt adoption
<Zakim> Mez, you wanted to say that I am glad we have something in xit
that addresses the space of the padlock
ifette: the padlock is not ambiguous in the same way as these algorithms
tjh: I don't recall our draft saying anything about "Safe for
e-commerce" for page security score
PHB2: Large browser vendors were concerned about the legal implications
of the padlock, that is why EV happened.
<ifette> Phil, are you saying that the legal concerns over the score
(or worries on behalf of browser vendors) are or are not founded?
<Zakim> ifette, you wanted to say it's not what statement we intend but
rather what the user interprets the statement as meaning
PHB2: the liability here... IANAL... the liability of the party who
calculates/presents the information, and the party who provides the
information needed
ifette: worry about how people will interpret security scores when
comparing sites... Why is my page not as secure ?
<ifette> Potential next step would be to re-write this as something
that is a back-end feature that is presented only when changes in this
score are noted
ifette: if you are getting sued in any case, I see no benefit.
<ifette> But we're not writing new standards for stuff like that here
:-)
<ifette> we're getting O/T...
PHB2: Possible approach, use a third party trust service... can
minimize the legal risks
<Zakim> johnath, you wanted to reply to phil
<MikeM> decision in Austin was to allow 3rd parties to define scoring
algorithms and let market forces drive innovation... only requirement
on the UA is to allow these 3rd party scoring plugins
johnath: The legal issues are important. If this is phrased as a MUST,
we will have to investigate the issues in order to remain standards
compliant
<Mez> I don't remember that decision mikem
<ifette> I thought we said that new protocols etc were out of scope
<ifette> e.g. new infrastructure
<ifette> at least this was the argument Tyler raised against malware...
<Zakim> johnath, you wanted to reply to tim
<tlr> ACTION: tjh to rewrite page security score section [recorded in
[40]http://www.w3.org/2008/01/16-wsc-minutes.html#action06]
<trackbot-ng> Created ACTION-374 - Rewrite page security score section
[on Tim Hahn - due 2008-01-23].
tjh: I can take an action item to summarize what came from the padlock
discussion
<ifette> I have to go in a minute, but if there is a straw poll put me
down in whatever category is most strongly against this proposal.....
<johnath> ifette: duly noted :)
Mez: all four issues covered
... will try to point out which sections of xit are more mature, based
on our review comments as a topic at the San Jose f2f
... see you next week
Summary of Action Items
[NEW] ACTION: anil to take a stab at ISSUE-124 [recorded in
[41]http://www.w3.org/2008/01/16-wsc-minutes.html#action03]
[NEW] ACTION: bill-d to draft language to reference RFC 3766 or
successors in a useful way [recorded in
[42]http://www.w3.org/2008/01/16-wsc-minutes.html#action01]
[NEW] ACTION: doyle to draft language to reference RFC 3766 or
successors in a useful way [recorded in
[43]http://www.w3.org/2008/01/16-wsc-minutes.html#action02]
[NEW] ACTION: mez to poll al G about shoulder surfing attacks in
context of assistive technologies [recorded in
[44]http://www.w3.org/2008/01/16-wsc-minutes.html#action05]
[NEW] ACTION: thomas to propose high-level wording instead of 7.6
[45]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125
[recorded in
[46]http://www.w3.org/2008/01/16-wsc-minutes.html#action04]
[NEW] ACTION: tjh to rewrite page security score section [recorded in
[47]http://www.w3.org/2008/01/16-wsc-minutes.html#action06]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [48]scribe.perl version 1.129
([49]CVS log)
$Date: 2008/01/23 17:13:50 $
References
1. http://www.w3.org/
2. http://www.w3.org/2008/01/16-wsc-irc
3. http://www.w3.org/2008/01/16-wsc-minutes.html#agenda
4. http://www.w3.org/2008/01/16-wsc-minutes.html#item01
5. http://www.w3.org/2008/01/16-wsc-minutes.html#item02
6. http://www.w3.org/2008/01/16-wsc-minutes.html#item03
7. http://www.w3.org/2008/01/16-wsc-minutes.html#item04
8. http://www.w3.org/2008/01/16-wsc-minutes.html#item05
9. http://www.w3.org/2008/01/16-wsc-minutes.html#ActionSummary
10. http://www.w3.org/2008/01/09-wsc-minutes.html
11. http://lists.w3.org/Archives/Member/member-wsc-wg/2008Jan/0009.html
12. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0150.html
13. http://www.w3.org/2002/09/wbs/39814/wscf2fgoog2008/
14. http://www.w3.org/2006/WSC/track/issues/128
15. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Dec/att-0021/rewrite-5-20071205.html
16. http://www.w3.org/2006/WSC/track/actions/285
17. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
19. http://www.ietf.org/rfc/rfc4346.txt
20. http://www.ietf.org/rfc/rfc3766.txt
21. http://www.w3.org/2008/01/16-wsc-minutes.html#action01
22. http://www.w3.org/2008/01/16-wsc-minutes.html#action02
23. http://www.w3.org/2006/WSC/track/issues/124
24. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-reliabletext
25. http://www.w3.org/2008/01/16-wsc-minutes.html#action03
26. http://www.w3.org/2006/WSC/track/actions/371
27. http://www.w3.org/2006/WSC/track/issues/125
28. http://www.w3.org/2006/WSC/track/issues/125
29. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
30. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Nov/0006.html
31. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
32. http://www.w3.org/2008/01/16-wsc-minutes.html#action04
33. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
34. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
35. http://www.w3.org/2006/WSC/track/actions/372
36. http://www.w3.org/2008/01/16-wsc-minutes.html#action05
37. http://www.w3.org/2006/WSC/track/issues/129
38. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0165.html
39. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0156.html
40. http://www.w3.org/2008/01/16-wsc-minutes.html#action06
41. http://www.w3.org/2008/01/16-wsc-minutes.html#action03
42. http://www.w3.org/2008/01/16-wsc-minutes.html#action01
43. http://www.w3.org/2008/01/16-wsc-minutes.html#action02
44. http://www.w3.org/2008/01/16-wsc-minutes.html#action05
45. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
46. http://www.w3.org/2008/01/16-wsc-minutes.html#action04
47. http://www.w3.org/2008/01/16-wsc-minutes.html#action06
48. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
49. http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 23 January 2008 17:14:25 UTC