- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 17 Sep 2008 17:06:39 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2008-09-03 were approved and are
available online here:
http://www.w3.org/2008/09/03-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
03 Sep 2008
[2]Agenda
See also: [3]IRC log
Attendees
Present
ifette, Thomas, Bill_Doyle, jvkrey, +1.408.536.aaaa, joesteele,
yngve, +1.312.933.aabb, PHB, anil, Tyler, +1.917.338.aacc,
schutzerd
Regrets
johnath, mez
Chair
tlr
Scribe
yngve
Contents
* [4]Topics
1. [5]approve minutes
2. [6]action items
3. [7]browser security models vs indicators
4. [8]google chrome
5. [9]last call comments
6. [10]CR preparation
* [11]Summary of Action Items
__________________________________________________________________
<tlr> Scribe: yngve
approve minutes
<tlr> [12]http://www.w3.org/2008/08/20-wsc-minutes.html
<tlr> [13]http://www.w3.org/2008/08/27-wsc-minutes.html
<joesteele> agreed!
<tlr> RESOLUTION: minutes approved
tlr: minutes approved
<tlr> [14]http://www.w3.org/2002/09/wbs/35125/TPAC2008/
tlr: Reminder: All should register for the plenary, conference hotel
rate block expires soon
action items
<tlr> ACTION-499 closed
<trackbot> ACTION-499 Frame review of contnt transform guidelines
closed
<tlr> ACTION-505 closed
<trackbot> ACTION-505 Propose comment re https lnk rewriting,
client-side certs and channel bindings closed
<tlr> ACTION-504 closed
<trackbot> ACTION-504 Propose comment on mobileOK test; propose on list
with 24h objection period closed
<tlr> ACTION-500 closed
<trackbot> ACTION-500 Inquire phb about ev cert for test environment
closed
browser security models vs indicators
<tlr>
[15]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0001.html
tyler: cross-frame security in Javascript has no concept of security
level
... can allow MITM to insert controlling code by tricking user into
accepting certificate, then allow all traffic to second frame to go unhindered
... meaning that security for the second frame/tab is shown using full
security
... attacker can listen in on keypresses etc. from hidden frame/tab
joe: Is victim.com bound to two different IP addresses?
tyler: Not necessarily, attack can be mounted at network level,
spoofing IP addresses
tlr: Worst case will be mixed content having low and high security
indicators
tyler: [In this case the] victim user is opening up the hole, for mixed
mode the attacker does it
tlr: so, mixed content in one frame is mixed content everywhere, which
isn't reflected in the current work. Ouch.
yngve: client cert authenticated connections are single way for
end-to-end auth both directions
... assume a server that requires client authentication ...
... MITM would not be able to handle that ...
... but can get control over a frame that is not authenticated [then
access the authenticated frame]...
tyler: client auth doesn't help
yngve: [No,] it won't!
tlr: so, we have one connection with client cert and one without. The
one without can script the one with.
yngve: yes
tlr: what do we do about it?
yngve: use security level or information in [Javascript/DOM] domain
matching
... cross-server communication is more difficult to [handle with such a
scheme] ...
tyler: can we suggest something about that?
tlr: can talk to HTML WG
tyler: might be hard to introduce more changes at this point
yngve: we (Opera) are discussing this [internally]
ifette: propose that everything that is scriptable must share the
weakest security indicator
tyler: suggested something along those lines in the email
... browser might give warning if it sees such inconsistency in
security level on same server
tlr: wsc-ui already makes statements about handling of different
certificate classes for same server in short period
tyler: can ifette's suggestion work?
yngve: There will be a timing issue if user inspects security
indicators as they arrive on a page, but the attacker waits until real
action starts, [resulting in security lowered later]
<tlr> ACTION: ifette to draft spec language about downgrading
indicators to level of least-secure frame [recorded in
[16]http://www.w3.org/2008/09/03-wsc-minutes.html#action01]
<trackbot> Created ACTION-508 - Draft spec language about downgrading
indicators to level of least-secure frame [on Ian Fette - due
2008-09-10].
tlr: Two action possibilities: within WSC use Ian's suggestion and
lower security level, and warn about such quick changes in certificates
... second: Suggest changes in policy in browsers, even if they have
recently agreed on new policies?
tyler: the authors are recommending not making finer grained "domains"
joe: What if the two certificates [(also the one used by the
attacker)] are *both* legitimate?
tlr: Nothing in the spec triggers on it currently, and doing so might cause
problems
... Would create an incentive to only ever use a single certificate for
a server
tyler: We assume that CAs will not issue a certificate (AA or non-AA)
to a non-controlling entity
tlr: WSC-UI does not currently state that assumption
<tlr> ACTION: tyler to draft additional security considerations about
assumption that DV not issued when AA is available [recorded in
[17]http://www.w3.org/2008/09/03-wsc-minutes.html#action02]
<trackbot> Created ACTION-509 - Draft additional security
considerations about assumption that DV not issued wehn AA is available
[on Tyler Close - due 2008-09-10].
tlr: Should update security consideration section if necessary
tyler: Assumption in attack is that attacker can use a self-signed
certificate to trick user
... One scenario if user has pinned a certificate, will have different
security levels for two frames
... second if user has not pinned a certificate
joesteele: if the state changes, there needs to be something in the
user's face
tlr: should ian's action include joe's suggestion, or should joe take
on drafting that?
<tlr> ACTION: steele to draft "security state change needs to be in
user's face" language [recorded in
[18]http://www.w3.org/2008/09/03-wsc-minutes.html#action04]
<trackbot> Created ACTION-510 - Draft \"security state change needs to
be in user's face\" language [on Joe Steele - due 2008-09-10].
google chrome
tlr: ifette to tell us about security UI
ifette: No idea if Google Chrome (Browser) is compliant at present
... think we may be mostly compliant, but not willing to make claims
... goal to minimize chrome area, reduces area available to indicators
... for HTTPS: address bar yellow, https green, lock on RHS of address
bar
... for EV, cert subject name displayed in address bar
phb: Playing around this morning
... messaging problem about paypal concerning the green bar
ifette: does not show green for EV at the moment [discussion about EV
and green]
... just checks the certificate
... No logotypes
... uses padlock, no favicons in the addressbar
... planning stricter handling of mixed secure/unsecure content
... Currently turn off security indication, changes padlock to "!"-mark
... have advanced option to choose allow all, allow images but not
script/CSS images overlaid by unsecure indicator, and block all mixed
content
... allows "paranoids" to block, or webmasters to check for mixed
content
tlr: how about CR testing?
ifette: will fill in the matrix; Mez already asked
yngve: [Considering talking to other vendors] about getting to a
stricter mixed content policy
ifette: that kind of policy broke many sites when testing Google Chrome
tlr: asks ifette to ask for feedback about what spec parts will cause
problems
ifette: will go back and see if there was info about things that might
break heavily
<tlr> ACTION: ifette to fill in feature table with Google Chrome
information, generally come back with feed-back - due 2008-09-10
[recorded in
[19]http://www.w3.org/2008/09/03-wsc-minutes.html#action05]
<trackbot> Created ACTION-511 - fill in feature table with Google
Chrome information, generally come back with feed-back [on Ian Fette -
due 2008-09-10].
ifette: Will also go back and check if there are other implementation
difficulties that were not brought up during earlier discussions
last call comments
<tlr>
[20]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724
<tlr>
[21]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2058
<tlr> LC-2058
tlr: propose making suggested editorial changes
<tlr> PROPOSED: to adopt resolution of LC-2058 as outlined
<tlr> RESOLVED: LC-2058 resolution accepted
<tlr> LC-2055
<tlr>
[22]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0007.html
<tlr>
[23]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2055
tlr: reference to relaxed validation should have been removed
<tlr> RESOLUTION: LC-2055 resolution accepted
<joesteele> [reads LC-2059] ok -- looks fine
<tlr> RESOLUTION: LC-2059 accepted: adopt all changes
<tlr> ACTION: thomas to incorporate LC-2059 changes [recorded in
[24]http://www.w3.org/2008/09/03-wsc-minutes.html#action06]
<trackbot> Created ACTION-512 - Incorporate LC-2059 changes [on Thomas
Roessler - due 2008-09-10].
<tlr> LC-2088
[25]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2088
tlr: Suggest that a few people read it and propose how to handle it
tyler: there were some comments about petnames, can review that
<tlr> ACTION: tyler to propose response for petname-related parts of
LC-2088 [recorded in
[26]http://www.w3.org/2008/09/03-wsc-minutes.html#action07]
<trackbot> Created ACTION-513 - Propose response for petname-related
parts of LC-2088 [on Tyler Close - due 2008-09-10].
<tlr>
[27]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2087
<joesteele> section 6.1.2
<tlr> "Subject logotypes derived from certificates SHOULD NOT be
rendered, unless the certificate used is an augmented assurance
certificate."
joe: think it should be MUST NOT
pbaker: think it should be MUST NOT
... thought we had done MUST NOT
yngve: No problem with MUST NOT
joe: One more comment, distinction between primary and secondary, was
there some intention to allow display in secondary?
phb: Not happy about displaying in secondary chrome. Don't think anyone
would be interested in buying logotype certificates that display only
in secondary chrome
tlr: Maybe add language about not using non-AA logotypes in UI
<tlr> ACTION: hallam-baker to propose change to 6.1.2 to accommodate
"SHOULD NOT" concern for logotypes, possibly relating to overall AA
language [recorded in
[28]http://www.w3.org/2008/09/03-wsc-minutes.html#action09]
<trackbot> Created ACTION-514 - Propose change to 6.1.2 to accomodate
\"SHOULD NOT\" concern for logotypes, possibly relating to overall AA
language [on Phillip Hallam-Baker - due 2008-09-10].
CR preparation
<tlr> ACTION-503 closed
<trackbot> ACTION-503 Frame discussion about interaction of navigation
policy and security indicators closed
<tlr> ACTION-496: no progress on Jan Vidar's side
<trackbot> ACTION-496 Fill out the Opera column in our features at risk
table notes added
<tlr> ACTION-496 reassigned to Yngve
<trackbot> ACTION-496 -- Yngve Pettersen to fill out the Opera column
in our features at risk table -- due 2008-09-17 -- OPEN
<trackbot> [29]http://www.w3.org/2006/WSC/track/actions/496
<tlr> action-502?
<trackbot> ACTION-502 -- Phillip Hallam-Baker to drive test case matrix
for 6.12 -- due 2008-09-03 -- OPEN
<trackbot> [30]http://www.w3.org/2006/WSC/track/actions/502
<tlr> [31]http://www.w3.org/2006/WSC/wiki/TestCases
phb: (action 502) some MAY cases that were hard to write testcases for
... not tests that say "you comply"
... not distinguishing between conformant not implemented and
conformant implemented
<tlr> ACTION-502 closed
<trackbot> ACTION-502 drive test case matrix for 6.12 closed
phb: test-certificate: can't get an EV certificate due to requirements,
but may be able to get one for W3C
tlr: Let's take talks of that offline
<tlr> [32]http://www.w3.org/2006/WSC/wiki/TestCases
tlr: people SHOULD read the wiki testcase node, ASAP
Summary of Action Items
[NEW] ACTION: hallam-baker to propose change to 6.1.2 to accommodate
"SHOULD NOT" concern for logotypes, possibly relating to overall AA
language [recorded in
[33]http://www.w3.org/2008/09/03-wsc-minutes.html#action09]
[NEW] ACTION: ifette to draft spec language about downgrading
indicators to level of least-secure frame [recorded in
[34]http://www.w3.org/2008/09/03-wsc-minutes.html#action01]
[NEW] ACTION: ifette to fill in feature table with Google Chrome
information, generally come back with feed-back - due 2008-09-10
[recorded in
[35]http://www.w3.org/2008/09/03-wsc-minutes.html#action05]
[NEW] ACTION: joesteele to draft "security state change needs to be in
user's face" language [recorded in
[36]http://www.w3.org/2008/09/03-wsc-minutes.html#action03]
[NEW] ACTION: pbaker to propose change to 6.1.2 to accommodate "SHOULD
NOT" concern for logotypes, possibly relating to overall AA language
[recorded in
[37]http://www.w3.org/2008/09/03-wsc-minutes.html#action08]
[NEW] ACTION: steele to draft "security state change needs to be in
user's face" language [recorded in
[38]http://www.w3.org/2008/09/03-wsc-minutes.html#action04]
[NEW] ACTION: thomas to incorporate LC-2059 changes [recorded in
[39]http://www.w3.org/2008/09/03-wsc-minutes.html#action06]
[NEW] ACTION: tyler to draft additional security considerations about
assumption that DV not issued when AA is available [recorded in
[40]http://www.w3.org/2008/09/03-wsc-minutes.html#action02]
[NEW] ACTION: tyler to propose response for petname-related parts of
LC-2088 [recorded in
[41]http://www.w3.org/2008/09/03-wsc-minutes.html#action07]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [42]scribe.perl version 1.133
([43]CVS log)
$Date: 2008/09/17 15:06:17 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0004.html
3. http://www.w3.org/2008/09/03-wsc-irc
4. http://www.w3.org/2008/09/03-wsc-minutes.html#agenda
5. http://www.w3.org/2008/09/03-wsc-minutes.html#item01
6. http://www.w3.org/2008/09/03-wsc-minutes.html#item02
7. http://www.w3.org/2008/09/03-wsc-minutes.html#item03
8. http://www.w3.org/2008/09/03-wsc-minutes.html#item04
9. http://www.w3.org/2008/09/03-wsc-minutes.html#item05
10. http://www.w3.org/2008/09/03-wsc-minutes.html#item06
11. http://www.w3.org/2008/09/03-wsc-minutes.html#ActionSummary
12. http://www.w3.org/2008/08/20-wsc-minutes.html
13. http://www.w3.org/2008/08/27-wsc-minutes.html
14. http://www.w3.org/2002/09/wbs/35125/TPAC2008/
15. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0001.html
16. http://www.w3.org/2008/09/03-wsc-minutes.html#action01
17. http://www.w3.org/2008/09/03-wsc-minutes.html#action02
18. http://www.w3.org/2008/09/03-wsc-minutes.html#action04
19. http://www.w3.org/2008/09/03-wsc-minutes.html#action05
20. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724
21. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2058
22. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0007.html
23. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2055
24. http://www.w3.org/2008/09/03-wsc-minutes.html#action06
25. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2088
26. http://www.w3.org/2008/09/03-wsc-minutes.html#action07
27. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2087
28. http://www.w3.org/2008/09/03-wsc-minutes.html#action09
29. http://www.w3.org/2006/WSC/track/actions/496
30. http://www.w3.org/2006/WSC/track/actions/502
31. http://www.w3.org/2006/WSC/wiki/TestCases
32. http://www.w3.org/2006/WSC/wiki/TestCases
33. http://www.w3.org/2008/09/03-wsc-minutes.html#action09
34. http://www.w3.org/2008/09/03-wsc-minutes.html#action01
35. http://www.w3.org/2008/09/03-wsc-minutes.html#action05
36. http://www.w3.org/2008/09/03-wsc-minutes.html#action03
37. http://www.w3.org/2008/09/03-wsc-minutes.html#action08
38. http://www.w3.org/2008/09/03-wsc-minutes.html#action04
39. http://www.w3.org/2008/09/03-wsc-minutes.html#action06
40. http://www.w3.org/2008/09/03-wsc-minutes.html#action02
41. http://www.w3.org/2008/09/03-wsc-minutes.html#action07
42. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
43. http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 17 September 2008 15:07:15 UTC