- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 20 Dec 2006 09:55:15 +0100
- To: public-wsc-wg@w3.org
The minutes from last week's call were approved yesterday. A text
version is attached; a hypertext version is online here:
http://www.w3.org/2006/12/12-wsc-minutes
Regards and happy holidays,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC WG Weekly
12 Dec 2006
See also: [2]IRC log
[3]Agenda
Attendees
Present
Thomas Roessler
Mike Beltzner
Mary Ellen Zurko
Tyler Close
Praveen Alavilli
Stephen Farrell
Bill Doyle
Hal Lockhart
Paul Hill
Tim Hahn
Michael Smith
Phillip Hallam-Baker
Rishikesh A Pande
Mike McCormick
Tony Nadalin
Maritza Johnson
Guests
Rob Franco
Chair
Mez
Scribe
Praveen, tlr
Contents
* [4]Topics
1. [5]pick scribe -- proposed: Praveen
2. [6]approve minutes from last meeting -
http://www.w3.org/2006/12/05-wsc-minutes
3. [7]scope discussion - http://www.w3.org/2006/WSC/wiki/NoteInScope /
http://www.w3.org/2006/WSC/wiki/NoteOutOfScope
* [8]Summary of Action Items
_________________________________________________________________
pick scribe -- proposed: Praveen
<tlr> ScribeNick: Praveen
<tlr> RESOLVED: Praveen to scribe
Welcome to Praveen, AOL.
approve minutes from last meeting - [9]http://www.w3.org/2006/12/05-wsc-minutes
RESOLVED: minutes are approved
<tlr> ScribeNick: tlr
<tlr> whoops, looks like Praveen has connection issues
scope discussion - [10]http://www.w3.org/2006/WSC/wiki/NoteInScope /
[11]http://www.w3.org/2006/WSC/wiki/NoteOutOfScope
mez: would like to get through discussing scope today. Possibly defer goals.
... had some discussion ...
... out of scope, in scope, f2f and/or e-mail ...
<Mez> [12]http://www.w3.org/2006/WSC/wiki/NoteInScope
mez: encourage people to edit things directly
... scope partially based on discussion with Hal ...
... outer boundaries ...
... set outer edges of what's in scope or not ...
... what we're going to do ...
... tyler, different spin on that?
tyler: trying to remember what hal said ...
... had discussion during one of the conference calls ...
... goals are the things group is trying to achieve, non-goals are things
that might be achieved, but aren't targets by itself ...
... scope/out-of-scope setting boundaries ...
... obviously more discussion ...
mez: anything in particular missing in "in scope" ...
hal: what about things that ride on top of HTTP, but aren't HTML / XHTML
....
... SOAP ...
hal: web protocols ...
... obvious case, SOAP or HTTP ...
... leave it to others to justify things they deem in scope
stephenF: worth mentioning smaller devices ...
... be explicit that non-desktop is in scope ...
<malware> malware: along with phone, we have portable gaming devices such as
Nintendo DS
<scribe> ACTION: stephenF to add mobile device text to scope text in wiki
[recorded in [13]http://www.w3.org/2006/12/12-wsc-minutes.html#action01]
<trackbot> Created ACTION-50 - Add mobile device text to scope text in wiki
[on Stephen Farrell - due 2006-12-20].
<Zakim> malware, you wanted to contribute my 2 cents to "phones in scope"
discussion (and suggest, among other things, that generalizing to
"constrained devices" instead of "phone"...)
<beltzner> +1 to stephenF's idea; small devices are becoming more common,
have different design implications
malware: mobile handsets is more accurate description ...
... class of devices: *constrained* devices ...
... non-desktop-pc-browsers ...
... "constrained devices" catches the idea pretty well ...
stephenF: not too keen on "constrained" ...
... "mobile" ...
michael: not talking about devices that are mobile ...
malware: "mobile" ignores use cases, such as airline seat-backs ...
... we might explicitly rule constrained devices out-of-scope ...
... focus on desktop first, defer constrained ...
... "not focus on something" -- tacit acknowledgement that something is less
important ...
mez: not tacit, but explicit
malware: if we're going to do this work and get more people involved that
are more familiar with mobile web browsing use cases ...
... then might be worthwhile not to make them take second place ...
... by just saying display of security information across range of devices
...
<Tyler> Are we talking about constrained display devices instead of mobile
devices
<Zakim> PHB, you wanted to talk about drawing line at VOIP phishing
phb: draw bright line between our work and VOIP phishing
... problem on the context side ...
... have been getting calls to own house that are phishing attempts ...
... don't get into stuff that relates to how switches operate ...
... rule this out of scope ...
mez: wish brad was here
<stephenF> mobile devices that run http etc is a good scope
beltzner: what would a voice phishing attack look like?
<beltzner> tlr: beltzner asked
phb: (explains example)
... e-mail spam and telephone ...
... people don't realize that sth is phone's telephone number ...
... banks have trained people to enter phone number into telephone
attendance system without listening for person ...
... can of worms ...
<beltzner> ok, thanks - noisy here, so I'll stay muted
<scribe> ACTION: Hallam-Baker to send proposed language on phones to mailing
lists [recorded in
[14]http://www.w3.org/2006/12/12-wsc-minutes.html#action03]
<trackbot> Created ACTION-40 - Send proposed language on phones to mailing
lists [on Phillip Hallam-Baker - due 2006-12-19].
billd: gets back to previous discussion about constrained devices ...
... capabilities, phone browsers, embedded browsers ...
<stephenF> what that action on me or phb?
billd: more devices to come out, more on scope ...
tlr: 1. make sure you send mail when you make substantive edits to the wiki
... 2. what I hear is PROPOSED: (a) constrained devices in scope, (b)
telephone/voice interactions out of scope; maps to voice browsers
hal: let's be very clear where we draw this line
mez: haven't made decision, yet
... see potential for brad having opposing view to phil ...
phb: dns vs ss7 based approaches
<stephenF> just added "Mobile phones and other constrained devices that can
run a generic web browser are explicitly in scope under this heading as well
as standard desktop browsers." to the wiki - hack away at that!
<Praveen> phb: example of skype using DNS instead of traditional phone
line
tlr: voice browser is the thing on the other side of the phone line; it can
go out to the web
hal: careful about distinctions that might be indistinguishable
mez: agree
tlr: +1
hal: constrained devices ...
... uncomfortable with the term ...
... because it evolves ...
... choice is about how to deal with functional limits in interface ...
... "here's how you use things with that kind of functional limitation" ...
... or do "here's for desktop, here's for mobile" ...
<malware> some general characteristics of "constrained devices" that aren't
likely to change is that they have smaller screens than desktop/laptop PCs,
no keyboards, but touch screens or number pads
tlr: "constrained devices" is an argument in favor of the first choice of
argument -- be clear about constraints and how they affect recommendations
<stephenF> q to ask about 3rd parties
mez: let's have a look at "in scope" section,
[15]http://www.w3.org/2006/WSC/wiki/NoteInScope, anything contentious there?
... replace "display" by "communicate" ...
mez walking through list
beltzner: would like to see recommendation on communication behavior ...
... in order to avoid phishing attacks ...
... how to begin secure communication ...
<PHB> (The groups mentioned are the FSTC and APWG)
<scribe> ACTION: beltzner to propose draft language to capture "how to begin
secure communication" [recorded in
[16]http://www.w3.org/2006/12/12-wsc-minutes.html#action05]
<trackbot> Created ACTION-42 - Propose draft language to capture \"how to
begin secure communication\" [on Mike Beltzner - due 2006-12-19].
tyler: SOAP?
mez: use case from tim hahn
[17]http://www.w3.org/2006/WSC/wiki/DesktopDecoration
<beltzner> [18]http://diveintomark.org/archives/2006/12/07/rest-for-toddlers
(better HTTP error codes)
<Zakim> stephenF, you wanted to ask about 3rd parties
<scribe> ACTION: tyler to review DesktopDecoration [recorded in
[19]http://www.w3.org/2006/12/12-wsc-minutes.html#action07]
<trackbot> Created ACTION-44 - Review DesktopDecoration [on Tyler Close -
due 2006-12-19].
StephenF: last one "in scope" -- reputation services, third party sources in
scope?
... currently it's protocol-centric ...
mez: not suggesting that third party services be out of scope
stephenF: There might be proprietary services there
mez: don't spend a lot of time on proprietary services
stephenF: As long as it's not just intended to be PKI
mez: PKI in final bullet is example, not meant to scope entire bullet point
<stephenF> change I made is s/PKI/e.g. PKI, generic reputation services/
tlr: pki in scope as concrete example; there might also be generic
recommendations
chair diagnoses violent agreement between tlr and stephenF
mez: .. more about general categories in scope ...
... presume that what's there is pretty good ..
... large categories missing ...
tlr: authoring / deployment guidelines should be in scope
mez: thought that was part of ACTION-42
<scribe> ACTION: roessler to work with beltzner on ACTION-42 to possibly
broaden it [recorded in
[20]http://www.w3.org/2006/12/12-wsc-minutes.html#action08]
<trackbot> Created ACTION-45 - Work with beltzner on ACTION-42 to possibly
broaden it [on Thomas Roessler - due 2006-12-19].
(some discussion about restating charter)
tlr: use cases, and how they're mapped to scope sections
mez: hope we'll get there soon
... any other things that should be in scope and aren't called out?
... going to out of scope
<Mez> [21]http://www.w3.org/2006/WSC/wiki/NoteOutOfScope
hal: hesitant; think the second bullet is a null category
... don't think there's a thing that's not potentially dangerous
mez: trying to draw a boundary. "It's null" or "it's in scope" are different
statements.
hal: Agree that something that's not dangerous is out of scope, but disagree
on def of "dangerous"
mez: worried about slippery slope of trying to get across security context
information for "4 o'clock"
hal: if the clock happens to use ssl ...
mez: potentially taking up valuable screen real estate
... turning security context information into noise ...
tlr: suggest we rule *in* *scope* the discussion of when security context
information is to be communicated, and when it might be detrimental
... note use the scope discussion as a proxy for this ...
mez: ok
hal: ok, but was thinking about having some stuff always on the screen
mez: well, this is going to basic design principles discussion ...
... tradeoffs are a different area ...
hal: historically, people have found very imaginative attacks; "not
dangerous" is fragile statement ...
<scribe> ACTION: roessler to add in-scope for appropriateness of
communication of security context information [recorded in
[22]http://www.w3.org/2006/12/12-wsc-minutes.html#action09]
<trackbot> Created ACTION-46 - Add in-scope for appropriateness of
communication of security context information [on Thomas Roessler - due
2006-12-19].
<scribe> ACTION: zurko to yank "not dangerous" from out-of-scope [recorded
in [23]http://www.w3.org/2006/12/12-wsc-minutes.html#action10]
<trackbot> Created ACTION-47 - Yank \"not dangerous\" from out-of-scope [on
Mary Ellen Zurko - due 2006-12-19].
<Zakim> stephenF, you wanted to qualify the non-web protocols bullet
stephenF: there's a multi-protocol point to be taken into account
<scribe> ACTION: farrell to propose revised "non-web protocols" text for
NoteOutOfScope [recorded in
[24]http://www.w3.org/2006/12/12-wsc-minutes.html#action12]
<trackbot> Created ACTION-48 - Propose revised \"non-web protocols\" text
for NoteOutOfScope [on Stephen Farrell - due 2006-12-19].
billd: ??
<scribe> bill, please scribe what you said
<stephenF> I just changed the "non-web" bullet to: "Uses of non-web
protocols (such as ftp, smtp, pop3) that cannot affect the web security
context."
tyler: "calculation ..." -- is that ruling spam detection like techniques
out of scope?
mez: trying to rule that level of functionality out of scope
tyler: want to clarify that, would like to add text on it
phb: it's the main approach, but entirely tactical; always reacting to
latest attack of bad guys
... as soon as they come up with proposal, it's too late ...
rob: good point, if we're going to have these different anti-phishing
technologies, way to present to user needs to be consistent, ...
... with regard to the experience, that's something that we're saying is in
scope ...
... but actual heuristics that power engines are out of scope ...
... would also agree on that ...
mez: did want to rule out of scope visualization of this stuff
<stephenF> if that last was correct then I'm confused about it
<billd> take off-line and determine if it is possible to clarify the need to
keep certain parts of a session private or secure and in-scope protected by
security context and not worry about other components of a user session.
<PHB> This is the same approach we have for PKI, the results are in scope,
the way the results are arrived at is out of scope
<stephenF> for PKI the algs. are defined
<malware> Tyler, if you can, maybe type in your point in IRS
<malware> IRC
PHB: techniques to detect attack are out of scope, but way to present
results to user is in scope
stephenF: confused by that
... if there's some kind of heuristic behind it, how do you communicate that
it's out of scope?
<Zakim> malware, you wanted to suggest that we make sure we capture Tyler's
original point in the minutes
malware: thinks this is important, make sure it gets into minutes -- Tyler,
please type in more complete description of this point
tlr: +1 to rob; would like to see advanced heuristics out of scope, but
petnames-like approaches ("is the same") in scope
<stephenF> it's ok that I'm confused btw :-)
<Tyler> I wanted to find out if the current "Out of scope" text puts spam
like detection, heuristic techniques out of scope.
tlr: also, abstractions in scope ...
hal: "risky site" -- notion could change in future
rob: In IE, "suspicious" warning, "positively bad" warning
... likely to remain that way in IE ...
... want to talk about these two levels of warning ...
... understand which part of experience is effective ...
... which parts to merge and melt with ...
... bring things together to be more consistent, more effective ...
mez: action to amend in-scope to reflect this?
<scribe> ACTION: beltzner to amend in-scope to reflect consistency of user
experiences, warning levels, etc [recorded in
[25]http://www.w3.org/2006/12/12-wsc-minutes.html#action13]
<trackbot> Created ACTION-49 - Amend in-scope to reflect consistency of user
experiences, warning levels, etc [on Mike Beltzner - due 2006-12-19].
tyler: results about heuristics to add to bookmark page?
tyler: success measurements from browser vendors?
malware: can't speak for other browser vendors, but not willing to publish
outside marketing literature
mez: back to out of scope at next meeting; next meeting next week
... more on the e-mail list and next week ...
<stephenF> bye then
adjourned
<billd> bye
<malware> I didn't mean to say not willing, just possibly not willing to
share data about success of proprietary features
<malware> And data about this coming from vendors is likely to not
exactly be unbiased
Summary of Action Items
ACTION-50 - Add mobile device text to scope text in wiki [on Stephen Farrell
- due 2006-12-20].
ACTION-40 - Send proposed language on phones to mailing lists [on Phillip
Hallam-Baker - due 2006-12-19].
ACTION-42 - Propose draft language to capture "how to begin secure
communication" [on Mike Beltzner - due 2006-12-19].
ACTION-44 - Review DesktopDecoration [on Tyler Close - due 2006-12-19].
ACTION-45 - Work with beltzner on ACTION-42 to possibly broaden it [on
Thomas Roessler - due 2006-12-19].
ACTION-46 - Add in-scope for appropriateness of communication of security
context information [on Thomas Roessler - due 2006-12-19].
ACTION-47 - Yank "not dangerous" from out-of-scope [on Mary Ellen Zurko -
due 2006-12-19].
ACTION-48 - Propose revised "non-web protocols" text for NoteOutOfScope [on
Stephen Farrell - due 2006-12-19].
ACTION-49 - Amend in-scope to reflect consistency of user experiences,
warning levels, etc [on Mike Beltzner - due 2006-12-19].
[End of minutes]
_________________________________________________________________
Minutes formatted by David Booth's [26]scribe.perl version 1.127 ([27]CVS
log)
$Date: 2006/12/19 22:29:47 $
References
1. http://www.w3.org/
2. http://www.w3.org/2006/12/12-wsc-irc
3. http://lists.w3.org/Archives/Public/public-wsc-wg/2006Dec/0069.html
4. file://localhost/home/roessler/W3C/WWW/2006/12/12-wsc-minutes.html#agenda
5. file://localhost/home/roessler/W3C/WWW/2006/12/12-wsc-minutes.html#item01
6. file://localhost/home/roessler/W3C/WWW/2006/12/12-wsc-minutes.html#item02
7. file://localhost/home/roessler/W3C/WWW/2006/12/12-wsc-minutes.html#item03
8. file://localhost/home/roessler/W3C/WWW/2006/12/12-wsc-minutes.html#ActionSummary
9. http://www.w3.org/2006/12/05-wsc-minutes
10. http://www.w3.org/2006/WSC/wiki/NoteInScope
11. http://www.w3.org/2006/WSC/wiki/NoteOutOfScope
12. http://www.w3.org/2006/WSC/wiki/NoteInScope
13. http://www.w3.org/2006/12/12-wsc-minutes.html#action01
14. http://www.w3.org/2006/12/12-wsc-minutes.html#action03
15. http://www.w3.org/2006/WSC/wiki/NoteInScope
16. http://www.w3.org/2006/12/12-wsc-minutes.html#action05
17. http://www.w3.org/2006/WSC/wiki/DesktopDecoration
18. http://diveintomark.org/archives/2006/12/07/rest-for-toddlers
19. http://www.w3.org/2006/12/12-wsc-minutes.html#action07
20. http://www.w3.org/2006/12/12-wsc-minutes.html#action08
21. http://www.w3.org/2006/WSC/wiki/NoteOutOfScope
22. http://www.w3.org/2006/12/12-wsc-minutes.html#action09
23. http://www.w3.org/2006/12/12-wsc-minutes.html#action10
24. http://www.w3.org/2006/12/12-wsc-minutes.html#action12
25. http://www.w3.org/2006/12/12-wsc-minutes.html#action13
26. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
27. http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 20 December 2006 08:55:06 UTC