W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Meeting record: WSC WG weekly 2007-04-11

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 19 Apr 2007 21:04:33 +0200
To: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20070419190433.GA16664@raktajino.does-not-exist.org>

The minutes from last week's meeting have been approved.  They are
available online here:
  http://www.w3.org/2007/04/11-wsc-minutes
  
A text version is appended below the .signature.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C 


                    Web Security Context WG Teleconference
                                  11 Apr 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Mary Ellen Zurko
          Chuck Wade
          Thomas Roessler
          Rachna Dhamija
          Shawn Duffy
          Tyler Close
          Jan Vidar Krey
          Bill Doyle
          Hal Lockhart
          Maritza Johnson
          Bob Pinheiro
          Mike McCormick
          Luis Barriga
          Stuart Schechter
          Phillip Hallam-Baker
          Serge Egelman

   Regrets
          Tim Hahn
          Paul Hill
          Johnathan Nightingale
          Robert Yonaitis
          Mike Beltzner
          Bruno von Niman
          George Staikos

   Chair
          MEZ

   Scribe
          Hal

Contents

     * [4]Topics
         1. [5]approval of minutes from last meeting
         2. [6]closure of action items
         3. [7]Safe Browsing Mode
         4. [8]Virtual hosting and TLS related material
         5. [9]PII editor bar
         6. [10]UrlRecommendation
         7. [11]SharedPublicKnowledge
         8. [12]Contextual Password Warnings
     * [13]Summary of Action Items
     _________________________________________________________________

approval of minutes from last meeting

   <tlr> [14]http://www.w3.org/2007/04/04-wsc-minutes

   minutes approved unimanimously

closure of action items

   I would reather use my own mute

   <tlr> all agree, ACTION-154 ACTION-157 ACTION-160 ACTION-166

   tahnks

   <Tyler> [15]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals

Safe Browsing Mode

   <tlr>
   [16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0217.html

   <tlr> PROPOSED: defer; Dan Schutzer to present at a later time

   topic deferred

   <ses> <---got only 90 minutes of sleep last night so may not be here in much
   more than electronic form only.

Virtual hosting and TLS related material

   <tlr>
   [17]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0051.html

   PHB: ssl as designed assumes one to one between IP addr and certificate

   host name checking is not checked carefully

   but when it it is it causes problems

   starting to cause problems

   with EV certificates

   <tlr> hal, for continuation lines, please use this syntax:

   <tlr> ... this goes on ...

   <tlr> ... and on ...

   ok

   <tlr> Also, please attribute what's said.

   <tlr> It'll all make you rlife much easier when you get to clean-up. ;-)

   scribe: fix is being deployed
   ... only on client side
   ... need server side support

   <Zakim> tlr, you wanted to ask what the recommendation in scope for us would
   be

   phb: clients support tls hostname extension

   <tlr> PHB: client providers ought to support TLS host name extension, server
   providers support use of that feature

   tlr: what about error condition - page reload?
   ... from airport hotspot

   (sorry can follow usecase can you type it)

   cant

   phb: related piece is can solve by being more lax in checking redirects

   <tlr>  tlr:  related, hotspots doing benevolent SSL MITM. Do we need a
   "override, but just send GET / HTTP/1.0" instead of doing the post here?

   phb: people don't type the "www" part of domain name
   ... so redirect gives error
   ... before you could get by
   ... now doing checking at TLS level, before redirect

   chuck: related issue mapping IP names to certs
   ... multiple servers or caching servers
   ... will break a lot of existing solutions
   ... will IETF fix solve all these

   phb: will not solve all the issues
   ... cause is checking things more carefully
   ... will see more errros if not careful
   ... another fix which could be used is wildcard domains
   ... currently prohibited by EV rules
   ... revocation can be an issue
   ... IETF fix allows multiple sites on physical servers

   chuck: problem EV certs my produce too many errors
   ... users will work around, undermine effectiveness

   <serge> Zakim mute me

   <Zakim> tlr, you wanted to ask about technical constraints that are in EV
   guidelines

   chuck: don't have answers

   tlr: + 1 to chuck
   ... question to phb are EV x.509 profile published

   phb: is a profile of PKIX profile

   tlr: can share pointer?

   <tlr> ACTION: hallam-baker to share pointer to CABforum profiling of PKIX
   [recorded in [18]http://www.w3.org/2007/04/11-wsc-minutes.html#action01]

   <trackbot> Created ACTION-189 - Share pointer to CABforum profiling of PKIX
   [on Phillip Hallam-Baker - due 2007-04-18].

   phb: propose we point to work of others, not design

   <tlr> ACTION: hallam-baker to attempt summary of discussion and proto recs
   re    EV    and    virtual    hosting    in    wiki    [recorded    in
   [19]http://www.w3.org/2007/04/11-wsc-minutes.html#action02]

   <trackbot> Created ACTION-190 - Attempt summary of discussion and proto recs
   re  EV  and  virtual  hosting  in  wiki [on Phillip Hallam-Baker - due
   2007-04-18].

   <Chuck> The CA Browser forum appears to have links to download the relevant
   documents  (cleverly  hidden)  at  the very top of their home page at:
   <[20]http://cabforum.org/index.html>

PII editor bar

   <tlr>
   [21]http://www.w3.org/2006/WSC/wiki/PersonallyIdentifiableInformationEditorB
   ar

   tyler: want to get indication to user when about to enter sensitive data
   ... user will type into editor widget
   ... login scenario
   ... remembers text used for login

   <tlr> I'd suggest calling the thing "Sensitive Information Bar" or some
   such.

   tyler: lets you select one to use
   ... moves cursor to editor widget
   ... provides indication that have provided password previously
   ... interupts normal flow if at different site
   ... next to it is petname tool
   ... can show no relationship to site
   ... or just msg talking to stranger

   BobP: question select password from pull down?

   tyler: no, will have list of sites in pull down

   bob: would see password?

   tyler: have some choices, could have it displayed or have stars

   bob: display could allow others to see it

   tlr: I would avoid PII term here
   ... call it your information entry
   ... interaction mode when entering data?

   tyler: other aspects
   ... try to implement failure case
   ... use of petname tool to identify site

   <tlr> I had suggested that a high-level description of this would be to (a)
   put users into different interaction mode when they think they are making
   another trust decision, and (b) leverage stored information to signal that
   user is actually repeating a prior security decision.

   <Zakim> Thomas, you wanted to note that the reliability issue is better
   dealt with in HTML WG and to also come back to PII discussion

   tlr: reason not to use PII brings up rathole, want to control when we treat
   these issues
   ... data can be not PII in some cases
   ... not accurate decsription of what we are talking about
   ... reminded me of HTML form idea of filling fields
   ... can deal with in w3 forms group

   tyler: not good idea to make html specific

   thanks

   tyler: need hal: cant do form fill combined with stars display

   sduffy: how determine previously trusted site

   tyler: petname tool does it - explicit user choice

   tlr: need to seperate abstract concept from detailed interface

   <tlr>  ACTION:  tyler  to update TrustMe proposal in wiki [recorded in
   [22]http://www.w3.org/2007/04/11-wsc-minutes.html#action03]

   <trackbot> Created ACTION-191 - Update TrustMe proposal in wiki [on Tyler
   Close - due 2007-04-18].

UrlRecommendation

   <tlr> [23]http://www.w3.org/2006/WSC/wiki/UrlRecommendation

   mez: in favor of short recommendations to discuss
   ... 1st is URLs
   ... talked about how they are used, mostly for security
   ... heard some browsers were doing more with contents of URL
   ... want to discuss this, what are browsers doing?
   ... have heard users cannot understand URLs
   ... few restrictions, no mechanisms to insure understandable by users
   ... 2 levels of risk
   ... low and no risk situations, can be identified?
   ... in this case can be presented for usability, not security
   ... in medium to hi risk, meaningful and robust presentations required
   ... what about display?

   <tlr> "Your flight has been cancelled."

   mez: only way to get at understandable properties in URL is from history of
   interation

   tyler: assumes part of URI is of interest to user, what part?

   mez: ties to something about authority faliliarity trustworthiness
   ... may note be substring

   tyler: better not to display URL
   ... want to pin down value if any of URL display

   tlr: you're mixing display and entry of URLs. I sense that it might be
   useful to have a generic "drop URL bar" discussion. Please draft a proposal.

   tyler: seems to be some overlap

   <tlr> ACTION: tyler to draft "let's drop the URL bar" proposal [recorded in
   [24]http://www.w3.org/2007/04/11-wsc-minutes.html#action04]

   <trackbot> Created ACTION-192 - Draft \"let\'s drop the URL bar\" proposal
   [on Tyler Close - due 2007-04-18].

   chuck: different take, nobody understands URLs, things get entered by click
   ... used to just be reference
   . may be providing lots of info, session, forms info

   scribe: some useless some dangerous
   ... need to consider what info is actually being provided
   ... sometimes intentionly invisible

   scribe: potentially complex
   ... what is boundary?

   mez: not just browsers location bar
   ... glad you brought in relationship between click link and URL value
   ... will update wiki

   <tlr> [25]http://www.w3.org/2001/tag/doc/state.html

   <tlr> I think I provided a high-risk example on IRC. "Your flight has been
   cancelled."

   mike: are display only cases which are hi risk, will provide examples on
   request
   ... main point most users ignore location bar
   ... but need to consider those who do
   ... browsers don't indicate domain
   ... consider https to be more reliable indicator than padlock

   <tlr>  ACTION:  mcCormick  to provide high-risk display-only use cases
   [recorded in [26]http://www.w3.org/2007/04/11-wsc-minutes.html#action05]

   <trackbot> Created ACTION-193 - Provide high-risk display-only use cases [on
   Michael McCormick - due 2007-04-18].

   hal: dont understand about https, only requires port 443

   mike: should get rid of favacon, makes it easy for phishers

   <tlr>  ACTION:  zurko  to refine UrlRecommendation - due 20 April 2007
   [recorded in [27]http://www.w3.org/2007/04/11-wsc-minutes.html#action06]

   <trackbot> Created ACTION-194 - refine UrlRecommendation [on Mary Ellen
   Zurko - due 2007-04-20].

SharedPublicKnowledge

   <tlr> [28]http://www.w3.org/2006/WSC/wiki/SharedPublicKnowledge

   mez: techniques for weak identification
   ... shared between sites, like mothers maiden name is anti pattern
   ... looking for input

   tlr: aim at generic case
   ... finding that cute icon distracts users from real security info
   ... anti pattern

   chuck: have scars

   <tlr> I'm taking that from the Emperor paper

   <ses> We could call out "presenting security steps that are necessary as
   sufficient" as something we'd want to advise against.

   chuck: need to be careful about how to characterize SPK
   ... used by orgs to additional confidence
   ... mother's maiden name is always bad
   ... but others may be usuable

   chuck: real issue is frequency of use
   ... key is whipping boy
   ... some people get irate over SPK term

   <ses> In response to the statement that SiteKey is used to authenticate
   clients, I would disagree. SiteKey is to reauthenticate people. (Once they
   believe the user of the browser is authentic, they THEN make a transitive
   assumption that the client belongs to the user)

   chuck: some effectively use data shared between user and site
   ... potential for social engineering - giving the illusion of confirming
   ... very complex, not always anti pattern, need to say what should be done

   mez: agree but should work in parrallel

   <tlr> ACTION: zurko to capture discussion on SharedPublicKnowledge in wiki
   and   refine   proposal   -   due   25   April   2007   [recorded   in
   [29]http://www.w3.org/2007/04/11-wsc-minutes.html#action07]

   <trackbot> Created ACTION-195 - capture discussion on SharedPublicKnowledge
   in wiki and refine proposal [on Mary Ellen Zurko - due 2007-04-25].

Contextual Password Warnings

   <tlr>
   [30]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0138.html

   tlr: based on article about warnings given in specific case more effective
   ... and article about how mashups get auth info
   ... user enters credentials for A at B
   ... browser could detect this case

   <ses> There's a paper by Microsoft at the next WWW that create a toolbar
   that looked for password reuse.

   tlr: looking for input

   <Mez_> hal: prohibits extremely common habit

   <ses> "A large-scale study of web password habits" by Florencio and Herley

   <Mez_> ... how do you manage 50 passwords?

   <ses> It supports what Hal is saying right now.

   <ses> (One problem with the proposal is that you don't know its the same
   password until it has been typed. A malicious site can send characters back
   one at a time as they are typed.)

   tlr: would learn past trust decisions, could suppress question the 2nd time
   ... space to optimise it

   <ses> [31]http://research.microsoft.com/~cormac/Papers/www2007.pdf

   <Zakim>  Thomas,  you wanted to note that we can talk about deployment
   techniques

   chuck: many problems at server side

   tlr: agree, charter allows deployment practice
   ... need concrete proposals

   chuck: need mutual security
   ... one sided approch is always vulnerable

   tlr: would like to hear specifics

   chuck: group is oriented towards client exclusively

   <tlr> ACTION: chuck to turn ramblings about deployment and server side into
   coherent   written   material   -  due  25  April  2007  [recorded  in
   [32]http://www.w3.org/2007/04/11-wsc-minutes.html#action08]

   <trackbot> Created ACTION-196 - turn ramblings about deployment and server
   side into coherent written material [on Chuck Wade - due 2007-04-25].

   bill: added section in ?? covering servers

   <Zakim> MEZ, you wanted to comment that we should try to make it smarter
   about trust domains

   <tlr> bill-d: offer to help Chuck with ACTION-196; section about web server
   and connection to user agent

   bill: comments to note discuss servers

   mez: can consider trust domains

   <tlr> ACTION: thomas to incorporate discussion about Contextual Password
   Warnings    into   Wiki   -   due   25   April   2007   [recorded   in
   [33]http://www.w3.org/2007/04/11-wsc-minutes.html#action09]

   <trackbot> Created ACTION-197 - incorporate discussion about Contextual
   Password Warnings into Wiki [on Thomas Roessler - due 2007-04-25].
     _________________________________________________________________


    Minutes formatted by David Booth's [34]scribe.perl version 1.128 ([35]CVS
    log)
    $Date: 2007/04/19 18:56:47 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0089.html
   3. http://www.w3.org/2007/04/11-wsc-irc
   4. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#agenda
   5. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item01
   6. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item02
   7. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item03
   8. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item04
   9. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item06
  10. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item07
  11. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item08
  12. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#item09
  13. file://localhost/home/roessler/W3C/WWW/2007/04/11-wsc-minutes.html#ActionSummary
  14. http://www.w3.org/2007/04/04-wsc-minutes
  15. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals
  16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0217.html
  17. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0051.html
  18. http://www.w3.org/2007/04/11-wsc-minutes.html#action01
  19. http://www.w3.org/2007/04/11-wsc-minutes.html#action02
  20. http://cabforum.org/index.html%3E
  21. http://www.w3.org/2006/WSC/wiki/PersonallyIdentifiableInformationEditorBar
  22. http://www.w3.org/2007/04/11-wsc-minutes.html#action03
  23. http://www.w3.org/2006/WSC/wiki/UrlRecommendation
  24. http://www.w3.org/2007/04/11-wsc-minutes.html#action04
  25. http://www.w3.org/2001/tag/doc/state.html
  26. http://www.w3.org/2007/04/11-wsc-minutes.html#action05
  27. http://www.w3.org/2007/04/11-wsc-minutes.html#action06
  28. http://www.w3.org/2006/WSC/wiki/SharedPublicKnowledge
  29. http://www.w3.org/2007/04/11-wsc-minutes.html#action07
  30. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0138.html
  31. http://research.microsoft.com/~cormac/Papers/www2007.pdf
  32. http://www.w3.org/2007/04/11-wsc-minutes.html#action08
  33. http://www.w3.org/2007/04/11-wsc-minutes.html#action09
  34. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  35. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 19 April 2007 19:04:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:47 GMT