- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 8 Aug 2007 14:53:46 +0200
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 25 July have been accepted, and are
available online:
http://www.w3.org/2007/07/25-wsc-minutes.html
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context WG Teleconference
25 Jul 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
Chuck_Wade, Tyler, MaryEllen_Zurko, serge, StephenF, luis,
Bill_Doyle, PHB, maritza, asaldhan
Regrets
Hal_L, Rachna_D, Shawn_D, DanSchutzer, johnath
Chair
mez
Scribe
serge
Contents
* [4]Topics
1. [5]last meeting's minutes
2. [6]agenda bashing
3. [7]RecRevisitingPastDecisions
4. [8]update from Tyler re wsc-usecases
* [9]Summary of Action Items
__________________________________________________________________
<trackbot> Date: 25 July 2007
<Mez> is Serge the scribe?
<tlr> yes
<tlr> Stephen will join from here.
<tlr> ScribeNick: serge
<tlr> yes, indeed
last meeting's minutes
<tlr>
[10]http://lists.w3.org/Archives/Member/member-wsc-wg/2007Jul/0007.html
<tlr> approved
agenda bashing
Mez: agenda includes demo infrastructure
... past decisions, editing rec document, use cases
serge: discussing results of study on phishing indicators
Mez: demo infrastructure, Audian isn't here, so we'll skip it
RecRevisitingPastDecisions
Mez: revisiting past decisions, tlr will lead this
<Mez> [11]http://www.w3.org/2006/WSC/drafts/rec/#pastdec
tlr: revisit past decisions so people don't continue to make stupid
decisions
... user agents accessing history of past security decisions
... interactive indicators to display where decision was made
... also allow users to access decisions impacting current context,
with option to revert
... allow users to inquire why it made such decisions and ability to
change them, or reset to defaults or other modes
serge: users don't understand the connection between actions and
consequences
tlr: more about trust anchors, identity indicators
... such as trusting a certificate, or cookies
... some decisions are reversible by closing the browser, which isn't a
good way of doing things
<Mez> ack forensics?
Chuck: forensics/computer crime comes into play here, e.g. capturing
browser history
... this proposal could have a role in future criminal investigations
<???> more forensic information may make people nervous.
<tlr> depends on who does the forensics. ;-)
<serge> but I don't think you're talking about capturing anything new?
... just presenting it better?
Chuck: capturing new information may make people uneasy
Mez: Shawn hasn't updated the document, we need more editing resources
... difficult to edit in stuff across proposals
... volunteers?
tyler: less text?
<tlr> +1 to MEZ
Mez: we still need structure in order to discuss these things
<tlr> -1 to keeping in the Wiki indefinitely
tlr: we need to extract meat from proposals
... 9 months into charter, what direction are we going?
<Mez> I would like to keep the three topics in sequence
<Mez> 1) editing help
<Mez> 2) organizing discussions
<Mez> 3) FPWD
tlr: how long to keep the wiki?
tyler: we shouldn't be forced to edit proposals that are fundamentally
bad
<serge> +1 to tyler
Mez: anyone willing to help edit?
<asaldhan> am new to editing. But I can assist
tlr: limited number of people on call, take this offline and discuss on
the mailing list
tyler: how will changing the text force the group to make decisions on
what to recommend?
tlr: we have concrete proposals, we need structure before we can make
useful decisions
... help to create objectives
<Mez> Anil, thank you for volunteering to help out with editing
tlr: editor should leave opinions outside of editing role
serge: we should be doing testing before any sort of editing
tyler: use what the group knows
stephenF: unreasonable to test before we have a document
<maritzaj> +1 to Tyler on applying what we know before going forward
tlr: not an academic exercise or product dev, it's a specification
Mez: discussions should focus on the whole, and the four categories for
structuring
... begin to have discussion on the categories
... primary SCI, secondary, robustness, and minimizing trust decisions
maritzaj: lay out what we know so far
Mez: look at primary SCI proposals in wiki
<tyler> PIIbar
tlr: mixed documents, error handling
<tyler> what is the primary vs secondary distinction in SCI?
<maritzaj> primary as in it always displayed in the main UI?
tlr: for certificates
<serge> I assume you mean active vs. passive?
... active indicators interrupt the user's task, whereas passive ones
sit off to the side, where we hope someone will notice them
<maritzaj> would secure letter head be primary since it would
potentially always be in the chrome
<serge> this sounds like a good thing to add to the glossary!
<maritzaj> has anyone had a look at this break down
[12]http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
<maritzaj> since it's divided amongst the three of us, we can pick 1-2
from each?
<maritzaj> for next week
tyler: maritzaj and serge should look at proposals to see what is
easier to address
<serge> *ahem* I've already brought that up
serge: this isn't a consensus issue! If there's a body of research
showing an idea will not work, it's a waste of our time to pursue
recommending it, regardless of how many people "like" the idea.
<maritzaj>
[13]http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
tyler: trimming segments is the fastest route to making editing easier
maritzaj: we'll make recommendations on a few of them for next week
tlr: distinguish between academic consensus and moving things forward
... we should create recommendations based on our personal opinions to
complete the document rather than, you know, having any idea whether it
will actually work
tyler: trim the low hanging fruit
<serge> +1 to tyler
<maritzaj> +1 to tyler
serge: yeah, we've brought it up
... but people are stuck recommending stuff based on personal opinions,
and refuse to change those opinions regardless of how much prior
research has showed it to not work
<maritzaj> that's what i was on the queue to say
<Mez> so why can't one of you start talking about what does work
<Mez> so we can start with that, and move on to what doesn't?
<Mez> then we'll have a foundation for discussions
<maritzaj> most of the results make it easier to say what doesn't work
...
<maritzaj> unfortunately
<serge> we've discussed what does work,
... I can give some examples that have come up,
<Mez> reference the rec track document with the examples
<serge> but people just gloss them over, and then revert to
recommending stuff they like, rather than stuff that has shown to work
serge: As I understood it, we were all in agreement in Dublin about not
expecting users to interpret the lack of an indicator as a warning. In
that case we should be pursuing purely negative warnings. Almost every
proposal in the wiki relies on positive warnings which will either go
unnoticed or be spoofed. What happened? Do people no longer agree on
this principle? Has anyone bothered to read any of the research in the
Shared Bookmarks?
PHB: middle ground between structuring and proving, more opportunities
for merging proposals
... e.g. favicons and secure letterhead
<Mez> I agree, there are some of us that need the document better
structured - putting related items together
tlr: positive vs. negative indicators, we need agreement on success
criteria
serge: maritza, rachna, and I are doing that right now
<Mez> that's what I thought serge
<Mez> though again, I maintain hope that some of what you'll do will
also verify some subsets
<Mez>
[14]http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
maritzaj: rachna, serge, and I are working on it, probably by next
Wednesday we can share some results
Mez: we'll start with primary SCI proposals
<serge> have we agreed on the definition of primary SCI?
<PHB> saying negative things will be the low hanging fruit
<PHB> :-)
serge: we need to define the four categories in the glossary
Mez: we'll work through primary SCI proposals, which should structure
discussions for a while
<Mez> tlr, please give me an action to put the categories in the
glossary
<tlr> ACTION: define categories in glossary [recorded in
[15]http://www.w3.org/2007/07/25-wsc-minutes.html#action01]
<trackbot> Sorry, couldn't find user - define
<tlr> gah
<tlr> ACTION: mez to define categories in glossary [recorded in
[16]http://www.w3.org/2007/07/25-wsc-minutes.html#action02]
<trackbot> Sorry, couldn't find user - mez
<tlr> ACTION: zurko to define categories in glossary [recorded in
[17]http://www.w3.org/2007/07/25-wsc-minutes.html#action03]
<trackbot> Created ACTION-273 - Define categories in glossary [on Mary
Ellen Zurko - due 2007-08-01].
<Mez> the mail where I initially defined the categories:
<Mez>
[18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0064.html
serge: just concluded a study on users' perceptions of current browser
phishing warnings. IE7 and Firefox use "active" warnings which
interrupt the users' tasks and force them to make decisions about what
to do. Prior research has shown that passive indicators are ignored or
not trusted (users can see the website, and if it "looks" like the real
thing, they trust it more than the indicators). We did a spear phishing
attack and found that the active warnings in Firefox and IE were very
effective; however, there was no statistically significant difference
between using popup dialogs and not showing any warnings. Warnings
that failed were due to habituation (they looked like other warnings
users have seen). Also, no correlation with previously falling for
phishing scams or having credentials/accounts stolen and falling for
phishing attacks (and/or ignoring warnings) in our study.
Mez: When can you share the results?
serge: I'd prefer to wait until I have it submitted in September, though
I can answer questions
tlr: W3C has a confidentiality agreement
serge: But they can still share with all of their coworkers, etc.? It's
not just limited to members of the group?
tlr: Correct.
update from Tyler re wsc-usecases
tyler: no new work on use cases, sent out an email last week
... pulling stuff out for the note
... from issue 6
<luis> but then the wiki should never dissapear
<maritzaj> bye
<tlr> serge, please stay on the call
tlr: hmm?
Summary of Action Items
[NEW] ACTION: define categories in glossary [recorded in
[19]http://www.w3.org/2007/07/25-wsc-minutes.html#action01]
[NEW] ACTION: mez to define categories in glossary [recorded in
[20]http://www.w3.org/2007/07/25-wsc-minutes.html#action02]
[NEW] ACTION: zurko to define categories in glossary [recorded in
[21]http://www.w3.org/2007/07/25-wsc-minutes.html#action03]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [22]scribe.perl version 1.128
([23]CVS log)
$Date: 2007/08/08 12:52:49 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0259.html
3. http://www.w3.org/2007/07/25-wsc-irc
4. http://www.w3.org/2007/07/25-wsc-minutes.html#agenda
5. http://www.w3.org/2007/07/25-wsc-minutes.html#item01
6. http://www.w3.org/2007/07/25-wsc-minutes.html#item02
7. http://www.w3.org/2007/07/25-wsc-minutes.html#item03
8. http://www.w3.org/2007/07/25-wsc-minutes.html#item04
9. http://www.w3.org/2007/07/25-wsc-minutes.html#ActionSummary
10. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Jul/0007.html
11. http://www.w3.org/2006/WSC/drafts/rec/#pastdec
12. http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
13. http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
14. http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
15. http://www.w3.org/2007/07/25-wsc-minutes.html#action01
16. http://www.w3.org/2007/07/25-wsc-minutes.html#action02
17. http://www.w3.org/2007/07/25-wsc-minutes.html#action03
18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0064.html
19. http://www.w3.org/2007/07/25-wsc-minutes.html#action01
20. http://www.w3.org/2007/07/25-wsc-minutes.html#action02
21. http://www.w3.org/2007/07/25-wsc-minutes.html#action03
22. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
23. http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 8 August 2007 12:53:53 UTC