W3C home > Mailing lists > Public > public-wsc-wg@w3.org > February 2007

Minutes: WSC WG weekly 2007-01-23

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 6 Feb 2007 18:34:46 +0100
To: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20070206173446.GA1918@raktajino.does-not-exist.org>

The minutes of the WSC WG's weekly meeting on 23 January have been
approved today.  They are available online here:

  http://www.w3.org/2007/01/23-wsc-minutes.html

Thanks to Brad Porter for scribing.

A text/plain version is included below.

-- 
Thomas Roessler, W3C  <tlr@w3.org>





                                  WSC weekly
                                  23 Jan 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          beltzner,   Brad_Porter,   Chuck_Wade,   tlr,  Tyler,  staikos,
          Maritza_Johnson, mez, Bill_Doyle, Hal_Lockhart, Yakov_Sverdlov,
          +1.908.654.aaaa, BobPinheiro, PHB, Sunil_Agrawal, Tim_Hahn

   Regrets
   Chair
          mez

   Scribe
          brad

Contents

     * [4]Topics
         1. [5]Pick a scribe
         2. [6]Approve minutes from last meeting:
            http://www.w3.org/2007/01/16-wsc-minutes
         3. [7]action item review, see agenda
         4. [8]Use case: Debugging
         5. [9]Use case: TLSMiddleMan
         6. [10]Use case: CAAcceptance
         7. [11]Use case: Revisiting Past Decisions
     * [12]Summary of Action Items
     _________________________________________________________________



Pick a scribe

   <tlr> Scribe: brad

Approve minutes from last meeting: [13]http://www.w3.org/2007/01/16-wsc-minutes

   Minutes approved

   <tlr> RESOLVED: minutes approved

action item review, see agenda

   Action items closed

Use case: Debugging

   <tlr> [14]http://www.w3.org/2006/WSC/wiki/UserDebugging

   <beltzner> debugging use case:
   [15]http://www.w3.org/2006/WSC/wiki/UserDebugging

   Mez:  Debugging  use case is about making lower level security context
   information available in some fashion... applicable in use cases where
   someone is trying to help a user and needs lowerlevel information to assess
   what is happening
   ... Outside of the remote debugging category, group has generally said lower
   level information should not be available to user
   ... there are other cases such as browser evaluation where more details is
   helpful

   Mez: We also note that it seems outside our scope to specify how lower level
   details are presented
   ... but we don't want to do anything that precludes it

   Bob: Is there anything on the website that describes the process from use
   case->recommendation

   Mez: We don't have a document describing our process, W3C has a very large
   document on W3C Process

   TLR: Charter that describes general proceeding
   ... suggest for debugging use case that we take this one into the note with
   a remark that this is a use case we do not want to preclude

   chuck: might not want to throw this out so quickly... users do want to be
   able to get some 'confirmation'

   chuck: what we're talking about is not so different than clicking on the
   lock icon
   ... is there justification for putting a button in the chrome that means 'i
   want additional information and confirmation of this site and if you want
   3rd-party review, click here'
   ... this could be very useful to users and may be something that we would
   want in scope

   hal: I think we should say that this information should be only "on demand"

   <beltzner> bwporter: I think you're designing the ui and back-fitting the
   use  case; the motivation should begin with what the user wants, and I
   suspect that you're actually talking about a different use case than Mez

   hal: may want this data to analyze network configuration

   <Tyler> Do any of the arguments made in favour of debugging information
   require a consistent user interface across all web user agents? I think no.

   beltzner: we're splitting this from the original use case where the user
   wants help which is different from the use case where the user wants to
   verify or debug

   beltzner: we should focus on core and let browser vendors innovate at the
   edges

   chuck: this is an area where we need browsers to be consistent
   ... at one level this is a tool for users to gain additional confidence
   ... for example, my daughter was going through a credit application for a
   student loan... at that point, IE7 started complaining that the cert had
   been revoked
   ... i was at a standstill to try to figure out what was going on
   ... we have the debugging problem and the question -- what is the interface?

   tlr: i see this use case as a 'catch-all' that we should document that we do
   not want to preclude expert interface
   ... what i hear from chuck is a use case that is quite different from the
   'catch-all' use case
   ... would you be willing to write up that use case?

   <tlr> ACTION: chuck to document the debugging-related "positive" use case
   [recorded in [16]http://www.w3.org/2007/01/23-wsc-minutes.html#action01]

   <trackbot> Sorry, couldn't find user - chuck

   chuck: I would be willing to write it up, i think it has some overlap with
   what is already here, but it may help flesh out the different issues

   <tjh> there is a difference between "expert investigation" (sometimes called
   debugging) and "end user alerting"

   tyler: this might fit into the non-goals section that we removed... shall i
   add it back in?

   <tlr> tjh, right, that's the point

   mez: why don't you float it out and see if there is consensus?
   ... i hear some dissention about whether this is a non-goal or not

Use case: TLSMiddleMan

   <tlr> [17]http://www.w3.org/2006/WSC/wiki/TLSMiddleMan

   <Tyler> [18]http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM

   <tlr> [19]http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM

   tlr: question is what should happen if the TLS information doesn't match...
   recommend that this is something we should take up in the final document

   tlr: discussion on the mailing list that 'misconfigured' certificates like
   this might be 'ok'

   george: there are some cases where we allow a certificate to go through in a
   scenario that has to do with a horribly configured server
   ... we should deal with this directly
   ... if browsers aren't consistent, people just switch browsers

   mez: why would we consider certain types of security information worse than
   no security information

   george:  we start to reduce the number of different cases... closer to
   boolean
   ... isn't boolean today -- lockbox and dialogs today

   tyler: urls set up by https are setting an expectation that the session is
   going to be well configurated

   brad:  fail  fast  policy is simpler, easier for users, and cleaner to
   implement

   hal: believe the RFC states that you should flag an error explicitly

   <tlr>  ACTION: hal to dig out TLS RFC's normative language on mismatch
   between cert and domain name [recorded in
   [20]http://www.w3.org/2007/01/23-wsc-minutes.html#action02]

   <staikos> and definitely no-one is doing that now :-)

   <trackbot> Created ACTION-83 - Dig out TLS RFC\'s normative language on
   mismatch between cert and domain name [on Hal Lockhart - due 2007-01-30].

   <Tyler> Are we all happy with the wording of this use case in the Note?

   <Mez> Are we unhappy?

   phb: folks are also looking into a situation where a cert has multiple
   domains listed

   <tlr> Doesn't subjectAltName take care of that?

   <tlr> (or whatever it's called)

   <Tyler> Theres a TLS extension for handling Phil's case

   phb: ssl session needs to be set up before website domain is established

   mez: is there a link to something that describes this scenario?

   <tlr> ACTION: Hallam-Baker to produce material on name-based virtual hosting
   and TLS [recorded in
   [21]http://www.w3.org/2007/01/23-wsc-minutes.html#action03]

   <trackbot>  Created ACTION-84 - Produce material on name-based virtual
   hosting and TLS [on Phillip Hallam-Baker - due 2007-01-30].

   <tjh> perhaps an example there of what certificates contain (including
   wildcards) and what implications that has on systems/IP stacks, etc.

   <tjh> would be good

   chuck: picking up on phils point -- wildcarding has left browsers and users
   in a state of confusion... may be an opportunity here

   <staikos> phb: I believe that using SSL on a multi-domain host, thereby
   causing  domain mismatch errors would also be considered broken system
   administration and an error case

   mez: at a note level is there anything we want to address this?

   <tjh> should we offer best practices/guidelines for web masters/hosters for
   setting up certs along with their systems?

   chuck: will summaries core issues

   <Zakim> hal, you wanted to RFC 2818

   <tlr> ACTION: chuck to summarize issues around deployment of certificates in
   wildcard     /     virtual    hosting    situations    [recorded    in
   [22]http://www.w3.org/2007/01/23-wsc-minutes.html#action04]

   <trackbot> Sorry, couldn't find user - chuck

   <tlr> ACTION: wade to summarize issues around deployment of certificates in
   wildcard     /     virtual    hosting    situations    [recorded    in
   [23]http://www.w3.org/2007/01/23-wsc-minutes.html#action05]

   <trackbot> Sorry, couldn't find user - wade

   hal: RFC 2818 describes HTTP over TLS and does discuss processing by client

   <tlr> traackbot, initialize

   <tlr> trackbot, initialize

   <trackbot> Tracking ISSUEs and ACTIONs from
   [24]http://www.w3.org/2006/WSC/Group/track/

   <tlr> ACTION: wade to summarize issues around deployment of certificates in
   wildcard     /     virtual    hosting    situations    [recorded    in
   [25]http://www.w3.org/2007/01/23-wsc-minutes.html#action06]

   <trackbot> Sorry, couldn't find user - wade

   hal: section called "server identity" states client MUST check against URI

   <tlr> ACTION: thomas to prod chuck to summarize issues around deployment of
   certificates  in  wildcard  /  virtual hosting situations [recorded in
   [26]http://www.w3.org/2007/01/23-wsc-minutes.html#action07]

   <trackbot>  Created  ACTION-85 - Prod chuck to summarize issues around
   deployment of certificates in wildcard / virtual hosting situations [on
   Thomas Roessler - due 2007-01-30].

   phb: may be in an area where we're highlighting a problem in TLS
   ... we do not want to use chrome to fix a problem at the TLS layer -- layer
   conflict

   <Chuck> Changes to TLS, or to the way that http operates over TLShal

   phb: if out-of-scope for our work, we may still want to file a defect report
   with the TLS working group

   tlr: focus on getting material for note, and then decide whether to use the
   material on the note or on a defect report

   hal: just a comment that current text in TLS man-in-the-middle is very
   cryptic... is this use case a hack or normal behavior?

   tlr: meant to be a description of an interaction we need to consider

   tyler: do we need to answer the questions in the note or just document that
   these are questions we want to answer?

   hal:  we  should take a stance on whether this is correct or incorrect
   behavior

Use case: CAAcceptance

   <tlr> [27]http://www.w3.org/2006/WSC/wiki/CAAcceptance

   <Tyler> [28]http://www.w3.org/2006/WSC/drafts/note/Overview.html#unknown-CA

   <Tyler> "Click here to continue" as the CA name

   <staikos> we could give the hex bytes for the UTF-8 encoding of the O field.
   Do you trust "0x ......" :-)

   tlr: how should user interface look when encountering an certificate that is
   not signed by a trusted authority?

   hal: generally feel that given all the ways a certificate can fail we may
   find that each scenario needs to fail separately

   <staikos> oh boy that's a big task for KDE :-) we pop up far too many

   tlr: would like to ask browser vendor representatives to look through code
   and help categorize failure modes

   <tlr>  ACTION:  staikos to document what certificate validation errors
   Konqueror displays [recorded in
   [29]http://www.w3.org/2007/01/23-wsc-minutes.html#action08]

   <trackbot> Created ACTION-86 - Document what certificate validation errors
   Konqueror displays [on George Staikos - due 2007-01-30].

   tyler: second notion that each should be a separate use case

   <tlr> ACTION: yngve to document what certificate validation errors Opera
   displays [recorded in
   [30]http://www.w3.org/2007/01/23-wsc-minutes.html#action09]

   <trackbot> Created ACTION-87 - Document what certificate validation errors
   Opera displays [on Yngve Pettersen - due 2007-01-30].

   <Zakim> tjh, you wanted to ask if the "user agent" cannot tell a bug/config
   error from an attack/threat ... do we recommend "implied deny" or "implied
   permit"?

   <tlr>  ACTION: beltzner to document what certificate validation errors
   Firefox displays [recorded in
   [31]http://www.w3.org/2007/01/23-wsc-minutes.html#action10]

   <trackbot> Created ACTION-88 - Document what certificate validation errors
   Firefox displays [on Mike Beltzner - due 2007-01-30].

   tyler: extreme scenarios, but also rare occurences

   <PHB> Reply from EKR on the TLS issue: "There is an extension designed to
   support name-based virtual hosting.

   <PHB> See RFC 4366 S 3.1"

   <Tyler> and therefore important to be presented consistently across user
   agents

   <tlr>  ACTION:  thomas  to ask Rob to do the same for IE7 [recorded in
   [32]http://www.w3.org/2007/01/23-wsc-minutes.html#action11]

   <trackbot> Created ACTION-89 - Ask Rob to do the same for IE7 [on Thomas
   Roessler - due 2007-01-30].

   tjh: can user agent tell the difference between bug and configuration error?
   if user agent can't tell, can the user?
   ... implied deny or implied permit?

   <tlr>  ACTION: thomas to ask Rob Franco to document what certification
   verification      errors      IE7      displays      [recorded      in
   [33]http://www.w3.org/2007/01/23-wsc-minutes.html#action12]

   <trackbot> Created ACTION-90 - Ask Rob Franco to document what certification
   verification errors IE7 displays [on Thomas Roessler - due 2007-01-30].

   maritza: should there be a difference between the types of dialogs a user
   sees when they're accepting for one-time or for all-time?

   brad: in favor of taking a hard stance and not document every edge case

   tlr: helpful to understand what the browsers are doing... result might be an
   appendix saying this is what happens today

   brad:  agreed  on  knowledge-gathering,  frightened by evaluating each
   one-by-one in designing solutions

Use case: Revisiting Past Decisions

   <Tyler>
   [34]http://www.w3.org/2006/WSC/drafts/note/Overview.html#warning-lost

   <beltzner> Mez: do we have details on where within the BEA HQ we're supposed
   to go, btw?

   <beltzner> [35]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners is
   where this info should go, maybe?

   <tlr> ACTION: thomas to start discussion about RevistingPastDecision on list
   [recorded in [36]http://www.w3.org/2007/01/23-wsc-minutes.html#action13]

   <trackbot> Created ACTION-91 - Start discussion about RevistingPastDecision
   on list [on Thomas Roessler - due 2007-01-30].

   <tlr> ACTION: hal to send more detailed geography info about meeting to
   member-visible list [recorded in
   [37]http://www.w3.org/2007/01/23-wsc-minutes.html#action14]

   <trackbot> Created ACTION-92 - Send more detailed geography info about
   meeting to member-visible list [on Hal Lockhart - due 2007-01-30].

   <tlr> I'm collecting stuff at [38]http://www.w3.org/2006/WSC/f2f2.html

Summary of Action Items

   [NEW]  ACTION: beltzner to document what certificate validation errors
   Firefox displays [recorded in
   [39]http://www.w3.org/2007/01/23-wsc-minutes.html#action10]
   [NEW] ACTION: chuck to document the debugging-related "positive" use case
   [recorded in [40]http://www.w3.org/2007/01/23-wsc-minutes.html#action01]
   [NEW] ACTION: chuck to summarize issues around deployment of certificates in
   wildcard     /     virtual    hosting    situations    [recorded    in
   [41]http://www.w3.org/2007/01/23-wsc-minutes.html#action04]
   [NEW]  ACTION: hal to dig out TLS RFC's normative language on mismatch
   between cert and domain name [recorded in
   [42]http://www.w3.org/2007/01/23-wsc-minutes.html#action02]
   [NEW] ACTION: hal to send more detailed geography info about meeting to
   member-visible list [recorded in
   [43]http://www.w3.org/2007/01/23-wsc-minutes.html#action14]
   [NEW] ACTION: Hallam-Baker to produce material on name-based virtual hosting
   and TLS [recorded in
   [44]http://www.w3.org/2007/01/23-wsc-minutes.html#action03]
   [NEW]  ACTION:  staikos to document what certificate validation errors
   Konqueror displays [recorded in
   [45]http://www.w3.org/2007/01/23-wsc-minutes.html#action08]
   [NEW]  ACTION: thomas to ask Rob Franco to document what certification
   verification      errors      IE7      displays      [recorded      in
   [46]http://www.w3.org/2007/01/23-wsc-minutes.html#action12]
   [NEW]  ACTION:  thomas  to ask Rob to do the same for IE7 [recorded in
   [47]http://www.w3.org/2007/01/23-wsc-minutes.html#action11]
   [NEW] ACTION: thomas to prod chuck to summarize issues around deployment of
   certificates  in  wildcard  /  virtual hosting situations [recorded in
   [48]http://www.w3.org/2007/01/23-wsc-minutes.html#action07]
   [NEW] ACTION: thomas to start discussion about RevistingPastDecision on list
   [recorded in [49]http://www.w3.org/2007/01/23-wsc-minutes.html#action13]
   [NEW] ACTION: wade to summarize issues around deployment of certificates in
   wildcard     /     virtual    hosting    situations    [recorded    in
   [50]http://www.w3.org/2007/01/23-wsc-minutes.html#action05]
   [NEW] ACTION: wade to summarize issues around deployment of certificates in
   wildcard     /     virtual    hosting    situations    [recorded    in
   [51]http://www.w3.org/2007/01/23-wsc-minutes.html#action06]
   [NEW] ACTION: yngve to document what certificate validation errors Opera
   displays [recorded in
   [52]http://www.w3.org/2007/01/23-wsc-minutes.html#action09]

   [End of minutes]
     _________________________________________________________________


    Minutes formatted by David Booth's [53]scribe.perl version 1.127 ([54]CVS
    log)
    $Date: 2007/02/06 17:31:59 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0147.html
   3. http://www.w3.org/2007/01/23-wsc-irc
   4. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#agenda
   5. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item01
   6. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item02
   7. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item03
   8. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item04
   9. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item05
  10. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item06
  11. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item07
  12. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#ActionSummary
  13. http://www.w3.org/2007/01/16-wsc-minutes
  14. http://www.w3.org/2006/WSC/wiki/UserDebugging
  15. http://www.w3.org/2006/WSC/wiki/UserDebugging
  16. http://www.w3.org/2007/01/23-wsc-minutes.html#action01
  17. http://www.w3.org/2006/WSC/wiki/TLSMiddleMan
  18. http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM
  19. http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM
  20. http://www.w3.org/2007/01/23-wsc-minutes.html#action02
  21. http://www.w3.org/2007/01/23-wsc-minutes.html#action03
  22. http://www.w3.org/2007/01/23-wsc-minutes.html#action04
  23. http://www.w3.org/2007/01/23-wsc-minutes.html#action05
  24. http://www.w3.org/2006/WSC/Group/track/
  25. http://www.w3.org/2007/01/23-wsc-minutes.html#action06
  26. http://www.w3.org/2007/01/23-wsc-minutes.html#action07
  27. http://www.w3.org/2006/WSC/wiki/CAAcceptance
  28. http://www.w3.org/2006/WSC/drafts/note/Overview.html#unknown-CA
  29. http://www.w3.org/2007/01/23-wsc-minutes.html#action08
  30. http://www.w3.org/2007/01/23-wsc-minutes.html#action09
  31. http://www.w3.org/2007/01/23-wsc-minutes.html#action10
  32. http://www.w3.org/2007/01/23-wsc-minutes.html#action11
  33. http://www.w3.org/2007/01/23-wsc-minutes.html#action12
  34. http://www.w3.org/2006/WSC/drafts/note/Overview.html#warning-lost
  35. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
  36. http://www.w3.org/2007/01/23-wsc-minutes.html#action13
  37. http://www.w3.org/2007/01/23-wsc-minutes.html#action14
  38. http://www.w3.org/2006/WSC/f2f2.html
  39. http://www.w3.org/2007/01/23-wsc-minutes.html#action10
  40. http://www.w3.org/2007/01/23-wsc-minutes.html#action01
  41. http://www.w3.org/2007/01/23-wsc-minutes.html#action04
  42. http://www.w3.org/2007/01/23-wsc-minutes.html#action02
  43. http://www.w3.org/2007/01/23-wsc-minutes.html#action14
  44. http://www.w3.org/2007/01/23-wsc-minutes.html#action03
  45. http://www.w3.org/2007/01/23-wsc-minutes.html#action08
  46. http://www.w3.org/2007/01/23-wsc-minutes.html#action12
  47. http://www.w3.org/2007/01/23-wsc-minutes.html#action11
  48. http://www.w3.org/2007/01/23-wsc-minutes.html#action07
  49. http://www.w3.org/2007/01/23-wsc-minutes.html#action13
  50. http://www.w3.org/2007/01/23-wsc-minutes.html#action05
  51. http://www.w3.org/2007/01/23-wsc-minutes.html#action06
  52. http://www.w3.org/2007/01/23-wsc-minutes.html#action09
  53. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  54. http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 6 February 2007 17:33:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:45 GMT