W3C home > Mailing lists > Public > public-wsc-wg@w3.org > July 2007

Meeting record: WSC WG weekly 2007-06-20

From: Thomas Roessler <tlr@w3.org>
Date: Sun, 1 Jul 2007 07:23:48 -0700
To: public-wsc-wg@w3.org
Message-ID: <20070701142348.GT3529@raktajino.does-not-exist.org>

Minutes from our meeting on 20 June were approved and are publicly
visible:

  http://www.w3.org/2007/06/20-wsc-minutes

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>







   [1]W3C

                     Web Security Context WG Teleconference
                                  20 Jun 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          MaryEllen_Zurko, Thomas, staikos, Tyler, anil, yngve,rachna,
          luis, maritzaj, audian, PHB, Chuck, serge

   Regrets
          Tim_H, Bill_D, Bruno_vN, Shawn_D, Johnathan_N, Mike_B,
          Jan_Vidar_K, Paul_H

   Chair
          Mez

   Scribe
          Anil

Contents

     * [4]Topics
         1. [5]Approval of minutes
         2. [6]inactive action items
         3. [7]Agenda bashing
         4. [8]checking in on current state of document
         5. [9]Recommendations sections discussion
     * [10]Summary of Action Items
     __________________________________________________________________


Approval of minutes

   Approve meetings from last meeting

   <tlr> [11]http://www.w3.org/2007/06/13-wsc-minutes

   meeting minutes approved

   <mezanyone has issues with the recently closed action intems

inactive action items

   <tlr> MEZ: ACTION-191 probably moot

   <tlr> MEZ: ACTION-216 probably taken care of, anything missing?

   <mezI close some items as inactive due to no due date on them

   <tlr> Tyler: ACTION-192 -- don't think I can take up another proposal

   tlr: Tyler, can you tell me about the complexity of the proposal

   <staikos> no

   <staikos> yes

   <Mez> hahahaha

   anil:tlr, u r audible but can u please pen what you just asked as a
   question to the group

   <Mez> what was it you wre trying to say staikos?

   <staikos> yes and no

   <Mez> to one question or two????

   tyler: can't handle the testing and ??? of two proposals

   <staikos> two one :-P

   <staikos> no?

   tyler: would like to leave the action items for some more time and Mez
   has issues with due dates not updated if the person has no time to deal
   with it.

   mez: action items that were inactive have been dealt with

Agenda bashing

checking in on current state of document

   <Mez>
   [12]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0157.html

   <Mez>
   [13]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals

   <rachna> I do

   Mez: it will be nice to know if people are planning to iterate on
   proposals that are not templatized yet (not make to the 1st draft)

   <tlr> RecRevisitingPastDecisions

   yngve: will work on my proposal (secure page proposal) but had some
   other stuff in the past 2-3 days

   Mez: may send out a mail summarizing
   ... it is important to carry forward
   ... any proposals/comments for the 1st draft

Recommendations sections discussion

   mez: tyler on PIIEditorBar

   <Mez> [14]http://www.w3.org/2006/WSC/drafts/rec/#piieditor

   <Zakim> Thomas, you wanted to ask whether shawn knows about this

   tyler: abandoned the wiki version to aid Shaun and (??? and which
   version are u going to use)

   Mez: tyler, i would like u to lead us on the PIIEditor

   <tlr> you type "+1"

   tyler: anybody new to this? Can u raise hands

   <Mez> I read the previous draft

   <tlr> or sth like that

   <tlr> I also read the previous one.

   <Mez> and I was aorund for the lightening discussion

   tyler: mez and tlr have read the previous drafts and others are new.
   ... i will walk thru. should I?
   ... (please fill in your details here plz)

   anil: can I have the uri where tyler is discussing?

   <tlr> [15]http://www.w3.org/2006/WSC/drafts/rec/#piieditor

   tyler: when you come to a web site, you want to be sure about the
   string that you are going to type into

   <Mez> who do we have here that's pure usability? Audian, others? Any
   comments on input field in the bottom of the browser chrome? (if I
   understood Tyler rightly)

   anil:tlr or tyler can you summarize what tyler is talking now later for
   the final minutes

   Mez: anybody here with UI experience?

   <Mez> staikos, this is early discussion. it's the time to bring out
   concerns, and what deployment experience we'd need

   <tlr> tlr: strikes me as similar to some terminal-based applications;
   3270 terminals in particular, but also other apps

   <Mez> chat clients do have input at the bottom of the window

   <staikos> safari has to statusbar

   <tlr> tyler: most important part is no take data entry outside content
   area

   tyler: it is better to get the input area outside the content area

   <Audian> safari has a cool way of 'folding down' a form field (from the
   top of the page)

   <Mez> I'm wondering if there are interesting interactions if you hang a
   pull down onto the bottom of a window; just another thought

   <staikos> that's a mac-general thing

   <Mez> I recognize that thisis a nit

   <staikos> for messageboxes

   tyler: any Qs before I walk in thru various use cases
   ... 5.1.4.2 section: bootstrap scenario

   <Zakim> Mez, you wanted to ask about attention keys, here and in safe
   browsing and to ask about looks like searches, and to see what happens
   when I put myself on queue twice

   Mez: Q1: how will u motivate users to use the PII bar?

   <rachna> attention sequences and safe browsing mode switches are
   interesting things to test in a study. There are no studies on this.

   tyler: I am trying to motivate the users to use it. They will be more
   comfortable in using the PII bar to get to their bank over other
   mechanisms.

   <staikos> CTRL+ALT+DEL is my favorite :-P

   <serge> actually, I think there have been studies on that,

   <PHB2> There is testing experience, it is just not public

   <serge> hang on, there's one I'm thinking of

   <PHB2> And the critertia under test is not necessarily whether it
   enhances security

   <Mez> Phil, that's good to know, but not very helpful, unless we can
   use it

   <PHB2> Rather it might be whether it sells the product

   tyler: I do not need an attention key such as ctrl-alt-del but rather a
   key that the browser knows that the PII needs to be activated

   <serge> ...looking for a URL

   <staikos> I agree with PHB2

   [16]http://www.w3.org/2006/WSC/drafts/rec/#piieditor

   PHB2: MS has changed the attention seeking sequence (c-alt-del) in
   Vista

   <rachna> I am confused. Is it ok if a user types their CC# into a
   spoofed PII bar (e.g., in the content of the website)?

   tyler: in bootstrap mechanism, they have a choice of working with prior
   set up relationships

   <Mez> staikos, ctrl alt del takes me back to orange book vmm security,
   so it's a bit of a nostalgia trip for me

   tyler: CC# will not be entered into the PII bar but I am expecting the
   PII bar to already know my CC#. A spoofed PII bar is not expected to
   know my cc#

   <rachna> I see. It will be interesting to test this type of safeguard.

   <serge> This is what I was thinking of:
   [17]http://www.courtneymoskowitz.com/chameleon.html they did some user
   testing on switching between security modes

   <Mez> nice; tx serge

   anil:I wonder if an analogy can be drawn to cardspace

   asaldhan: looks like PHB mentioned the same

   <rachna> serge, can you add that ref to shared bookmarks?

   <tlr> yep. I think PHB's problem can be solved elsewhere.

   <staikos> tyler, it's called .Mac :-)

   <Chuck> What about the problem that plagues all forms capture
   tools--namely that your browser is storing lots of sensitive info along
   with who you submit this info to, and this becomes a new vulnerability.
   An attack on the browser (which is exposed by being the tool you use on
   the Internet) can result in serious exposures of PII.

   <serge> yeah, sure, I'm updating the shared bookmarks right now anyway

   <PHB2> how do

   tyler: Firefox and other browsers (possibly) are working on users
   moving their bookmarks (and other custom information) across computers

   <PHB2> how do I log into .mac without being spoofed?

   <serge> I don't have the paper in front of me, so I can't really
   summarize the results. The full thing is in the Usable Security book

   <PHB2> If I can do that I caqn log into OpenID

   <Mez> in telling us why it was interesting, you gave the summary that's
   needed in sharedbookmarks

   <Mez> that's all you need; the reference, and a line on why we care

   <Mez> "user testing on switching between security modes" and that's an
   aspect of several of our proposals

   <serge> I think the book might be on my desk, I could add a bit more

   <Mez> even better!

   <serge> right, but the summary should probably mention the results

   yngve: Do we know what type of data that is going into the pii bar?

   <serge> e.g. "they found that users don't understand the different
   modes"

   <Mez> better to have it in with not enough data than not have it in at
   all. since it can be added to later. But either way, whateve ryou can
   do is good

   tyler: for now, it is data strings
   ... most pii identifiers are recognizable by humans

   <Mez> tlr, we should track those kinds of things. who we request
   reviews from.

   tyler: drop down of telephone number, email address etc

   <serge> is there any conceivable order in the shared bookmarks? or
   should I just add to the end of a relevant section?

   <Mez> tlr, here is good to track things like that

   <Mez> [18]http://www.w3.org/2006/WSC/wiki/RecProcess

   <Mez> please add it there

   <Mez> the review part, not the discussion/concern part

   <rachna> serge, the shared bookmarks is getting long enough that we
   should impose some order. it is hard to find what is there.

   tyler: the good thing about the PII bar is that the user tells the
   browser that it is ok to store this particular information
   ... no need for either the site or any popup to confirm

   <Mez> I've had problems findng stuff in the sharedbookmarks, as you saw
   in the f2f!

   tyler: chuck wade 2 months ago did a study that users were using
   password managers rather than typing in password on banks' websites

   <rachna> is there a reference to the study that Tyler mentioned on
   current use of password managers at bank websites?

   tyler: it may be better to continue with Mike McCormick on this Topic

   Chuck: Banks have considerable concern that they are dealing with not
   humans but some robot (Pwd Manager) that has entered the password

   <staikos> how do you ever solve that? Find NP-complete problems for the
   user to solve in order to log in?

   Chuck: There are reports of attacks at forms database in browsers.

   tyler: first concern: banks want to know that password is obtained from
   user action

   <staikos> Even more, why attack the form database when the connection
   is more weakly encrypted? At least it is in KDE.

   tyler: Answer is that user chooses the information from the PII bar and
   only then will that information gets into the text box on the site

   <staikos> The connection is easier to capture and easier to break -> no
   point in attacking the db

   tyler: Concern: we are building a database of information.
   ... Valid concern. The DB exists on the computer but not in order. The
   information will be on the browser cache.

   <Mez> while I agree with a lot of what you say staikos, I've been
   wondering about the "logic" of attacks lately

   <staikos> If the information is in the browser cache, there are big
   problems. However it definitely is in the VM somewhere

   anil:(Tyler, could you please add some information on this concern
   about the DB storing information)

   <Mez> we've been hearing about federal concern about directed attacks
   to add trap doors to products

   Chuck: I just wanted to add this concern to the discussion.

   <Mez> and I wonder why organized crime does that

   <Zakim> Thomas, you wanted to note that there's a lot of work on forms
   and that we'll have to consider the interaction

   <Mez> instead of just pumping the vulnerabilities

   <staikos> Mez: backdoors distribute better

   <Mez> what does that mean?

   tlr: have we considered relationship between this proposal and work on
   xforms, xforms-transitional

   <staikos> Mez, the manufacturer ships the software to all their
   customers for you, and the binary isn't further modified. It can't get
   any better

   tlr: have we considered relationship between this proposal and work on
   xforms,xforms-transitional/

   <Mez> I see; longer lifetime, more even distribution

   <staikos> yeah

   <tlr> [19]http://www.w3.org/2007/03/XForms-Transitional/

   anil:(yngve. can u please type in ur comment)

   Mez: can u please get to the conformance section?

   <Chuck> Actually, there are some authentication mechanisms that are
   much better for "liveness" testing (in response to Yngve)

   tyler: anyone having any doubts on the use cases, please post to the
   list and I can answer. We need to build a consensus

   <yngve> It may be impossible for the banks to find out if they are
   talking to a flesh and blood human.

   <Mez> Chuck, aren't those CAPTCHAs and the like?

   <tlr> on captchas: [20]http://www.w3.org/TR/turingtest/

   <yngve> Even CAPTCHAs are loosing ground

   <tlr> Inaccessibility of CAPTCHA / Alternatives to Visual Turing Tests
   on the Web / W3C Working Group Note 23 November 2005

   <PHB2> CAPTCHAs are bogus:
   [21]http://dotfuturemanifesto.blogspot.com/2007/06/end-of-captcha-hardl
   y.html

   <Chuck> Captchas are one technique, but OTP tokens are another. Also,
   most biometric schemes have a strong liveness characteristic that can
   be leveraged.

   <serge> I have another meeting to get to. ta.

   <staikos> mmmm token bundles. I'll be doing more banking at the teller
   in the future I think :)

   <Mez> tellers need job security too!

   <staikos> Mez: they'll have to type in a captcha each day when they
   arrive at work?

   <staikos> or just carry a token?

   <Mez> hey, they're paid to authenticate themselves :-)

   <Mez> I carry my badge to work every day

   <Chuck> Tyler, you may also want to include the use case where the site
   owner changes, along with its name. This is not a fringe case, given
   the M&A activity in the financial industy.

   <tyler> Thanks Chuck I'll write that one up. The proposal does indeed
   support this use case

   <rachna> Tyler, I added a skeleton proposal on "Drop the URL bar"
   proposal to the wiki, in case that makes it easier to fill out the
   content.

   <tlr> yngve, can you please put the URI into IRC?

   <tyler> Rachna, it's mostly the testing and implementation work that's
   scaring me off. Are you interested in that?

   <yngve> phil might want to consider this in his discussion about ev
   [22]http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all
   -ev

   <staikos> that's quite the title

   <tlr> tyler, there's a reason why I said we shouldn't expect everybody
   who brings up a proposal to be able to implement it.

   <tlr> mez, are we expecting to meet on July 4?

   <rachna> tyler, I agree with tlr.

   <PHB2> I don't plan to attend on July 4

   <tyler> I sure hope not

   <staikos> yes they do

Summary of Action Items

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [23]scribe.perl version 1.128
    ([24]CVS log)
    $Date: 2007/07/01 14:21:46 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0147.html
   3. http://www.w3.org/2007/06/20-wsc-irc
   4. http://www.w3.org/2007/06/20-wsc-minutes#agenda
   5. http://www.w3.org/2007/06/20-wsc-minutes#item01
   6. http://www.w3.org/2007/06/20-wsc-minutes#item02
   7. http://www.w3.org/2007/06/20-wsc-minutes#item03
   8. http://www.w3.org/2007/06/20-wsc-minutes#item04
   9. http://www.w3.org/2007/06/20-wsc-minutes#item05
  10. http://www.w3.org/2007/06/20-wsc-minutes#ActionSummary
  11. http://www.w3.org/2007/06/13-wsc-minutes
  12. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0157.html
  13. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals
  14. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
  15. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
  16. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
  17. http://www.courtneymoskowitz.com/chameleon.html
  18. http://www.w3.org/2006/WSC/wiki/RecProcess
  19. http://www.w3.org/2007/03/XForms-Transitional/
  20. http://www.w3.org/TR/turingtest/
  21. http://dotfuturemanifesto.blogspot.com/2007/06/end-of-captcha-hardly.html
  22. http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev
  23. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  24. http://dev.w3.org/cvsweb/2002/scribe/
Received on Sunday, 1 July 2007 14:23:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:48 GMT