W3C home > Mailing lists > Public > public-wsc-wg@w3.org > July 2007

Meeting record: WSC WG 2007-06-27

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 17 Jul 2007 17:03:01 +0200
To: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20070717150301.GA4103@raktajino.does-not-exist.org>

The meetings from our meeting on 27 June were approved and are
publicly visible:


Thomas Roessler, W3C  <tlr@w3.org.>


                                 WSC WG Weekly
                                  27 Jun 2007


   See also: [3]IRC log


          MaryEllen Zurko, Thomas Roessler, George Staikos, Phillip
          Hallam-Baker, Jan Vidar Krey, Yngve Pettersen, Chuck Wade, Tyler
          Close, Johnathan Nightingale, Hal Lockhart, Luis Barriga, Bill
          Doyle, Mike Beltzner, Rachna Dhamija

          Tim_H, Bruno_vN, Audian_P, Dan_S, Shawn_D, Maritza_J, Serge_E


          staikos, chuck


     * [4]Topics
         1. [5]administrivia
         2. [6]minutes approval
         3. [7]action item review
         4. [8]letterhead discussion
         5. [9]Synopsis of 3rd TIPPI Workshop
         6. [10]next meeting
     * [11]Summary of Action Items


   Mez: George [Staikos] is scribing today
   Mez mentioned recent experience scribing for a call, and that it can be
   ... so, appreciates George very much

minutes approval

   <TLR> [12]http://www.w3.org/2007/06/20-wsc-minutes.html

   <TLR> so approved

   Mez: Minutes from June 20th meeting approved

action item review

   Mez: No actions closed due to inactivity

   <TLR> ACTION-237 completed succesfully; no actions at risk.

   Began "agenda bashing" discussion. It was suggested that we get someone
   to brief this group on the recent TIPPI workshop.

   <jvkrey> [13]http://crypto.stanford.edu/TIPPI/

   PHB: Burt Kaliski and Dan Boneh are the workshop organizers/leaders

   <Mez> Please discuss the TP Day agenda during one of your near-future
   Group calls, and start a discussion on your mailing lists. Provide your
   Group's input by 13 July 2007 to the Tech Plenary discussion list ...

   <Mez> -- mailto:member-techplenary@w3.org

   <Mez> This list is also archived at...

   <Mez> -- [14]http://lists.w3.org/Archives/Member/member-techplenary/

   <Mez> ... and is Member readable and writable.

   <Mez> Feel free to provide input on agenda topics (e.g., future of
   (x)HTML(n), video on the Web, efficient XML, etc.), or on the format
   for sessions (e.g., panels, demos, lightning talks, etc.). Think about
   topics that would have appeal to a wide variety of W3C folks.

   <johnath> Sorry Mez, I missed a snip of that at the end - did you say
   you will start this conversation by email?

   johnath: my browser doesn't work so is there anything we want to get on
   the agenda/

   TLR: forward ideas directly or channel through Mez or TLR

   Mez: not me
   ... updates from tyler and thomas on what to do before last call
   ... which groups should we liaison with? now is the time...

   Mez initiated discussion of what needs to be done prior to last call.
   Also, what other groups should we ask to review our document or liaise

   Tyler: controversial items: list of security information - more data
   ... use cases don't provide basis for explanation and evaluation

   Mez: Asks for more information and clarification?

   TLR: Yes, there is info to add, but dont' want to block on that for
   last call

   <johnath> none from me - I think it captures the things I've considered
   in my recs

   Bill Doyle: We could go over the [use cases] again

   Tyler: I took out 'exhaustive' keyword
   ... at f2f felt that people felt that this section was woefully
   ... with a list, I could add them myself
   ... doesn't claim to provide -all- information, just a limited list of
   what's in scope

   Bill D: takes action to review it this week (tomorrow)

   <TLR> ACTION: Bill to review list of security information this week
   [recorded in

   <trackbot> Created ACTION-263 - Review list of security information
   this week [on Bill Doyle - due 2007-07-04].

   TLR: does not understand the meaning of some items in there
   ... maybe we need to expand on it

   Tyler: I need to know specifically which items are at issue

   TLR: will send a list

   Tyler: do we need to rework the use cases for something that is easier
   to build recommendations off of?

   Johnathan: I don't like to bring up threats when I don't have solution
   [to offer]

   Mez: we're not specifically requesting threats/responses information,
   what we have is in the Wiki and informal

   Johnathan: It's weak to say in use cases "this applies to all use

   <Mez> the top of the template says:

   <Mez> All sections are required for FPWD. Use your best judgement on
   filling them with appropriate content.

   <Mez> I thought the latter would be enough room for people to say in
   totally inappropriate sections - not applicable

   TLR: Johnathan, I agree on robustness, but, for example, the fullscreen
   usecase might be something to cover

   [Ed: if I understood TLR correctly]

   Mez: Not everything we cover needs to be in use cases

   <Chuck> Does it help to address "vulnerabilities" as a more specific
   topic than the broader and more ambiguous topic of "threats"?

   <Rachna_> "Full screen mode" is currently not one of our use cases or
   in our list of attacks.

   <Mez> Rachna, shouldn't that be there? is it just a matter of adding

   <TLR> Rachna, indeed, that was my point. Some of the robustness things
   might specifically *not* useful in such a context.

   Mez: checklist is good but not mandatory


   Mez: threat tree is a reference - agreed to at f2f

   <rachna_> [17]http://www.w3.org/2006/WSC/wiki/ThreatTrees

   <Chuck> Part of the problem is that "attacks" are constantly evolving.

   Tyler: Suggested postponing discussion until next meeting in 2 weeks?

   <rachna_> Bill and Tyler, IMO, we should label branches that are out
   scope or move them to a different section, rather than deleting them,
   so that people know that we are aware of them.

   <tyler> rachna, that sounds good

   George Staikos: I am being distracted by various interrupts. I am
   having difficulty scribing the conversation.

   <Chuck> Ok, I'll fill in

   <TLR> ScribeNick: chuck

   <TLR> thanks Chuck

   Mez: Put out call for liaisons with other organizations.

   <rachna_> Digital PhishNet is Microsoft's version of APWG - they have
   law enforcement membership (FBI)

   Anything else for last call (Mez)??

   <hal> Thomas did you get the name of that group mentioned yesterday
   that we should liaise with?

   <TLR> Hal, I guess the closest there is to "the group" would be Project
   Concordia or Liberty Alliance as such.

   <rachna_> other potential orgs to liason: IETF, gov agencies (FTC,

letterhead discussion

   Mez: Moving to discussion of Secure Letterhead, handoff to PHB

   <Mez> [18]http://www.w3.org/2006/WSC/drafts/rec/#letterhead

   PHB: Secure Letterhead provides a secure means for cryptographically
   binding logos to the cert and also for associating the cert with the
   actual parties. Secure Letterhead is based on established standards,
   primarily from IETF. Also existing industry practices from cert issuers
   (e.g., VeriSign) support these mechanisms.

   PHB: Secure Letterhead can display issuer logo as part of browser
   chrome. Can be used with DKIM as well. This allows email clients to
   display DKIM cert info and issuer logotype when presenting email
   message to user.

   PHB: Three types of logotypes: subject, issuer, and "community."
   Community logos are meant to imply membership or accreditation; goes
   beyond issuer's representations. Any display of logos needs to be
   accredited in some fashion. Phillip plans to make a proposal to
   CABForum that will represent a baseline for presenting logotypes.


   Mez asks PHB about conformance language; observes that this appears to
   be missing from draft of Secure Letterhead proposal

   <Mez> Requirement | Good Practice

   <Mez> The statement against which we expect an implementation to
   declare conformance. Requirements correspond to a MUST, Good Practices
   correspond to a SHOULD

   PHB expanded his comments on conformance language, introducing "may,"
   "should," and "must." He also noted some concerns about trademark
   issues that relate to graphical images. Probably should reference
   CABForum as a source of requirements.

   Tyler raises questions about passive indicators in chrome, given that
   all studies seem to show marginal benefit.

   PHB: This is probably not your first line of defense in phishing. One
   use of logotype certs provides a tie-in to other solutions, like Card
   Space, which can introduce more active controls with proper indications
   to users. Went on to note that this can also be used in a customer
   support context, and provided an example of telephone dialogue with
   customer support rep, who might ask customer what their browser is
   currently displaying. Customer support is a major cost for financial
   institutions, and so this may help improve impact on customer support
   resources. Phillip went on to indicate that usability tests need to be
   considered in a broader context that reflect months of use, and
   familiarity, as well as training.

   Johnath: Difficult to provide meaningful feedback on this document
   without the conformance language—i.e., what does it mean to have a
   compliant implementation? As an example, can this be implemented in
   secondary chrome? Without this context, it is difficult to assess the
   concreteness of this proposal.

   Johnath: Example, can this be implemented in secondary chrome?
   Concreteness of recommendation is difficult to asses.

   Mez: Asks PHB to take action to update proposal to comply with all
   template sections.

   <TLR> ACTION: hallam-baker to complete secure letterhead template
   [recorded in

   <trackbot> Created ACTION-264 - Complete secure letterhead template [on
   Phillip Hallam-Baker - due 2007-07-04].

   PHB: added that "accessibility" issues have been a concern with this,
   and other high visibility features

   PHB: noted that tech specs for logotypes can include alternative info,
   such as sound recordings (sound bites or audio files). However, it
   might be better to have browser read out cert info [to someone who is
   visually impaired].

   <Zakim> Thomas, you wanted to note there's sound trademarks

   PHB: Further noted that there are no specs yet for how to display
   community logotypes. There are also unknowns as to how an issuer
   vouches for the community logo. This could have major issues with
   liability for issuers.


   <Mez> thank you phb

   PHB: Observed that a section on accessiblity is included in both
   template and proposal.

   TLR: expressed a concern that we may need to dig into the accessibility
   issues further. For example, how screen readers [for visually impaired
   users] present information on security.

   PHB: responded to Thomas by noting that it is difficult to require
   subjects to include audio logos, but they can be required to provide an
   x.509 distinguished name, which can be audibly read out to a user.

   Yngve provided reference to use of sound bites from the [Sci-Fi]

   <yngve> Sciene Fiction reference was to L. E. Modesitt Jr. book "Flash"

   <yngve> background is that "Rez" chords are used for product

Synopsis of 3rd TIPPI Workshop

   Mez: Asked Rachna if she could provide an update on TIPPI. She agreed
   to cover this topic today.

   <rachna_> [22]http://crypto.stanford.edu/TIPPI/

   Rachna gave a bit of background on TIPPI Workshop. She considers it to
   be one of the best conferences addressing this problem space due to
   it's focus on practioners [not too academic].
   Yahoo presented overview of their solution, and PassMark presented
   their sitekey technique. Rachna gave a talk on usability testing that
   addressed limitations of SiteKey. This led to a debate/discussion of
   the benefits of SiteKey-like techniques based on these three
   presentations. Bank of America's position seems to be that SiteKey is
   useful because it has helped to increase user confidence in online
   banking, and that users like it.

   PHB: Questioned value of "increasing confidence" of users. If you don't
   actually deliver improvements, then confidence can also be eroded. One
   of the consequences of things like SiteKey is that you disrupt some of
   the users' assumptions, and complicate the social engineering issues.

   Rachna added that users have not been trained what to do when they
   don't see their SiteKey.

   PHB: investments in technologies (like SiteKey) may have become an
   impediment to a realistic assessment of their effectiveness.

   Rachna continued with topics from TIPPI. Malware papers were delivered
   and discussed.

   Rachna noted that ethical testing questions were discussed, and Tyler
   asked for clarification as to how this affects in-the-wild testing.
   Rachna noted tradeoffs between qualitative and quantitative data

   Rachna (someone?) presented a paper on malware that hijacks sessions on
   the users machine, and proposed some possible countermeasures involving
   VM-baed approaches.

   TLR: observed that malware attacks are a growing concern to European

   Rachna: A U of Indiana researcher proposed a counter-measure that would
   have the browser send history information to a relying web site. This
   was viewed as controversial.
   In summary, Rachna observed that the sense coming out of TIPPI 3 is
   somewhat depressing. There's not much progress to report, while
   problems continue to grow.

   Tyler: asked about clarification on malware vs. phishing. Rachna
   observed that phishing attacks are becoming much more intertwined with
   malware attacks. There are lots more types of attacks, in part, because
   of new techniques leveraging malware.

   Tyler: is looking for insights into what distinctions we might be able
   lean on in our work.

   Rachna: agrees with Tyler that these do lead to important questions of
   scope. The goals of the attackers are the same, independent of their

   TLR: noted connection between root kits and higher level security
   models. (Ed, having a hard time hearing TLR's editorialization)

   Jonath: Refers to APWG stats that show increases in and evolution of
   phishing attacks, but wonders about actual losses and whether there is
   data on how effective phishing attacks really are. Rachna observed that
   FIs tend to be very discrete about actual loss rates, so this
   information is not generally available.

   Chuck: Aside, APACS in the UK is one of the few official sources for
   fraud loss rates. (ref: www.apacs.org.uk)

   Jonath: Raises question of whether or not there are incentives to keep
   reporting on how big the phishing problem is, but not how effective the
   attacks really are? Could effectiveness be decreasing?

   Beltzner: raised similar question about effectiveness of phishing
   attacks. Do takedown measures help? What is effective seems to be
   vague. We know black/white lists are not terribly effective, but do
   they help at all? Rachna agrees that this is a very important set of
   questions, with few answers readily at hand.

   PHB: adds that concrete data is hard to come by. The losses are also in
   the operational costs to reverse fraudulent transactions. The cost of
   back end and customer support is what really concerns the banks. Banks
   imply that they are making more money on online banking and they have
   more users on online banking. Fraud is not currently the biggest
   concern with online banking, but the fraud rates are rising fastest in
   this area.

   <johnath> +1 to tyler's question, and anyone who could answer it

   <Mez> thomas, this was the last question, sorry

   Tyler: we should be evaluating our recommendations and proposals in
   terms of impact on customer support calls and costs. Do we have any
   figures on the magnitude of these problems.

   Rachna: does not have references to data, but it seems like an
   important consideration

   <rachna_> Mike, this is one public analysis I have seen on website
   takedown on phishing (It doesn't answer your question though):

   TLR: suggests that we consider this as a topic for future discussion
   and feedback.

   Rachna did plug the work of WSC at the TIPPI conference—way to go!

next meeting

   Mez: Brought meeting to a close. Noted that there will not be a meeting
   next week due to U.S. Holiday.

Summary of Action Items

   [NEW] ACTION: bill to review list of security information this week
   [recorded in
   [NEW] ACTION: phillipp to complete secure letterhead template [recorded
   in [25]http://www.w3.org/2007/06/27-wsc-minutes.html#action03]

   [End of minutes]


   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0218.html
   3. http://www.w3.org/2007/06/27-wsc-irc
   4. http://www.w3.org/2007/06/27-wsc-minutes#agenda
   5. http://www.w3.org/2007/06/27-wsc-minutes#item01
   6. http://www.w3.org/2007/06/27-wsc-minutes#item02
   7. http://www.w3.org/2007/06/27-wsc-minutes#item03
   8. http://www.w3.org/2007/06/27-wsc-minutes#item04
   9. http://www.w3.org/2007/06/27-wsc-minutes#item05
  10. http://www.w3.org/2007/06/27-wsc-minutes#item06
  11. http://www.w3.org/2007/06/27-wsc-minutes#ActionSummary
  12. http://www.w3.org/2007/06/20-wsc-minutes.html
  13. http://crypto.stanford.edu/TIPPI/
  14. http://lists.w3.org/Archives/Member/member-techplenary/
  15. http://www.w3.org/2007/06/27-wsc-minutes.html#action01
  16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0188.html
  17. http://www.w3.org/2006/WSC/wiki/ThreatTrees
  18. http://www.w3.org/2006/WSC/drafts/rec/#letterhead
  19. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
  20. http://www.w3.org/2007/06/27-wsc-minutes.html#action04
  21. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Letterhead
  22. http://crypto.stanford.edu/TIPPI/
  23. http://www.cl.cam.ac.uk/~rnc1/weis07-phishing.pdf
  24. http://www.w3.org/2007/06/27-wsc-minutes.html#action01
  25. http://www.w3.org/2007/06/27-wsc-minutes.html#action03
Received on Tuesday, 17 July 2007 15:03:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:17 UTC