Meeting record: WSC WG weekly 2007-07-11

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 19 Jul 2007 11:51:25 +0200
To: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20070719095125.GA16734@raktajino.does-not-exist.org>

The minutes from our meeting on 11 July were approved:


Thanks to Anil for scribing.

Thomas Roessler, W3C  <tlr@w3.org>


                                 WSC WG weekly
                                  11 Jul 2007


   See also: IRC log


          Thomas, jvkrey, Tyler, Chuck_Wade, stephen, johnath, asaldhan,
          maritza, yngve, Hal_Lockhart, Bill_Doyle, PHB, MaryEllen_Zurko,
          sduffy, audian, rachna

          Dan_S, Audian_P




     * Topics
         1. approve minutes
         2. Pick a Scribe. Anil present
         3. newly completed action items
         4. agenda bashing
         5. liaisons list
         6. WhatIsASecurePage
     * Summary of Action Items

   <tlr> Scribe: AnilSaldhana

   <tlr> ScribeNick: asaldhan


   <tlr> +Hal

approve minutes

   <tlr> http://www.w3.org/2007/06/27-wsc-minutes

   <tlr> RESOLVED: minutes accepted

Pick a Scribe. Anil present

   <tlr> anil, I'm taking care of the topic lines. ;)

newly completed action items

   <tlr> ACTION-226 done

   <tlr> ACTION-240 done

   <tlr> ACTION-243 done

   <tlr> no issues with any of these?

   <tlr> anil, any trouble scribing?

   tlr: I am trying to catch what they are referring to

   <tlr> anil, just scribe things as much as you can

   tlr: can u pitch in here

   <tlr> if people are too fast, slow them down

   johnath: can u pitch what u referred to

   <tlr> johnathan and MEZ both grappling with integrating robustness into
   spec test?

   <johnath> johnath: Question for Mez: I have an action item which refers
   to integrating robustness recommendations into the doc, but it's
   unclear how that should happen

   Mez: we will categorize into 4 . One of them is robustness. It is
   difficult to fit robustness into current template. We are trying to
   figure it out and waiting for editors draft

   <johnath> johnath: therefore, I will keep extending my due date until
   that comes out

   Mez: based on my conversations with shawn offline, my statements are

agenda bashing

   Mez: discussion about liaisons
   ... we also have discussion on "Secure page"
   ... anybody has to say anything about agenda?

liaisons list

   Mez: there are number of groups that we should work with
   ... Dan has agreed to work with apwg/fbi, Bruno with omtp, mwbp, etsi

   <johnath> Shawn will be on the call - sent a note - running late

   Mez: we need volunteers for a few
   ... any takers for volunteering

   PHB2: can volunteer for CABForum

   <Zakim> stephen, you wanted to ask about IETF/SAAG and if there's a
   current-liaisons list somewhere

   Mez: put down phill for cabforum

   stephenF: is there a link someplace in the wiki for the liaisons

   <PHB2> How slow is zakim?

   Mez: it is in the agenda.

   <PHB2> Sped up now

   <tlr> ACTION: mez to put liaison list into wiki [recorded in

   <trackbot> Sorry, couldn't find user - mez

   Mez: please give me an action item to place liaisons in the wiki

   <tlr> ACTION: zurko to put liaison list into wiki [recorded in

   <trackbot> Created ACTION-266 - Put liaison list into wiki [on Mary
   Ellen Zurko - due 2007-07-18].

   <Zakim> tlr, you wanted to note that OMA is represented in HCG and to
   also note there's a generic W3C-wide liaison list

   Mez: stephen for IETF SAAG?

   <stephenF> not stephen for 3gpp

   <stephenF> phew

   Mez: cannot take on additional liaison duties. I have enough already
   ... want help from the team

   tlr: what are we looking for from OMA?

   Mez: this depends on the person

   tlr: what are we expecting from them?
   ... hcg is the primary mechanism to do that

   Mez: tlr lets take it offline

   <Zakim> stephen, you wanted to ask about IETF/TAM (could be under AOB

   <anil> I am from Chicago

   tlr: stephenF can u give us an elevator pitch

   stephenF: managing trust anchors and protocols associated
   ... this trust anchor is fit for this and not for that. mainly for x509

   a bank can issue client certs to their users. a new protocol. create
   possibilities of providing ssl certs

   <Chuck> Aside: Michael McCormick of Wells Fargo is likely to have
   direct interest in the IETF TAM topic.

   tlr: is it not slotted for the next meeting?

   Mez: set it up offline

   tlr: I can take it offline. but if u want resolution now, we cannot
   take offline

   Mez: cannot remember the issue

   it is resolution

   tlr: i agree that there is an aspect of financial services usecase that
   may not be useful

   stephenF: if there is no one from the financial services, then we can

   <tlr> tlr to attend tam BOF in Chicago, wave WSC flag, report back

   <Chuck> Reminder, Michael McCormick has a standing conflict with this
   group's weekly conference calls.

   <tlr> ACTION: roessler to attend tam BOF in Chicago, wave WSC flag,
   report back [recorded in

   <trackbot> Created ACTION-267 - Attend tam BOF in Chicago, wave WSC
   flag, report back [on Thomas Roessler - due 2007-07-18].

   <stephenF> stephen doesn't agree but will do that some other time:-)

   <anil> I would like to attend as I live in Chicago

   <tlr> stephen, you don't agree with what?

   <stephenF> more than welcome anil

   <stephenF> tlr - just generally:-)

   <johnath> he's very disagreeable

   <stephenF> oh no I'm not

   <tlr> johnath, we all know that

   <johnath> stephenF: :)

   Mez: I am going to type in IRC

   tlr: not yet arrived
   ... welcome shawn. middle of liaison discussion
   ... wonder anybody on the call what aspect of 3gpp we shud be
   ... want to defer this part as dan/bruno unavailable

   <stephenF> think dlna is home n/w

   <jvkrey> Wikipedia says TISPAN is "Telecoms & Internet converged
   Services & Protocols for Advanced Networks", part of European
   Telecommunications Standards Institute (ETSI)

   tlr: I want to defer to dan as to what dlna is
   ... rob and bruno on avail. Lets defer this and move to next item

   correction: rob and bruno unavail


WhatIsASecurePage

   <tlr> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage

   yngve: lets see how am doing

   <tlr> agenda order: WhatIsASecurePage, then wsc-usecases

   yngve: goals i am trying to add.
   ... definitions

   Mez: good background.
   ... am looking for ??? section that will be good

   <johnath> Mez - halfway down - numbered list


   <johnath> "Proposals for..."

   <Zakim> stephen, you wanted to ask if that should be "secure page" or
   "TLS-secured page"

   <tlr> woah @ the anchor

   stephenF: u seem to be talking about tls secure page
   ... is it a tls secure page or a secure page

   yngve: am trying to move towards tls secure page
   ... whether u can say whether mybankDOTcom is really my bank, it cannot
   be at that level

   stephenF: it can confuse people if no distinction is made

   yngve: determine what kind of security

   yngve: usually it is the padlock

   yngve: i have listed the criteria

   yngve: some that are in and some that are out of scope. Some that are

   hal: are u saying that any insecure content- that we consider insecure
   (was not clear from writeup)

   yngve: from my thinking, we cannot tell how sensitive a content is
   ... can include information at what u r looking for
   ... as I mentioned, some banks want to consider content over insecure
   connection in a secure page

   <Zakim> stephen, you wanted to ask whether reputation is better dealt
   with elsewhere

   yngve: I am leaning in the direction that it is insecure until it is
   all secure

   stephen: that seems to me that we presume what is a page

   <tlr> stephen: presumes notion of what a page is

   <maritzaj> forgot about another meeting at 11:30 ... apologies for
   cutting out early

   <tlr> yngve: all that's displayed?

   yngve: somebody has a better suggestion

   stephenF: if it is a tls secure page, it should be mentioned elsewhere

   yngve: mentioned the possibility to use ocsp to get info as to what
   kind of credit card to use

   stephenF: I hate that idea

   yngve: that info can be included in the certificates.
   ... if it is authorized by AmEx to pay by CC.

   <PHB2> I don't like it either :-)

   <johnath> digression alert!

   stephenF: do not like that too much info into certs + layering
   violation + need to go to Mastercard,Amex
   ... if the scope of this proposal is - what is a page? what is a tls
   secure page?

   <Mez> how is this a digression? sorry, it seemed on point to me. but if
   it's a digression, it should be stopped

   stephenF: the scope of what is a secure page is too broad
   ... it will lead us to make mistakes
   ... just get the scope to "what is a page?

   <PHB2> OK what I would go for is a world where maybe we issue EV certs
   with specifically accredited OIDs that can be used by payment
   processing protocols.

   <johnath> Mez - sorry - stephenF's point, that the rec should be well
   constrained, is on-topic. But how CC information might be handled in
   cert vs. ocsp is all a separate rec, if at all. :)

   <Mez> got it

   yngve: am going through what criteria to consider. In opera,
   associated fraud detection close to the padlock.

   stephenF: i want to address just tls and not authorization

   yngve: can take a look

   Mez: sounds good

   tyler: in ur conformance section, 5,9 and 12 talk about redirect
   behavior. I do not understand. they seem contradictory. Please add some
   text around the recommendations
   ... do not understand the motivation for why these should be done

   yngve: aiming at when banks go from http to https

   tyler: why is it a problem?

   yngve: not much a problem. But I want these links to be clean. I want
   to include in the links (that indicate https) into the security
   indicators. Originally opera did that

   <tlr> is that you, audian?

   <Audian> yes

   yngve: this is point 9. u click the link, submit the page. All this
   should be included in the security indicator. If anything is insecure
   transaction, this should be displayed in the security indicator.

   <tlr> rachna, is that you?

   <rachna> yes

   yngve: if anything goes over http (when wished https), malicious code
   can be inserted
   ... seen a couple of case, html/javascript created a page without
   padlock, but showed padlock.

   <Zakim> johnath, you wanted to comment on criteria 16, 15, 10, 8, and 7
   :) (I suspect I'll be re-queueing :)

   Mez: can u please respond to tyler's request.

   yngve: I will. providing some bckgrnd

   <anil> who is talking

   <tlr> johnath

   <tlr> asaldhan, when you can't identify the speaker, just say ??1: blah

   <stephenF> +1 on not saying 2^32

   <johnath> ref for keylength recs: http://www.keylength.com/

   yngve: am sort of putting in an advice if for example NIST
   recommendation for xxx bit

   johnath: for writing conformance report, consider keylength

   Mez: that is for the authorities

   johnath: many of them are crypto people
   ... here.

   yngve: 512 bit certs are still in use
   ... a month or 2 ago, some finance sites were using it

   <johnath> zakim: q?

   <tlr> e.g., bcp 86?

   yngve: authorities do not always agree. euro authorities are not
   recommending 1024 bits

   <tlr> http://tools.ietf.org/html/bcp86

   <tlr> Determining Strengths For Public Keys Used For Exchanging
   Symmetric Keys

   PHB2: we should differentiate confidentiality with authenticity instead
   of secure page
   ... a class of certs are only for confidentiality

   <stephenF> phb: what's wrong with anon D-H for that

   PHB2: either u do not see any indicators or u register the cert

   <Zakim> Thomas, you wanted to ask if there's a spec elsewhere that we
   might reference

   tlr: follow up with the discussion about keylength - bcp86

   <johnath> yngve: for the record, I think this is an important
   recommendation to get in. I'm wordsmithing it, but I think this is one
   of the key recs to get browser vendors to align on, as a whole.

   <stephenF> bcp 86 only requires "commensurate" though (from memory)

   tlr: bcp86 is a moving target document.

   <Zakim> stephen, you wanted to ask if item #4 is ok since its a server

   yngve: will look at it

   <tlr> ... deliberately ...

   stephenF: proposal #4

   <tlr> huh? The charter explicitly gives that example. ;-)

   stephenF: we thought we do not do proposals about what websites shud
   do. are we breaking rule
   ... concerned that we will be making a reco that ppl will totally
   ... there are large # of developers who code websites in a number of
   ... situations where someone has control over part of the website and
   not the other part. They will have difficulties in conformance

   <Mez> thomas is

   tlr: what web client should do ???

   <johnath> (I hear low volume noise)

   <johnath> hal, asaldhan - can you mute if you're not going to jump in?

   stephenF: tlr we need to issue statements for server side developers?

   <tlr> I think there's value to writing up "how to deploy a web site
   that causes security indicators to show up" type checklists in
   MUST/SHOULD language. ;-)

   <anil> *** stephen I am lost a bit here

   tlr: am satisfied to keep what we have.

   <Zakim> johnath, you wanted to question criterion #10

   johnath: criteria 10
   ... understand how this got in. users may not realize they are
   submitting content to a unsecure site

   <PHB2> In fact I would like to see as little flipping from secure to
   unsecure as possible

   johnath: I do not see this recommendation may not help making a better

   <Mez> tyler, does PII use the submit url as the target website, or the
   url of the form? I hadn't thought about that crisply, and this
   discussion makes me wonder

   yngve: submitting creds intended for protected services. U need to plan
   to do it in secure fashion. In a protected page

   johnath: creating this behavior in the browser will create sufficient
   nuisance for people to work around it.

   <Mez> warnings would get disabled after the first time

   <Mez> but some sort of SCI would be interesting

   <stephenF> -1 to flag days

   <Mez> it wouldn't be possible for all clients to implement anything
   totally at the same time

   <tlr> +1 to -1 to flag days

   <tlr> ;-)

   <tlr> I'm +1 to point 2, but -1 to 10.

   <Zakim> stephen, you wanted to ask if this text treats the SCI in too
   "binary" a way

   Mez: we can have discussion on alternatives

   stephenF: in dublin, we discussed that security indicators is a binary
   ... but this proposal indicates that binary display is not sufficient

   <tlr> indeed, that's an important point

   stephenF: why not "low secure" "high secure"? Increase security

   <tlr> padlock -> $padlock

   yngve: do not have a glossary as to what terms mean

   <stephenF> fair enough to revisiting when glossary done

   <tlr> I think "padlock" at this point is an existentially quantified
   variable that holds whatever the right kind of indicator is.

   Mez: agree with stephen that we need to bring more recommendations

   <Zakim> Thomas, you wanted to speak about #3

   tlr: #3. Sounds like a good idea
   ... if u have been using secure connectn to transmit creds, u shud not
   be using those creds/tokens in a less secure env
   ... authentication/authorization models exist

   <anil> ****tlr. please fill in some information about authentication/
   tokens/cookies here plz

   <stephenF> fwiw, stephen fine to punt SSC discussion to next week

   <Mez> stephen, would you be ok if ssc got moved back to the next
   meeting if we run over on this topic?

   <Mez> great, tx

   <stephenF> fwiw2: I gotta go off the call for 5 mins

   <Mez> ok, then we're definitely pushing it back to next week

   <Mez> next week then. what the heck.

   <Audian> yawn

   <stephenF> back now

   <tlr> audian, yawn @ what?

   <anil> ***tlr I am lost. Please fill in what you mentioned

   <anil> *** before we send the minutes

   <Zakim> PHB, you wanted to say, banks should simply put all their
   content in a secure zone

   <tlr> tlr: there's the typical token-based authentication mode used by
   big web properties, which is based on authentication going on through
   HTTPS, then a token (cookie) is transferred through HTTP to low-value

   PHB2: suggest changing #1 that all web servers shud support ssl

   <stephenF> s/restart/resume/ is it?

   <tlr> #3 contradicts that; do we want to deprecate that practice?

   PHB2: oh yes, we can secure entire web site but it will not performant
   ... should tell users that they should secure all of their content

   <tlr> agree on the bank interactions.

   <Mez> I look forward to seeing the conformance language for that!

   PHB2: unless if u r a site like amazon where majority of the site is
   content. secure content is done by separate servers. For banks,
   everything should be secure. once secure, no reason to go to insecure

   <tlr> however, there is a reason to go back to insecure: You need a TLS
   private key on every server. Either, you open a CA, you cough up a lot
   of money, or you create attack surface by using wildcard certs.

   <tlr> mez, so do I. It's a hard to crack problem.

   <tlr> ACTION: phb to phrase conformance language for fully securing
   sites [recorded in

   <trackbot> Created ACTION-268 - Phrase conformance language for fully
   securing sites [on Phillip Hallam-Baker - due 2007-07-18].

   Mez: tlr and I think that conformance language around that is tough. U
   want to take a crack at that?

   <tlr> phb, we don't hear you

   tyler: reco for server side developers, one reco for tls secure page
   and one reco ???

   <Mez> I encourage everyone with thoughts that might not get them out in
   the next 12 minutes to put them in email, issues, etc.

   <johnath> if tyler is getting to recommending that this be broken down:

   <johnath> there we go, +1 to tyler. :)

   <tlr> +1, too

   <stephenF> +1

   tyler: could you break out the tls section

   <Mez> the template itself though really works against making smaller
   parts. Because there's so much reference material. But I think we'll
   need to deal with that anyway, with the robustness issues.

   yngve: will take a look

   <Zakim> johnath, you wanted to discuss criterion 16, if there's still
   time before stephen's SSC topic

   <tlr> reading 14 and 16 side by side, they are similar, and should be
   phrased in parallel

   <PHB2> did I just drop off the call

   <tlr> yes phill

   <tlr> a while ago actually

   johnath: support tyler in breaking out the 3 components

   <Mez> yes, we missed you phill

   johnath: criterion #16

   <Mez> you were saying something about making #1 more general, then

   <sduffy> gotta run to another meeting... REMINDER: Please have your
   proposals in the new template form by COB today

   <Mez> thanks shawn

   *** johnath, please chime in what you are saying.

   **** johnath I lost the trail

   <stephenF> jonath: insisting on all-EV seems over the top

   <stephenF> +1 to jonath - similar point could be made about 2048 vs
   1024 mixes

   <tlr> yuck, don't do a MAY there

   <stephenF> am I'm disagreeable? :-)

   johnath: EV tells that this is paypal. But it does not tell that paypal
   is legitimate

   ***johnath could u please pen what you talked about in IRC

   <johnath> (self-scribing) johnath: criterion 16 requires user agents to
   treat a totally https page with an EV top-level document as non-EV if
   it includes https content which uses OV/DV certs. I think that the use
   of those certs doesn't alter the identity of the page

   *** tlr. I need to vanish at the next scribing assign

   <Mez> sorry bill and thomas

   <Mez> I really, really hope you put your questions into email

Summary of Action Items

   [NEW] ACTION: mez to put liaison list into wiki [recorded in
   [NEW] ACTION: phb to phrase conformance language for fully securing
   sites [recorded in
   [NEW] ACTION: roessler to attend tam BOF in Chicago, wave WSC flag,
   report back [recorded in
   [NEW] ACTION: zurko to put liaison list into wiki [recorded in

   [End of minutes]

