- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 19 Jul 2007 11:51:25 +0200
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 11 July were approved:
http://www.w3.org/2007/07/11-wsc-minutes.html
Thanks to Anil for scribing.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC WG weekly
11 Jul 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
Thomas, jvkrey, Tyler, Chuck_Wade, stephen, johnath, asaldhan,
maritza, yngve, Hal_Lockhart, Bill_Doyle, PHB, MaryEllen_Zurko,
sduffy, audian, rachna
Regrets
Dan_S, Audian_P
Chair
mostly_MEZ
Scribe
AnilSaldhana
Contents
* [4]Topics
1. [5]approve minutes
2. [6]Pick a Scribe. Anil present
3. [7]newly completed action items
4. [8]agenda bashing
5. [9]liaisons list
6. [10]WhatIsASecurePage
* [11]Summary of Action Items
__________________________________________________________________
<tlr> Scribe: AnilSaldhana
<tlr> ScribeNick: asaldhan
anil
<tlr> +Hal
approve minutes
<tlr> [12]http://www.w3.org/2007/06/27-wsc-minutes
<tlr> RESOLVED: minutes accepted
Pick a Scribe. Anil present
<tlr> anil, I'm taking care of the topic lines. ;)
newly completed action items
<tlr> ACTION-226 done
<tlr> ACTION-240 done
<tlr> ACTION-243 done
<tlr> no issues with any of these?
<tlr> anil, any trouble scribing?
tlr: I am trying to catch what they are referring to
<tlr> anil, just scribe things as much as you can
tlr: can u pitch in here
<tlr> if people are too fast, slow them down
johnath: can u pitch what u referred to
<tlr> johnathan and MEZ both grappling with integrating robustness into
spec test?
<johnath> johnath: Question for Mez: I have an action item which refers
to integrating robustness recommendations into the doc, but it's
unclear how that should happen
Mez: we will categorize into 4 . One of them is robustness. It is
difficult to fit robustness into current template. We are trying to
figure it out and waiting for editors draft
<johnath> johnath: therefore, I will keep extending my due date until
that comes out
Mez: based on my conversations with shawn offline, my statements are
valid
agenda bashing
Mez: discussion about liaisons
... we also have discussion on "Secure page"
... anybody has to say anything about agenda?
liaisons list
Mez: there are a number of groups that we should work with
... Dan has agreed to work with apwg/fbi, Bruno with omtp, mwbp,etsi
<johnath> Shawn will be on the call - sent a note - running late
Mez: we need volunteers for a few
... any takers for volunteering
PHB2: can volunteer for CABFOrum
<Zakim> stephen, you wanted to ask about IETF/SAAG and if there's a
current-liaisons list somewhere
Mez: put down phill for cabforum
stephenF: is there a link someplace in the wiki for the liaisons
<PHB2> How slow is zakim?
Mez: it is in the agenda.
<PHB2> Sped up now
<tlr> ACTION: mez to put liaison list into wiki [recorded in
[13]http://www.w3.org/2007/07/11-wsc-minutes.html#action01]
<trackbot> Sorry, couldn't find user - mez
Mez: please give me an action item to place liaisons in the wiki
<tlr> ACTION: zurko to put liaison list into wiki [recorded in
[14]http://www.w3.org/2007/07/11-wsc-minutes.html#action02]
<trackbot> Created ACTION-266 - Put liaison list into wiki [on Mary
Ellen Zurko - due 2007-07-18].
<Zakim> tlr, you wanted to note that OMA is represented in HCG and to
also note there's a generic W3C-wide liaison list
Mez: stephen for IETF SAAG?
<stephenF> not stephen for 3gpp
<stephenF> phew
Mez: cannot take on additional liaison duties. I have enough already
... want help from the team
tlr: what are we looking for from OMA?
Mez: this depends on the person
tlr: what are we expecting from them?
... hcg is the primary mechanism to do that
Mez: tlr lets take it offline
<Zakim> stephen, you wanted to ask about IETF/TAM (could be under AOB
either)
<anil> I am from Chicago
tlr: stephenF can u give us an elevator pitch
stephenF: managing trust anchors and protocols associated
... this trust anchor is fit for this and not for that. mainly for x509
a bank can issue client certs to their users. a new protocol. create
possibilities of providing ssl certs
<Chuck> Aside: Michael McCormick of Wells Fargo is likely to have
direct interest in the IETF TAM topic.
tlr: is it not slotted for the next meeting?
Mez: set it up offline
tlr: I can take it offline. but if u want resolution now, we cannot
take offline
Mez: cannot remember the issue
it is resolution
tlr: i agree that there is an aspect of financial services usecase that
may not be useful
stephenF: if there is no one from the financial services, then we can
defer
<tlr> tlr to attend tam BOF in Chicago, wave WSC flag, report back
<Chuck> Reminder, Michael McCormick has a standing conflict with this
group's weekly conference calls.
<tlr> ACTION: roessler to attend tam BOF in Chicago, wave WSC flag,
report back [recorded in
[15]http://www.w3.org/2007/07/11-wsc-minutes.html#action03]
<trackbot> Created ACTION-267 - Attend tam BOF in Chicago, wave WSC
flag, report back [on Thomas Roessler - due 2007-07-18].
<stephenF> stephen doesn't agree but will do that some other time:-)
<anil> I would like to attend as I live in Chicago
<tlr> stephen, you don't agree with what?
<stephenF> more than welcome anil
<stephenF> tlr - just generally:-)
<johnath> he's very disagreeable
<stephenF> oh no I'm not
<tlr> johnath, we all know that
<johnath> stephenF: :)
Mez: I am going to type in IRC
tlr: not yet arrived
... welcome shawn. middle of liaison discussion
... wonder anybody on the call what aspect of 3gpp we shud be
liaisoning
... want to defer this part as dan/bruno unavailable
<stephenF> think dlna is home n/w
<jvkrey> Wikipedia says TISPAN is "Telecoms & Internet converged
Services & Protocols for Advanced Networks", part of European
Telecommunications Standards Institute (ETSI)
tlr: I want to defer to dan as to what dlna is
... rob and bruno on avail. Lets defer this and move to next item
correction: rob and bruno unavail
WhatIsASecurePage
<tlr> [16]http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage
yngve: lets see how am doing
<tlr> agenda order: WhatIsASecurePage, then wsc-usecases
yngve: goals i am trying to add.
... definitions
Mez: good background.
... am looking for ??? section that will be good
<johnath> Mez - halfway down - numbered list
<tlr> [17]http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#head-efe936b22bcb83eed5ffa40cef2335278973f7cc
<johnath> "Proposals for..."
<Zakim> stephen, you wanted to ask if that should be "secure page" or
"TLS-secured page"
<tlr> woah @ the anchor
stephenF: u seem to be talking about tls secure page
... is it a tls secure page or a secure page
yngve: am trying to move towards tls secure page
... whether u can say whether mybankDOTcom is really my bank, it cannot
be at that level
stephenF: it can confuse people if no distinction is made
yngve: determine what kind of security
yngve: usually it is the padlock
yngve: i have listed the criteria
yngve: some that are in and some that are out of scope. Some that are
suggested.
hal: are u saying that any insecure content- that we consider insecure
(was not clear from writeup)
yngve: from my thinking, we cannot tell how sensitive a content is
... can include information at what u r looking for
... as I mentioned, some banks want to consider content over insecure
connection in a secure page
<Zakim> stephen, you wanted to ask whether reputation is better dealt
with elsewhere
yngve: I am leaning in the direction that it is insecure until it is
all secure
stephen: that seems to me that we presume what is a page
<tlr> stephen: presumes notion of what a page is
<maritzaj> forgot about another meeting at 11:30 ... apologies for
cutting out early
<tlr> yngve: all that's displayed?
yngve: somebody has a better suggestion
stephenF: if it is a tls secure page, it should be mentioned elsewhere
yngve: mentioned the possibility to use ocsp to get info as to what
kind of credit card to use
stephenF: I hate that idea
yngve: that info can be included in the certificates.
... if it is authorized by AmEx to pay by CC.
<PHB2> I don't like it either :-)
<johnath> digression alert!
stephenF: do not like that too much info into certs + layering
violation + need to go to Mastercard,Amex
... if the scope of this proposal is - what is a page? what is a tls
secure page?
<Mez> how is this a digression? sorry, it seemed on point to me. but if
it's a digression, it should be stopped
stephenF: the scope of what is a secure page is too broad
... it will lead us to make mistakes
... just get the scope to "what is a page?"
<PHB2> OK what I would go for is a world where maybe we issue EV certs
with specifically accredited OIDs that can be used by payment
processing protocols.
<johnath> Mez - sorry - stephenF's point, that the rec should be well
constrained, is on-topic. But how CC information might be handled in
cert vs. ocsp is all a separate rec, if at all. :)
<Mez> got it
yngve: am going through what criteria to consider. In opera,
associated fraud detection close to the padlock.
stephenF: i want to address just tls and not authorization
yngve: can take a look
Mez: sounds good
tyler: in ur conformance section, 5,9 and 12 talk about redirect
behavior. I do not understand. they seem contradictory. Please add some
text around the recommendations
... do not understand the motivation for why these should be done
yngve: aiming at when banks go from http to https
tyler: why is it a problem?
yngve: not much a problem. But I want these links to be clean. I want
to include in the links (that indicate https) into the security
indicators. Originally opera did that
<tlr> is that you, audian?
<Audian> yes
yngve: this is point 9. u click the link, submit the page. All this
should be included in the security indicator. If anything is insecure
transaction, this should be displayed in the security indicator.
<tlr> rachna, is that you?
<rachna> yes
yngve: if anything goes over http (when wished https), malicious code
can be inserted
... seen a couple of cases, html/javascript created a page without
padlock, but showed padlock.
<Zakim> johnath, you wanted to comment on criteria 16, 15, 10, 8, and 7
:) (I suspect I'll be re-queueing :)
Mez: can u please respond to tyler's request.
yngve: I will. providing some bckgrnd
<anil> who is talking
<tlr> johnath
<tlr> asaldhan, when you can't identify the speaker, just say ??1: blah
blah
<stephenF> +1 on not saying 2^32
<johnath> ref for keylength recs: [18]http://www.keylength.com/
yngve: am sort of putting in an advice if for example NIST
recommendation for xxx bit
johnath: for writing conformance report, consider keylength
Mez: that is for the authorities
johnath: many of them are crypto people
... here.
yngve: 512 bit certs are still in use
... a month or 2 ago, some finance sites were using it
<johnath> zakim: q?
<tlr> e.g., bcp 86?
yngve: authorities do not always agree. euro authorities are not
recommending 1024 bits
<tlr> [19]http://tools.ietf.org/html/bcp86
<tlr> Determining Strengths For Public Keys Used For Exchanging
Symmetric Keys
PHB2: we should differentiate confidentiality with authenticity instead
of secure page
... a class of certs are only for confidentiality
<stephenF> phb: what's wrong with anon D-H for that
PHB2: either u do not see any indicators or u register the cert
<Zakim> Thomas, you wanted to ask if there's a spec elsewhere that we
might reference
tlr: follow up with the discussion about keylength - bcp86
<johnath> yngve: for the record, I think this is an important
recommendation to get in. I'm wordsmithing it, but I think this is one
of the key recs to get browser vendors to align on, as a whole.
<stephenF> bcp 86 only requires "commensurate" though (from memory)
tlr: bcp86 is a moving target document.
<Zakim> stephen, you wanted to ask if item #4 is ok since its a server
thing
yngve: will look at it
<tlr> ... deliberately ...
stephenF: proposal #4
<tlr> huh? The charter explicitly gives that example. ;-)
stephenF: we thought we do not do proposals about what websites shud
do. are we breaking rule
... concerned that we will be making a reco that ppl will totally
ignore
... there are large # of developers who code websites in a number of
ways
... situations where someone has control over part of the website and
not the other part. They will have difficulties in conformance
<Mez> thomas is
tlr: what web client should do ???
<johnath> (I hear low volume noise)
<johnath> hal, asaldhan - can you mute if you're not going to jump in?
stephenF: tlr we need to issue statements for server side developers?
<tlr> I think there's value to writing up "how to deploy a web site
that causes security indicators to show up" type checklists in
MUST/SHOULD language. ;-)
<anil> *** stephen I am lost a bit here
tlr: am satisfied to keep what we have.
<Zakim> johnath, you wanted to question criterion #10
johnath: criteria 10
... understand how this got in. users may not realize they are
submitting content to a unsecure site
<PHB2> In fact I would like to see as little flipping from secure to
unsecure as possible
johnath: I do not see this recommendation may not help making a better
world.
<Mez> tyler, does PII use the submit url as the target website, or the
url of the form? I hadn't thought about that crisply, and this
discussion makes me wonder
yngve: submitting creds intended for protected services. U need to plan
to do it in secure fashion. In a protected page
johnath: creating this behavior in the browser will create sufficient
nuisance for people to work around it.
<Mez> warnings would get disabled after the first time
<Mez> but some sort of SCI would be interesting
<stephenF> -1 to flag days
<Mez> it wouldn't be possible for all clients to implement anything
totally at the same time
<tlr> +1 to -1 to flag days
<tlr> ;-)
<tlr> I'm +1 to point 2, but -1 to 10.
<Zakim> stephen, you wanted to ask if this text treats the SCI in too
"binary" a way
Mez: we can have discussion on alternatives
stephenF: in dublin, we discussed that security indicators is a binary
flag.
... but this proposal indicates that binary display is not sufficient
<tlr> indeed, that's an important point
stephenF: why not "low secure" "high secure"? Increase security
<tlr> padlock -> $padlock
yngve: do not have a glossary as to what terms mean
<stephenF> fair enough to revisiting when glossary done
<tlr> I think "padlock" at this point is an existentially quantified
variable that holds whatever the right kind of indicator is.
Mez: agree with stephen that we need to bring more recommendations
<Zakim> Thomas, you wanted to speak about #3
tlr: #3. Sounds like a good idea
... if u have been using secure connectn to transmit creds, u shud not
be using those creds/tokens in a less secure env
... authentication/authorization models exist
<anil> ****tlr. please fill in some information about authentication/
tokens/cookies here plz
<stephenF> fwiw, stephen fine to punt SSC discussion to next week
<Mez> stephen, would you be ok if ssc got moved back to the next
meeting if we run over on this topic?
<Mez> great, tx
<stephenF> fwiw2: I gotta go off the call for 5 mins
<Mez> ok, then we're definitely pushing it back to next week
<Mez> next week then. what the heck.
<Audian> yawn
<stephenF> back now
<tlr> audian, yawn @ what?
<anil> ***tlr I am lost. Please fill in what you mentioned
<anil> *** before we send the minutes
<Zakim> PHB, you wanted to say, banks should simply put all their
content in a secure zone
<tlr> tlr: there's the typical token-based authentication mode used by
big web properties, which is based on authentication going on through
HTTPS, then a token (cookie) is transferred through HTTP to low-value
services.
PHB2: suggest changing #1 that all web servers shud support ssl
restarts?
<stephenF> s/restart/resume/ is it?
<tlr> #3 contradicts that; do we want to deprecate that practice?
PHB2: oh yes, we can secure entire web site but it will not be performant
... should tell users that they should secure all of their content
<tlr> agree on the bank interactions.
<Mez> I look forward to seeing the conformance language for that!
PHB2: unless if u r a site like amazon where majority of the site is
content. secure content is done by separate servers. For banks,
everything should be secure. once secure, no reason to go to insecure
content.
<tlr> however, there is a reason to go back to insecure: You need a TLS
private key on every server. Either, you open a CA, you cough up a lot
of money, or you create attack surface by using wildcard certs.
<tlr> mez, so do I. It's a hard to crack problem.
<tlr> ACTION: phb to phrase conformance language for fully securing
sites [recorded in
[20]http://www.w3.org/2007/07/11-wsc-minutes.html#action04]
<trackbot> Created ACTION-268 - Phrase conformance language for fully
securing sites [on Phillip Hallam-Baker - due 2007-07-18].
Mez: tlr and I think that conformance language around that is tough. U
want to take a crack at that?
<tlr> phb, we don't hear you
tyler: reco for server side developers, one reco for tls secure page
and one reco ???
<Mez> I encourage everyone with thoughts that might not get them out in
the next 12 minutes to put them in email, issues, etc.
<johnath> if tyler is getting to recommending that this be broken down:
+1
<johnath> there we go, +1 to tyler. :)
<tlr> +1, too
<stephenF> +1
tyler: could you break out the tls section
<Mez> the template itself though really works against making smaller
parts. Because there's so much reference material. But I think we'll
need to deal with that anyway, with the robustness issues.
yngve: will take a look
<Zakim> johnath, you wanted to discuss criterion 16, if there's still
time before stephen's SSC topic
<tlr> reading 14 and 16 side by side, they are similar, and should be
phrased in parallel
<PHB2> did I just drop off the call
<tlr> yes phill
<tlr> a while ago actually
johnath: support tyler in breaking out the 3 components
<Mez> yes, we missed you phill
johnath: criterion #16
<Mez> you were saying something about making #1 more general, then
dropped
<sduffy> gotta run to another meeting... REMINDER: Please have your
proposals in the new template form by COB today
<Mez> thanks shawn
*** johnath, please chime in what you are saying.
**** johnath I lost the trail
<stephenF> johnath: insisting on all-EV seems over the top
<stephenF> +1 to johnath - similar point could be made about 2048 vs
1024 mixes
<tlr> yuck, don't do a MAY there
<stephenF> am I'm disagreeable? :-)
johnath: EV tells that this is paypal. But it does not tell that paypal
is legitimate
***johnath could u please pen what you talked about in IRC
<johnath> (self-scribing) johnath: criterion 16 requires user agents to
treat a totally https page with an EV top-level document as non-EV if
it includes https content which uses OV/DV certs. I think that the use
of those certs doesn't alter the identity of the page
*** tlr. I need to vanish at the next scribing assign
<Mez> sorry bill and thomas
<Mez> I really, really hope you put your questions into email
Summary of Action Items
[NEW] ACTION: mez to put liaison list into wiki [recorded in
[21]http://www.w3.org/2007/07/11-wsc-minutes.html#action01]
[NEW] ACTION: phb to phrase conformance language for fully securing
sites [recorded in
[22]http://www.w3.org/2007/07/11-wsc-minutes.html#action04]
[NEW] ACTION: roessler to attend tam BOF in Chicago, wave WSC flag,
report back [recorded in
[23]http://www.w3.org/2007/07/11-wsc-minutes.html#action03]
[NEW] ACTION: zurko to put liaison list into wiki [recorded in
[24]http://www.w3.org/2007/07/11-wsc-minutes.html#action02]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [25]scribe.perl version 1.128
([26]CVS log)
$Date: 2007/07/19 09:21:35 $
References
1. http://www.w3.org/
2. http://www.w3.org/mid/OFB8544FBE.6C21574F-ON8525730F.0075697F-85257314.00529812@LocalDomain
3. http://www.w3.org/2007/07/11-wsc-irc
4. http://www.w3.org/2007/07/11-wsc-minutes.html#agenda
5. http://www.w3.org/2007/07/11-wsc-minutes.html#item01
6. http://www.w3.org/2007/07/11-wsc-minutes.html#item02
7. http://www.w3.org/2007/07/11-wsc-minutes.html#item03
8. http://www.w3.org/2007/07/11-wsc-minutes.html#item04
9. http://www.w3.org/2007/07/11-wsc-minutes.html#item05
10. http://www.w3.org/2007/07/11-wsc-minutes.html#item06
11. http://www.w3.org/2007/07/11-wsc-minutes.html#ActionSummary
12. http://www.w3.org/2007/06/27-wsc-minutes
13. http://www.w3.org/2007/07/11-wsc-minutes.html#action01
14. http://www.w3.org/2007/07/11-wsc-minutes.html#action02
15. http://www.w3.org/2007/07/11-wsc-minutes.html#action03
16. http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage
17. http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#head-efe936b22bcb83eed5ffa40cef2335278973f7cc
18. http://www.keylength.com/
19. http://tools.ietf.org/html/bcp86
20. http://www.w3.org/2007/07/11-wsc-minutes.html#action04
21. http://www.w3.org/2007/07/11-wsc-minutes.html#action01
22. http://www.w3.org/2007/07/11-wsc-minutes.html#action04
23. http://www.w3.org/2007/07/11-wsc-minutes.html#action03
24. http://www.w3.org/2007/07/11-wsc-minutes.html#action02
25. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
26. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 19 July 2007 09:51:35 UTC