- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 22 Jun 2007 20:35:48 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes were approved and are public:
http://www.w3.org/2007/06/13-wsc-minutes
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC WG weekly
13 Jun 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
MaryEllen_Zurko, Thomas, jvkrey, rachna, luis, Bill_Doyle,
shawn, stephenF, Chuck_Wade, dan.schutzer, johnath, PHB, audian,
maritzaj, tyler, serge, Hal_Lockhart, yngve, anil
Regrets
beltzner
Chair
MEZ
Scribe
luis, tlr
Contents
* [4]Topics
1. [5]approving minutes
2. [6]Last Meeting's minutes
3. [7]newly completed action items
4. [8]agenda bashing
5. [9]status update on EV certificates
6. [10]conformance and rec drafting
* [11]Summary of Action Items
__________________________________________________________________
Last Meeting's minutes
mez: minutes approved
<tlr> [12]http://www.w3.org/2007/05/30-wsc-minutes
<tlr> [13]http://www.w3.org/2007/05/31-wsc-minutes
mez: action items
<tlr> [14]http://www.w3.org/2007/06/06-wsc-minutes
newly completed action items
mez: referring to closed action items due to inactivity
<asaldhan> that was Anil from JBoss/RedHat
tlr: Action 199 - possible recommendation material
<Mez> slow down thomas
<Mez> as did I
<Mez> miss what you said
<tlr> ACTION-199
<Mez> go slow; your phone connection is fuzzy
<Mez> consider irc backup :-)
tlr: Chuck Wade had the action
... extracting recommendations on authentication
dan: giving some contributions
<tlr> ACTION: schutzer to revisit section 3 of BMA study results
[recorded in
[15]http://www.w3.org/2007/06/13-wsc-minutes.html#action01]
<trackbot> Created ACTION-261 - Revisit section 3 of BMA study results
[on Daniel Schutzer - due 2007-06-20].
dan: he has the appendix and will send it out
<Chuck> I have no "violent" disagreement. Thanks, Dan.
tlr: asking about conformance section
agenda bashing
tlr: potential for demonstrations. Audian?
audian: i have the infrastructure but have to consider payment
... I need to make an estimation and then come back
mez: moving discussion to email space
... on agenda recommendations, security protocols
... update on EV certs
... Thomas wonders about the URLs he put out
tlr: Two parts are there. we are lagging behind
mez: we are still on agenda bashing
... conformance discussion are also needed
status update on EV certificates
<Mez> [16]http://www.w3.org/2006/WSC/wiki/EV
johnath: EV certs.
<tlr> it is
<tlr> he sounds better than you
<johnath> [17]http://www.w3.org/2006/WSC/wiki/EV
johnath: rehashing history
... 1st question. why EV?
... old system didn't work. CA creating different degrees of validation
... too much vendor favoritism. CA couldn't explain charging high
prices
... some roots were misbehaving
... root stores started with Netscape
... Netscape was (?) affected by liability
... Some CAs had more rigorous practices
... many browser vendors are supporting EV guidelines
... including major ones
... guidelines for considering business entities
... EV doesn't address identity issues
... EV creates a higher bar
<PHB2> not necessarily!
johnath: EV is real and is here. Support will be given to those
endorsing EV
<PHB2> The EV experience means that people will know that it's a
VeriSign certificate, so they may recognize services we offer over and
above the minimum requirements of EV
johnath: EV will be supported by major UA browsers
<PHB2> What EV means is that there should not be any null CAs issuing
EV certs with no effective accountability checks whatsoever
<serge> And how many users know exactly what Verisign does?
johnath: many will be tempted to see the EV buzz as a panacea, but it's
not and there are issues to work on
<PHB2> How much will we invest in telling them?
mez: any comments?
chuck: EV is useful. Does EV clean up other cert-related standards?
... other cert standards have also come along.
<stephenF> s/cleaning standards/complying to standards/ ?
johnath: yes, EV does gather previous cert proposals
... guidelines refer to OCSP, CRL
... on logotypes - it says nothing on validation
... which is next thing to tackle
PHB: nothing affects logotype.
... wants to see the follow-up
... user interaction with the browser
... need to authentication for better co-signing
mez: let's avoid discussing here cabforum's future work
PHB: who is the trust provider?
<Mez> just want to keep us on topics of immediate interest and utility
to wg
PHB: issuing suspicious certs damage the brand
... accountability for cert issuers
serge: on logotypes
... previous CAs ... most users don't deal with these companies
... don't recognize the logos
... users trust logos that look like previously seen ones
... but don't understand what they actually mean
mez: let's not fall deep into logotype discussions
<serge> [18]http://portal.acm.org/citation.cfm?id=953510
<tlr> ACTION: serge to share study on effectiveness of trust seals in
SharedBookmarks [recorded in
[19]http://www.w3.org/2007/06/13-wsc-minutes.html#action02]
<trackbot> Created ACTION-262 - Share study on effectiveness of trust
seals in SharedBookmarks [on Serge Egelman - due 2007-06-20].
<Zakim> johnath, you wanted to reply to PHB about who verifies an
identity
mez: ACM link above requires subscription :-(
<Mez> we'll have full ev and logotype discussions around the actual
proposals at some near future meeting
<Mez> ack dan.schutzer
johnath: refer to identity recommendations he put
dan: who is entitled to the logotype?
johnath: move the discussion to cabforum
chuck: following up dan's comment. the logotype should be displayed in
the security part
... there is some relevance to this group
conformance and rec drafting
tlr: updated template on proposals.
<Chuck> The important point is that the "community" logotype needs to
be displayed in a secure manner (whatever that means)
tlr: an example is available too
<Mez> the template is at
<Mez> [20]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
tlr: Question? conformance can be done on secure page, e.g.
... Is there something more we need to do?
... by the end of this week
<johnath> tlr is cutting out for me for a couple seconds at a time
... (some words are dropped on the line)
<sduffy> me too
... requesting feedback
<Audian> I was able to hear thomas just fine
... proposals needed for conformance sections
mez: clarifying thomas request
<Audian> but i wasn't listening
<tlr> audian, tsk
tlr: great if all can work on the wiki
... check in realtime and speak up
<Mez> [21]http://www.w3.org/2006/WSC/drafts/rec/#certerr
mez: next item is: Security Protocol Error Presentation
... can any one walk through the proposal?
<Mez> Michael McCormick couldn't make it for this meeting
stephenF: can we make recommendation without seeing prototype
suggestions?
<Audian> i'm leaving irc, but will attempt to stay on the call (elvis
is kinda leaving the building)
stephenF: .... it can be too early
mez: can you clarify?
stephenF: we need to see proofs of concept before recommendations
... doubt that they are all possible
mez: all dialogs have more than one button
... do you want an example?
stephenF: recommendations need to be backed up by experimentations
tlr: rephrasing ...
johnath: supporting stephenF
... we should have a notion on how these recommendations could be
implemented
... difficult to qualify implementation based on recommendations
... they are too broad
<yngve> I have discussed some aspects of this in my article
[22]http://my.opera.com/yngve/blog/show.dml/461932
<Zakim> stephenF, you wanted to say that its not just conformance, but
existence proof
mez: the conformance draft may be public before reaching internal
consensus
stephenF: concern is that we are disagreeing on recommendations that can't be
done in practice
... for example PKI. There are thousands of risks that mean nothing to
the user
... we are missing abstractions that can make sense to the user. But
it's not obvious
chuck: I use many browsers and find many SSL/certs problems
... and every browser handles problems in its own way, own jargon, own
UI...
... some cleanup, rational option, are needed
<stephenF> +1 to cleanup (if it means develop an abstraction users
might get)
... this group can be effective in getting this across
yngve: how to explain to the user? ...
<Chuck> Apologies, I've just had to "step out" to help a client with a
critical problem.
yngve: e.g. unknown certs... like in real life when someone makes a
strong statement that is difficult to verify
... a client can't just shut down a connection. The question is what
criteria the browser can use
<tlr> that ties in with Stephen Farrell's action to look at the SSL
behavior
yngve: but the user can't make that criteria either
... cases when user knows where he wants to go but no one can help her
PHB: there is no need to display all those errors
... e.g. instead be silent and take the user to the site but with no
security indicators
<Mez> an affordance to "correct the problem" if it's something the user
can deal with, such as accepting a new cert, is the only hole I see in
phil's point
<stephenF> The abstraction that means something to the user need not be
the same as the abstraction of the protocol errors
tlr: I hear two proposals and bunch of ideas
... one proposal is on certification
... becomes a non-normative chapter in the recommendations
... the other proposal is on interaction for non-trusted sites
... what conditions should trigger errors and what not
... collecting what has been said and consolidate
... what's been said by yngve, stephenF, PHB
... i suggest all three draft a proposal
<stephenF> me
stephenF: seems reasonable. but someone from the user side is needed
<tlr> ScribeNick: tlr
stephen: sounds reasonable to do protocol stuff first
<luis> (got to leave now - bye)
stephen: think action item is due in two weeks ..
MEZ: Stephen, please verify in tracker
yngve: replying to phil about what browsers should do
... opera not showing padlock on mixed security ...
<Mez> [23]http://www.w3.org/2006/WSC/Group/track/users can be used by
everyone to see their open action items
yngve: do not show padlock if there's OCSP trouble ...
<stephenF> action 240 on me is due 20070626
mez: looking forward to seeing Yngve's proposal in conformance language
tlr: think it is in conformance language, or close to
yngve: ?!
mez: robust discussion around bullet items
... fading away ...
... seem to have a lot of pieces we have together ...
... any other comments on 3.4 proposals ...
<stephenF> I don't understand the last one
mez: "do not refer to destination URL for assistance"
... that's the "contact the site administrator" type of advice
<stephenF> ok with that - admins never help anyway:-)
tlr: (a) abstract: don't ask people to override security decision to
make that very decision.
... (b) concrete: don't suggest contacting the site that you are trying
to contact right now
yngve: suggest something like "please contact webmaster by e-mail at
......"
... not sure how broadly used that one is
... mandating webmaster might be good idea ...
tlr: postmaster@ has been tried, it has failed ...
... also, out-of-band contact is pretty much the same as (b) above ...
yngve: any other method we can mandate for such communication?
mez: new protocol stuff?
yngve: probably
mez: CHI and whoever in SharedBookmarks
<stephenF> gotta go now folks, (might be travelling next week btw) bye
<yngve> perhaps [24]http://server/contactform ?
mez: broadness of use cases?
tlr: reflect level of abstraction that is here
... think this supports putting these things into general,
non-normative part of document ...
mez: on 3.7 ...
<Mez> [25]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
tyler: bothered that template doesn't star any of the material that we
worked on in the note
... would kind of like to go back to old template ...
... current template seems not focused on enabling testing ...
... seems to be driving toward language that we can put into our final
recommendations ...
... isn't that jumping the gun on the process ...
... if you agree that the purpose of the first document is to have
something to build consensus about ...
tlr: point of template is precisely to take first stab at core idea --
what is it that should be done universally?
tyler: umh, lost the thread
mez: would like to hear from others as well
... one thing is that nobody who knows about usability testing had any
comments about 3.7 ...
... personal opinion: all parts of the template will be necessary to
actually understand any particular part of the proposal ...
... since we don't care about time line ...
... seems like right thing is to make all the sections required ...
... at least take a stab at them ...
... but don't require people to put in things that are meaningless /
stupid ...
... would be happy to rip off asterisks ...
<Mez> it's a pause
<Mez> while we see if anyone else has an opinion
schutzer: use new template, take stab at everything, but use judgment?
mez: would be hard to see how something that goes toward a standard
could not have conformance language.
<Mez> [26]http://www.w3.org/2006/WSC/drafts/rec/#certerr
tyler: which one had the use case section irrelevant?
mez: we were going through the cert error part
... I think I challenged Michael in e-mail ...
... there are some use cases going at SSL-specific error cases ...
... there is a flaw in either the use cases or the recommendation
proposal ...
tyler: it's an error somewhere
<Mez> I don't think the note has to have all the use cases
<Mez> tyler seems to disagree with that
<Mez> it seems reasonable to me that a proposal could "add" use cases
at the proposal scope
tlr: there are categories like "universally useful, but not a specific
recommendation"
mez: how to wrap up?
tlr: think we should keep the asterisks. These are priorities. These
are what the recommendations actually mean
mez: will take this up in e-mail
<rachna> Mez, I'll respond to your usability question about the certerr
template in email.
<Mez> tx rachna
<Mez> I really want the template to be useful, so it's critical that
any sections we claim are important actually are
Summary of Action Items
[NEW] ACTION: schutzer to revisit section 3 of BMA study results
[recorded in
[27]http://www.w3.org/2007/06/13-wsc-minutes.html#action01]
[NEW] ACTION: serge to share study on effectiveness of trust seals in
SharedBookmarks [recorded in
[28]http://www.w3.org/2007/06/13-wsc-minutes.html#action02]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [29]scribe.perl version 1.128
([30]CVS log)
$Date: 2007/06/22 16:29:33 $
__________________________________________________________________
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0083.html
3. http://www.w3.org/2007/06/13-wsc-irc
4. http://www.w3.org/2007/06/13-wsc-minutes#agenda
5. http://www.w3.org/2007/06/13-wsc-minutes#item01
6. http://www.w3.org/2007/06/13-wsc-minutes#item02
7. http://www.w3.org/2007/06/13-wsc-minutes#item03
8. http://www.w3.org/2007/06/13-wsc-minutes#item04
9. http://www.w3.org/2007/06/13-wsc-minutes#item05
10. http://www.w3.org/2007/06/13-wsc-minutes#item06
11. http://www.w3.org/2007/06/13-wsc-minutes#ActionSummary
12. http://www.w3.org/2007/05/30-wsc-minutes
13. http://www.w3.org/2007/05/31-wsc-minutes
14. http://www.w3.org/2007/06/06-wsc-minutes
15. http://www.w3.org/2007/06/13-wsc-minutes.html#action01
16. http://www.w3.org/2006/WSC/wiki/EV
17. http://www.w3.org/2006/WSC/wiki/EV
18. http://portal.acm.org/citation.cfm?id=953510
19. http://www.w3.org/2007/06/13-wsc-minutes.html#action02
20. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
21. http://www.w3.org/2006/WSC/drafts/rec/#certerr
22. http://my.opera.com/yngve/blog/show.dml/461932
23. http://www.w3.org/2006/WSC/Group/track/users
24. http://server/contactform
25. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
26. http://www.w3.org/2006/WSC/drafts/rec/#certerr
27. http://www.w3.org/2007/06/13-wsc-minutes.html#action01
28. http://www.w3.org/2007/06/13-wsc-minutes.html#action02
29. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
30. http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 22 June 2007 18:36:04 UTC