- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 9 Mar 2007 17:20:42 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 20 February have been approved. They
are online here:
http://www.w3.org/2007/02/20-wsc-minutes
A text/plain version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC Working Group Teleconference
20 Feb 2007
See also: [2]IRC log
Attendees
Present
Mike Belzner
Chuck Wade
Hal Lockhart
Jonath
Maritza Johnson
Mary Ellen Zurko
Tony Nadalin
Phill Hallam-Baker
Paul Hill
Rob Franco
Thomas Roessler
bill-d
Rachna
(Rob Franco)
Regrets
Chair
Mary Ellen Zurko
Scribe
Phill Hallam-Baker
Contents
* [3]Topics
1. [4]Minutes approval
2. [5]Action item review
3. [6]Note draft
* [7]Summary of Action Items
_________________________________________________________________
Minutes approval
Approving minutes from last meeting
<tlr> [8]http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html
Minutes approved nem con
Action Item review
Next topic: Newly closed action items
No issues raised.
Note Draft
tlr [9]http://www.w3.org/2006/WSC/drafts/note/
MEZ: Issue is getting our note to First Public Working Draft (FPWD). Have
people actually read the draft?
<Nadalin> yes
MEZ: Reading the draft is 'trivial parallelism': we can all read it at once.
Are there substantive issues we need to address before FPWD?
TLR: One would be to move material from overview to the abstract
MEZ: OK but this is not a blocking issue, you can do it this week while you
are editor.
tlr ACTION: thomas to expand abstract of note by moving in material from
overview [recorded in
[10]http://www.w3.org/2007/02/20-wsc-minutes.html#action02]
Recorded as ACTION-145.
Chuck Wade: we need to address the fact that there are many specialized
browsers for particular content, specialized actions etc, W3C can provide
forward references. This was not coming out in note
Bill-d: We should address the topics of forward evolving models, forward
security models, isolated sandbox modes, newer O/S models, treat security
possibly in completely different mechanisms
Chuck: Part of what maybe needs to be brought to the forefront is the way
that browsers deal with the platform, using common infrastructure of the
platform rather than bringing it all themselves. The platform is a better
place to put security to be used by many browsers, applications as common
interfaces, this is not just about how security should be presented to
users using a browser but by users using the Web, many more diverse
platforms, many more uses than in the past,
tlr: did a bit of rewriting last week on the way in which the note deals
with what is in and out of scope. Rephrased from relatively product centric
view to talking about web interactions, http, https at the center of that
Chuck I agree with you, Thomas, that some of the recent changes do improve
the document.
tlr: Are the changes made last week sufficient to take this into account in
your view, is this something that has to happen now?
chuck: can happen later, should be more visible, some of the recent changes
heading in the right direction
mez: charter is very general, say web user agent
Chuck I'm merely arguing that some of these key concepts need to be more
"front and center."
mez: use cases were browser centric last time I looked at them
Chuck We need to be "Web" centric, and not "browser" centric in terms of
user security context
mez: we briefly discussed widgets on the list a while ago we discussed voice
browsers a while ago, in general we were trying to motivate the stuff we
are doing with use cases, it could be that there are some use cases that are
missing. one that is missing is a list of user agents we are going to cover,
one of the reasons I would have liked the list is for just this reason,
trying to keep in mind, do it centrally as sort of a goal thing.
Chuck How about the "iTunes" use case? This is somewhat "tongue in cheek"
remark, but this is an example of what will likely emerge as a much more
common approach.
mez: How do people get security context from iTunes? Not the way they get it
from a browser? Are these use cases rather than user agents?
Chuck: Use cases rather than user agents, stock transactions, things like
that, what about the AJAX applications? Web will be redefined in many ways,
New social engineering opportunities
Beltzner +1 to MEZ
MEZ we are not about changing anything under the covers, you are beginning to
wander there
TLR: I am going to be the bureaucrat: there are a lot of important points,
are these on the critical path for the first draft of this note? To what
extent does it affect classes of implementations for which we define
conformance? State that the note is in currently is ok for first public
draft, may want to contribute further use cases, first draft is soliciting
comment for the first time, not closure
Chuck I am not suggesting that we hold off sharing our work with a wider
audience, but that we consider evolving our Note to address some of the
forward references
MEZ: Chuck willing to take an action to lead conversation on list
Chuck: yes
tlr ACTION: chuck to start conversation on conformance for non-browser user
agents and forward-looking web use [recorded in
[11]http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
Recorded as ACTION-146.
MEZ: Everyone is happy, any more comments on FPWD? ... NO
TLR: Thing to do is for the group to agree to go to FPWD if folk are happy
with me to fix the abstract
MEZ: will ask you to send out a copy of or a link to when it changes ...
that ok thomas?
TLR: need to be clear, we are doing the first PWD for the note not
substantive proposals. I rephrase, if nobody objects then we publish that
would work for me, does that make sense?
MEZ i think it sounds good
MEZ: should we talk through any mechanics need to do at group level
TLR at group level we need a decision
MEZ we are making the decision now
TLR: sorry for spoiling the party: title and short name for the thing?
MEZ: do you remember what they were
MEZ takes a minute to find it
MEZ will have the dreaded phrase web security context
MEZ any other proposals, put them forward
tlr PROPOSED: Web Security Context Use Cases and Requirements
tlr shortname: wsc-reqs
Chuck How about: "Trusting the Web--Not!"
PHB: we need something better than security context
HAL: user interface?
Mez "Web Security Context: Requirements and Use Cases"
PHB User Experience is better
MEZ agrees
Chuck How about "Security EXperience"? The Acronym ought to be catchy
Mez "Usable and Robust Display of Web Security Context: Requirements and Use
Cases"
Beltzner: don't like user interface, tends to create ire amongst browser
providers
Mez "Are You Experienced"
Beltzner: idicators is good, indicators
Nadalin Secure Web User Experience: Requirements and Use Cases
Mez "Web Security Experience and Indicators: Use Cases and Requirements"
MEZ: security experience and indicators?
Chuck Security Experience and Indicators
hal just web security indicators
TLR: ??
Mez WEB Security Experience ...
TLR: secure browsing? tagline from PR
MEZ Are we overpromising?
bill-d web IA
TLR does this map to what we provide?
hal I like just plain web security indicators - drop experience
johnath Web Security Information and Indicators?
Mez "Web Security Indicators: Use Cases and Requirements"
Chuck How about Web Trust Indicators
PHB likes experience
Chuck Trust is the real problem,
MEZ trust makes her nervous
Chuck Ultimately, what matters is whether the person can trust their
experience on the WEb
Mez "Trusting Web Trust" - gets both usability and robustness
Nadalin I think that we need to include "experience" since we are not
talking about all of security its just the visual experience
rfranco I think the document is more about recommendations rather than
requirements, needs, you wanted to be more than just experience and
indicators - needs to use context to provide IA
beltzner rfranco++
Mez "Making Assurance Double Sure: Directions in Web Experience and
Indicators"
bill-d: information assurance... want trust.. secure experience.. don't want
to say provide secure environment
Chuck How important is it for the user to be able to trust the content
they're presented with?
PHB: We can make an empirical statement about the state of Web security
experience... albeit a negative one
beltzner Mez_: "security" seems to have some consensus
beltzner :)
Mez "Web Security Experience, Indicators, and Trust"
MEZ: consensus????
johnath Mez_++
beltzner yeah, that last one was good
Mez "Trusting Web Security Experience and Indicators: Use Cases and
Directions"
beltzner plus it starts with WS, which makes johnath and I happy
Chuck There's trust of the session you have with a Web site or sites, and
then there is the question of whether or not you can trust what you get back
from the Web site. The tendency to have so many actors throwing up content
on a page that the user thinks is associated with a single site is a real
part of the problem.
johnath mez - Liked your previous one more than this last
HAL: term security maps to what people expect..
Chuck "Trust" as a term is a perfectly good English word that has been
corrupted by the various security snake oil purveyors
Mez "Web Security Experience, Indicators and Trust: Requirements and Use
Cases"
johnath yes - sorry, assumed the suffix there. Mez++ again
TLJ: must not appear to be recommendations as it isn't
Mez "Web Security Experience, Indicators and Trust: Scope and Use Cases"
Belzner: note is not putting forward requirements
beltzner sounds like a barn burner
TLR use cases but probably not specific enough for requirements
MEZ: now taking concrete suggestions or alternatives
MEZ: ok we have a title
tlr title: Web Security Experience, Indicators and Trust: Scope and Use
Cases
Mez wseit-scope
Mez wsc-scope
Mez wsc-use-cases
tlr wsc-usecases
HAL: hard enough without name of doc being different to WG
mez: any objections, alternatives
tlr RESOLVED: Web Security Experience, Indicators and Trust: Scope and Use
Cases
tlr RESOLVED: wsc-usecases
MEZ: ok we have a title, short title
Chuck Yes
rfranco what is the date?
tlr RESOLVED: To move editor's draft to FPWD after no-objection period for
abstract
TLR: purely editorial changes ... publication now mechanical apart from the
abstract
TLR abstract by noon eastern tomorrow
TLR 2,3,4 March for publication???
TLR any changes after now into future version
franco: going live with news immediately prior to the next f2f?
Mez [12]http://www.w3.org/2006/WSC/
MEZ: any other things needed at the team level
MEZ alright great....
MEZ: don't think we have time for any other discussion items today... will
send notes on chrome to list
MEZ will also be putting out reply on reputation service
TLR: metz q on how to proceed
... note will not be published by next meeting, how do we move on to the
recommendations side of the doc?
... probably quite ready to move on to the technical side of the discussion,
Take up threat trees
tlr meeting adjourned
Summary of Action Items
[NEW] ACTION: chuck to start conversation on conformance for non-browser
user agents and forward-looking web use [recorded in
[13]http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
[NEW] ACTION: thomas to expand abstract of note by moving in material from
overview [recorded in
[14]http://www.w3.org/2007/02/20-wsc-minutes.html#action02]
[End of minutes]
_________________________________________________________________
Minutes formatted by David Booth's [15]scribe.perl version 1.127 ([16]CVS
log)
$Date: 2007/03/09 16:15:20 $
_________________________________________________________________
References
1. http://www.w3.org/
2. http://www.w3.org/2007/02/20-wsc-irc
3. http://www.w3.org/2007/02/20-wsc-minutes.html#agenda
4. http://www.w3.org/2007/02/20-wsc-minutes.html#item01
5. http://www.w3.org/2007/02/20-wsc-minutes.html#item02
6. http://www.w3.org/2007/02/20-wsc-minutes.html#item03
7. http://www.w3.org/2007/02/20-wsc-minutes.html#ActionSummary
8. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html
9. http://www.w3.org/2006/WSC/drafts/note/
10. http://www.w3.org/2007/02/20-wsc-minutes.html#action02
11. http://www.w3.org/2007/02/20-wsc-minutes.html#action03
12. http://www.w3.org/2006/WSC/
13. http://www.w3.org/2007/02/20-wsc-minutes.html#action03
14. http://www.w3.org/2007/02/20-wsc-minutes.html#action02
15. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
16. http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 9 March 2007 16:22:20 UTC