Meeting record: WSC WG weekly 2008-01-30

Minutes from our meeting on 2008-01-30 were approved and are
available online here:

   http://www.w3.org/2008/01/30-wsc-minutes.html

A text version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>



   [1]W3C

               Web Security Context Working Group Teleconference

30 Jan 2008

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Thomas Roessler, Maritza Johnson, William Eburn, Jan Vidar Krey,
          Tyler Close, Anil Saldhana, Bill Doyle, Ian Fette, Yngve
          Pettersen, Luis Barriga, Daniel Schutzer

   Regrets
          Johnathan Nightingale, Tim Hahn, Mary Ellen Zurko, Hal Lockhart,
          Serge Egelman

   Chair
          Thomas Roessler

   Scribe
          Ian Fette

Contents

     * [4]Topics
         1. [5]Convene
         2. [6]approve minutes
         3. [7]wsc-usecases updates
         4. [8]ISSUE-131: Executing code outside of browser
         5. [9]ISSUE-130: Trust Anchor Consistency Across Devices
         6. [10]ISSUE-114: Self-signed certificate changeover
         7. [11]ISSUE-129: Should we say anything about scoring
            techniques?
     * [12]Summary of Action Items
     __________________________________________________________________

   <trackbot-ng> Date: 30 January 2008

   <scribe> ScribeNick: ifette

Convene

   tlr: f2f next week, see mez's agenda email
   ... some draft text low hanging fruit, take a look
   ... look at editor's draft, and follow-up via email re: discussion on
   what can be fast-tracked
   ... today is poor attendance day
   ... mez, tjh, hal, phb, et al not here
   ... current AGENDA
   ... quick look at wsc-usecases, then ISSUE-131, then ISSUE-130, then
   ISSUE-114
   ... and ISSUE-129

approve minutes

   <tlr> [13]http://www.w3.org/2008/01/23-wsc-minutes.html

   RESOLUTION: minutes approved

wsc-usecases updates

   tlr: no closed action items
   ... tyler, can you give us an update?

   tyler: in tracker, only one action open against note to incorporate
   tjh's review
   ... that action is marked pending review, expecting tjh to go through
   doc and make sure it's good
   ... also got an email from Al Gillman, problem when reading note using
   screen reader. The table doesn't come out well
   ... he has people who will contact tyler re: how to reformat that
   ... want to turn table into list, tyler not so keen on because it's not
   so good pointing out what isn't covered

   tlr: what table?

   tyler: at the top of the list of scenarios is a table

   tlr: takeaway is there is some editorial stuff left, tlr happy to
   provide help if he can

   <tyler>
   [14]http://www.w3.org/2006/WSC/drafts/note/Overview.html#scenarios

   tlr: does tjh know that he's on the hook to review?

   tyler: pinged mez, she put it into pending, expecting mez to ping tjh.
   tlr will email tjh

   <tlr> ACTION-376

   tyler: it's ACTION-367

   <tyler> [15]http://www.w3.org/2006/WSC/track/actions/367

   tlr: all for this agendum

ISSUE-131: Executing code outside of browser

   ISSUE-131?

   <trackbot-ng> ISSUE-131 -- Executing code outside of browser in 8.3.2.3
   is vague / scary -- OPEN

   <trackbot-ng> [16]http://www.w3.org/2006/WSC/track/issues/131

   <tlr>
   [17]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#techniques-robus
   tness

   tlr: some level of agreement in december, on some text

   <tlr>
   [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Dec/0116.html

   tlr: see this email
   ... lengthy discussion thread re: plugins and how all of this applies
   to plugins
   ... should we go forward taking effectively a mix of the text that Mez
   had proposed in Dec. with the change that Mike had proposed, or...?

   ifette: i have no problem with the text in the email that the link tlr
   posted contains

   tlr: reads text

   yngve: would like to see the new version in written form
   ... should post somewhere

   ifette: already there

   tlr: action item to send mail to list

   <scribe> ACTION: tlr to send email to list regarding ISSUE-131
   containing full text of new proposal, and will close out the issue
   [recorded in
   [19]http://www.w3.org/2008/01/30-wsc-minutes.html#action01]

   <trackbot-ng> Created ACTION-380 - Send email to list regarding
   ISSUE-131 containing full text of new proposal, and will close out the
   issue [on Thomas Roessler - due 2008-02-06].

   tlr: assuming nobody objects to the email sent out, assume email ready
   to put to bed

ISSUE-130: Trust Anchor Consistency Across Devices

   ISSUE-130?

   <trackbot-ng> ISSUE-130 -- Trust Anchor Consistency Across Devices? --
   OPEN

   <trackbot-ng> [20]http://www.w3.org/2006/WSC/track/issues/130

   <tlr>
   [21]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0015.html

   tlr: latest proposal from luis posted

   <tlr>
   [22]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-across-devic
   es

   tlr: affected text is here (link above)
   ... content doesn't really control the UX
   ... we should not ask for the same UX
   ... suggests web content should offer trust and TLS consistency across
   UAs
   ... why doesn't luis introduce last changes

   <tlr>
   [23]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0015.html

   luis: only minor changes to proposed text, just clarifications
   ... first one is about user experience
   ... according to original text, says content should be designed to
   offer same UX, that's difficult, propose to change this, only thing web
   designers control is trust and TLS consistency, UX is on client side

   tlr: so let me understand
   ... by the same argument, tls consistency is a UA question as well
   ... after all, the UA selects the key of trust roots
   ... direction is to say that having the same security experience is a
   goal which designers should aim for
   ... disinclined to say TLS and trust anchor consistency
   ... suggests for first part, instead of "designed to offer" ->
   "designed to enable"
   ... "designed to enable a consistent UX"

   luis: maybe something more releaxed
   ... enabled more relaxed, better

   <tlr> "designed to enable a consistent user experience across..."

   tlr: happy to do that

   luis: second comment
   ... about website owners operating tls protected sites should anticpate
   mobile use
   ... may have constrained capabilities OR restricted trust anchors
   ... sounds like two options
   ... but really one is a consequence of the other

   yngve: point about certificates, it is possible for a CA that is not
   embedded in clients to be cross-signed by another CA
   ... similar to EV

   tlr: let's keep that out of our document
   ... have any concrete proposals?
   ... my inclination would be to take the text for first comment as
   agreed above, and taking luis's second change as is currently phrased

   RESOLUTION: issue closed, move on

   tlr: suggests yngve takes issue to phrase your problem more generally
   ... and tlr should close out 130

   <tlr> ACTION: tlr to change 9.5 in line with ISSUE-130 discussion ago;
   close issue. [recorded in
   [24]http://www.w3.org/2008/01/30-wsc-minutes.html#action02]

   <trackbot-ng> Created ACTION-381 - Change 9.5 in line with ISSUE-130
   discussion ago; close issue. [on Thomas Roessler - due 2008-02-06].

   <tlr> ACTION: yngve to bring up generic techniques for trust root
   changeover [recorded in
   [25]http://www.w3.org/2008/01/30-wsc-minutes.html#action03]

   <trackbot-ng> Created ACTION-382 - Bring up generic techniques for
   trust root changeover [on Yngve Pettersen - due 2008-02-06].

ISSUE-114: Self-signed certificate changeover

   ISSUE-114?

   <trackbot-ng> ISSUE-114 -- Self-signed certificate changeover -- OPEN

   <trackbot-ng> [26]http://www.w3.org/2006/WSC/track/issues/114

   tlr: what is currently proposed is a UX that makes cert changeover for
   SSCs basically impossible
   ... how do we deal with it
   ... any way to have changeover to a different SSC is a way to have a
   MITM attack
   ... no compelling solutions
   ... ideas?

   <tlr>
   [27]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#change-tls-state

   yngve: think X509/PKIX had a mechanism for telling what's the next
   key/whatever
   ... problem is that SSCs are going to be made by people not aware of it

   tlr: doesn't fit use case

   yngve: might work for some minor use cases
   ... not general use case

   tlr: can always say that there should be an interaction that provides
   ample warning and a reasonably complex user interaction that makes it
   hard to casually accept cert, but we end up having a coin toss between
   an attack going through and a new legit cert
   ... we might in fact be best served by saying MAY do override
   ... tempted to throw out that as a proposal for resolution

   tyler: will interested parties be at f2f?

   tlr: some, some will be on phone

   <bill-d> good drop off

   tyler: sort of thing that mez was talking about, fast-track?

   tlr: no resolution

   RESOLUTION: none

ISSUE-129: Should we say anything about scoring techniques?

   <tlr> ISSUE-129?

   <trackbot-ng> ISSUE-129 -- Should we say anything about scoring
   techniques? -- OPEN

   <trackbot-ng> [28]http://www.w3.org/2006/WSC/track/issues/129

   ISSUE-129?

   <trackbot-ng> ISSUE-129 -- Should we say anything about scoring
   techniques? -- OPEN

   <trackbot-ng> [29]http://www.w3.org/2006/WSC/track/issues/129

   scribe: quite a bit of recent discussion

   tlr: tjh had proposed a rewrite
   ... not sure he sees a rewrite in there
   ... wonder if current status is to merge in

   <Zakim> ifette, you wanted to jump on this issue

   ifette: no
   ... very against merging language into the document
   ... feel very strongly against SHOULD
   ... because a non-binary score is useless to users
   ... changes in score might be useful as a signal that we should warn
   something
   ... but a user seeing some number of bars, a percent, a score, a meter,
   is totally useless

   tlr: will defer this issue
   ... thanks for having shown up here
   ... one of the shorter calls in a while, see some of you next week in
   Palo Alto

Summary of Action Items

   [NEW] ACTION: tlr to change 9.5 in line with ISSUE-130 discussion ago;
   close issue. [recorded in
   [30]http://www.w3.org/2008/01/30-wsc-minutes.html#action02]
   [NEW] ACTION: tlr to send email to list regarding ISSUE-131 containing
   full text of new proposal, and will close out the issue [recorded in
   [31]http://www.w3.org/2008/01/30-wsc-minutes.html#action01]
   [NEW] ACTION: yngve to bring up generic techniques for trust root
   changeover [recorded in
   [32]http://www.w3.org/2008/01/30-wsc-minutes.html#action03]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [33]scribe.perl version 1.128
    ([34]CVS log)
    $Date: 2008/02/13 17:37:00 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0236.html
   3. http://www.w3.org/2008/01/30-wsc-irc
   4. http://www.w3.org/2008/01/30-wsc-minutes.html#agenda
   5. http://www.w3.org/2008/01/30-wsc-minutes.html#item01
   6. http://www.w3.org/2008/01/30-wsc-minutes.html#item02
   7. http://www.w3.org/2008/01/30-wsc-minutes.html#item03
   8. http://www.w3.org/2008/01/30-wsc-minutes.html#item04
   9. http://www.w3.org/2008/01/30-wsc-minutes.html#item05
  10. http://www.w3.org/2008/01/30-wsc-minutes.html#item06
  11. http://www.w3.org/2008/01/30-wsc-minutes.html#item07
  12. http://www.w3.org/2008/01/30-wsc-minutes.html#ActionSummary
  13. http://www.w3.org/2008/01/23-wsc-minutes.html
  14. http://www.w3.org/2006/WSC/drafts/note/Overview.html#scenarios
  15. http://www.w3.org/2006/WSC/track/actions/367
  16. http://www.w3.org/2006/WSC/track/issues/131
  17. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#techniques-robustness
  18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Dec/0116.html
  19. http://www.w3.org/2008/01/30-wsc-minutes.html#action01
  20. http://www.w3.org/2006/WSC/track/issues/130
  21. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0015.html
  22. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tls-across-devices
  23. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0015.html
  24. http://www.w3.org/2008/01/30-wsc-minutes.html#action02
  25. http://www.w3.org/2008/01/30-wsc-minutes.html#action03
  26. http://www.w3.org/2006/WSC/track/issues/114
  27. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#change-tls-state
  28. http://www.w3.org/2006/WSC/track/issues/129
  29. http://www.w3.org/2006/WSC/track/issues/129
  30. http://www.w3.org/2008/01/30-wsc-minutes.html#action02
  31. http://www.w3.org/2008/01/30-wsc-minutes.html#action01
  32. http://www.w3.org/2008/01/30-wsc-minutes.html#action03
  33. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  34. http://dev.w3.org/cvsweb/2002/scribe/

Received on Wednesday, 13 February 2008 17:39:24 UTC