Dealing with deciding about the SCE section in terms of June LC from Mary Ellen Zurko on 2008-02-22 (public-wsc-wg@w3.org from February 2008)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 22 Feb 2008 09:38:47 -0500
To: public-wsc-wg@w3.org
Message-ID: <OF2C1C81FA.89D109DC-ON852573F7.004AB8EA-852573F7.00507540@LocalDomain>
We have only one section (with rfc2119 normative text) that we haven't 
made substantial progress on towards what (if anything) will be in the 
version that's ready for LC in June; the security confidence estimate 
section. 

Here is the current text:
http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#page-score

The sense of the WG at the f2f was that something like SCE was desirable 
(some of us interpreted "something like SCE" to be anything between the 
current SCE text and the current padlock or SSL indicator practice). 

At next week's meeting, we're going to view proposals for (something like) 
SCE. We agreed that each proposal needs:
1) the RFC 2119 normative text
2) an (example) algorithm (if the existance is implied by #1)
3) a low fi prototype (anywhere from a picture representing a specific 
example, to a few pictures representing a few example states, or beyond). 
4) the point of the proposal (what are we trying to communicate to the 
user, or otherwise accomplish)

We don't usually have a web conf, so proposals need to be sent to the team 
by this Tuesday (11:59pm Hawaii time). That won't give everyone a chance 
to look them over; that's what we'll do in the meeting. I will be 
attempting to provide a web conf for this; I'll send connection 
information out on our members only list. 

It's not clear to me we have any proposal that covers all the required 
items (though I suspect only a slight amount of effort would produce one 
for the current text; as Martiza says, an hour or so of someone's time). 
As I've said several times, I want us to explicitly consider what (if 
anything) we have to say about currently SSL indicators. In that spirit, 
my proposal for (something like) SCE follows.

Title: TLS Indicator

[I'm using the current verson of xit as a reference. Items removed from 
that version for LC will also be removed from this proposal.]

1) normative text. 

Change 6.1.1 to refer to both Identity Signal and TLS indicator, for all 
normative text. Here's what it looks like when changed that way:
_______________________________
Web user agents MUST make information about the [[identity]] of the Web 
site that a user interacts with and the state of TLS protection available. 
The [Definition: [[identity signal]] ]  and [defn TLS indicator] SHOULD be 
part of primary user interface during usage modes which entail the 
presence of signalling to the user beyond only presenting page content. 
Otherwise, they MUST at least be available through secondary user 
interface. Note that there may be usage modes during which this 
requirement does not apply: For example, a Web browser which is 
interactively switched into a no-chrome, full-screen presentation mode 
need not preserve any security indicators in primary user interface.
User interactions to access this identity signal or the TLS indicator MUST 
be consistent across all Web interactions. This includes interactions 
during which the Web user agent has no trustworthy information about the 
[[identity]] of the Web site that a user interacts with, and when TLS has 
not been used to protect those interactions. In the former case, user 
agents SHOULD indicate that no information is available. In the latter 
case, they SHOULD indicate the interaction was not TLS protected. 
User agents with a visual user interface that make the identity signal and 
TLS indicator available in primary user interface SHOULD do so in a 
consistent visual position.
_______________________________

This is the part that has to change, since I don't remember what we 
decided with strong/weak. 

TLS Indicator

The TLS indicator MUST present a state this is only for strongly TLS 
protected pages. The TLS indicator SHOULD differentiate between a page 
that is  weakly TLS-protected, and one that has no TLS protection at all. 


2) I do not believe an algoriithm is needed for this, as I'm using 
definitions from xit. But let me know asap if one is. There is some 
fuzziness in the current definitions, since it allows for other, optional 
states that would map to weakly TLS protected besides weak crypto 
algorithms, use of DH_anon, and non validated certs. 

3) Here's the part that should inspire others, as I am seriously lame at 
lo fi prototyping. 



4) To communicate to a user who already understands something about TLS 
(that it provides protection against active on the wire attacks) and who 
is motivated to check for an indicator for whether or not TLS is doing so, 
whether or not TLS is in fact protecting against active on the wire 
attacks.
Attachments

application/octet-stream attachment: scepadlock.ppt
Received on Friday, 22 February 2008 14:39:23 UTC