- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 4 Jul 2008 09:36:39 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2008-06-18 were approved and are
available online here:
http://www.w3.org/2008/06/18-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
Web Security Context Working Group Teleconference
18 Jun 2008
See also: [2]IRC log
Attendees
Present
Tyler, yngve, MaryEllen_Zurko, +1.905.495.aaaa, johnath, Thomas,
joesteele, +1.708.524.aabb, anil, Bill_Doyle, ifette
Regrets
Jan_Vidar_K, Dan_S, Serge_E
Chair
SV_MEETING_CHAIR
Scribe
Tyler
Contents
* [3]Topics
* [4]Summary of Action Items
__________________________________________________________________
<trackbot> Date: 18 June 2008
<johnath> Mez: still no word from the a/c guy which means, I suspect,
that he'll be hitting the late end of the window. So maybe that means
I'll be screwed, or maybe it means he won't show, and I'll be on the
call... sorry I don't have something more definite
<Mez> np; tx for the update. As I said, we'll get through the LC
discussion, and if you're not there then, call it a day.
<Mez> hi folks
<Mez> we'll just riff here a bit til tlr comes on and finds us a scribe
<johnath> Mez: still waiting!
<anil> I cannot scribe today
<anil> tomorrow.
<anil> sorry, next week
<tlr> Scribe: Tyler
<Mez> [5]http://www.w3.org/2008/06/11-wsc-minutes.html
mez: minutes approved!
<Mez>
[6]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0063.html
johnath: I also took an action on mixed images?
... Firefox 3.0 not conformant
mez: ACTION-479 closed due to inactivity
<joesteele> +q
<joesteele> -q
<tlr> ACTION-484: Firefox will probably fix this point in a point
release some time soon
<trackbot> ACTION-484 Figure out whether mixed mode conformance claims
are accurate for images notes added
mez: soliciting agenda items
<Mez> [7]http://www.w3.org/2006/WSC/track/products/4
mez: none, so going to "taking wsc-xit to last call"
... I think it's ready
... let's find out what the group thinks
... all open issues against wsc-xit are ready to be closed
<Mez>
[8]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0075.html
mez: Any issues with closing these issues?
<Mez> [9]http://www.w3.org/2006/WSC/track/actions/457
<tlr> +1
mez: Would like a completion for ACTION-457, but don't think it's a
blocker for Last Call
<Mez> [10]http://www.w3.org/2006/WSC/track/actions/458
<Mez> [11]http://www.w3.org/2006/WSC/track/actions/462
<johnath> +1 editorial, though I will be interested to see the output
of 458
mez: ACTION-458 and ACTION-462 are document maintenance issues, like
linking the first definition of a term
... hope these get done by the Last Call
<Mez> [12]http://www.w3.org/2006/WSC/track/actions/466
mez: ACTION-466 was addressed at the f2f...
<Mez> [13]http://www.w3.org/2006/WSC/track/actions/478
<joesteele> +1
mez: there was talk of being able to do more, but I think the current
status is good enough
<johnath> works for me
mez: Moving on to the second half of Thomas' email...
<Mez>
[14]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0046.html
<Mez>
[15]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0050.html
mez: everyone should read the conformance section
<Mez>
[16]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0069.html
<Mez>
[17]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0068.html
<Mez>
[18]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#security-considerations-ev-dv
mez: text around EV and DV was updated and discussed on the mailing
list
... last issue is on the document title...
<Mez> Security User Interface Guidelines
<Mez> Web Security Context: User Interface Guidelines
mez: we have two proposals by Thomas...
... might also want to update the short name
... Any opinions or should we let Thomas choose
<joesteele> #2 +1
<johnath> #2 +1
<tlr> I prefer #2 as well
anil: I love the term 'xit'...
... don't like Thomas' suggestions
tlr: Can't remember what our short name means, often have to explain it
when using the term in conversation
<Mez> I like #2
<Mez> ok, we can take a straw poll
<Mez> A) Security User Interface Guidelines
<Mez> B) Web Security Context: User Interface Guidelines
tlr: would like a mnemonic name, leaning towards the second option for
a title
<Mez> B) Web Security Context: User Interface Guidelines
yngve: Guidelines for user interface GUI
<Mez> C) Web Security Context: Experience, Indicators, and Trust
yngve: perhaps too much emphasis on graphical, which could cause
problems
<Mez> D) Web Security Context: Guidelines for User Interface
mez: We now have four options...
<Mez> A) Security User Interface Guidelines
mez: no support for A) yet
<Mez> B) Web Security Context: User Interface Guidelines
<Mez> C) Web Security Context: Experience, Indicators, and Trust
<Mez> D) Web Security Context: Guidelines for User Interface
<johnath> B
<joesteele> B
<yngve> D
<tlr> b
<Tyler> b
<johnath> B (with the possible short-name wsc-ui since that's still
accurate, and shorter - but B either way)
<anil> c
<johnath> :)
mez: B looks like the majority vote
<Mez> wsc-ui
<tlr> fine with me
<Mez> wsc-uig
<Mez> wsc-xit
johnathan: wsc-ui
<johnath> tyler: :)
<tlr> +1 to johnath, then
<joesteele> +1 to wsc-ui
mez: any problems changing the short name
tlr: maybe, but probably not, I'll look into it
<scribe> ACTION: Change short name to wsc-ui [recorded in
[19]http://www.w3.org/2008/06/18-wsc-minutes.html#action01]
<trackbot> Sorry, couldn't find user - Change
<tlr> RESOLUTION: New title: Web Security Context: User Interface
Guidelines; new shortname: wsc-ui
<scribe> ACTION: tlr to change short name from wsc-xit to wsc-ui
[recorded in
[20]http://www.w3.org/2008/06/18-wsc-minutes.html#action02]
<trackbot> Created ACTION-488 - Change short name from wsc-xit to
wsc-ui [on Thomas Roessler - due 2008-06-25].
<tlr> PROPOSED: To take the newly-named wsc-ui to last call
<johnath> +1 to LC
<johnath> push the button!
mez: resolved!
<tlr> RESOLVED: To take wsc-ui to last call
<tlr> ACTION: thomas to take care of publication of wsc-ui as Last Call
WD [recorded in
[21]http://www.w3.org/2008/06/18-wsc-minutes.html#action03]
<trackbot> Created ACTION-489 - Take care of publication of wsc-ui as
Last Call WD [on Thomas Roessler - due 2008-06-25].
<tlr> trackbot, close action-488
<trackbot> ACTION-488 Change short name from wsc-xit to wsc-ui closed
tlr: going to talk to W3C management to get an extension to do last
call
... we should figure out how much time we need to do last call, taking
into account vacation time
... anything that ends before mid-September is a bad idea
... Europeans vacation in August, Americans in July
... This puts CR in October
... TPAC in October
mez: CR in October seems aggressive
... integrating feedback takes time
... accessibility comments can be copious
... just sorting through them takes a lot of time
<johnath> happy birthday, ifette
mez: I think we should aim CR for November
<ifette> thx :-)
tlr: a 9 month extension seems needed
mez: what about testing?
tlr: CR can take one to several months
... we could ask for a year, for more follow through on the rec
mez: we are looking to get 2 UA implementations
... usability testing is still a big issue
... and it's time consuming to schedule and do
... we're claiming this stuff is usable and not testing it is wrong
... need to have this conversation when our testing people are here
<johnath> (tyler, I'll scribe you)
<johnath> tyler: it almost sounds like you're saying that continuing
requires the participation of active user interface testers
<johnath> ... should we have that before applying for an extension
<johnath> Mez: I think we should go for the extension
<joesteele> +q
joesteele: Parts of the spec have no planned implementation
<tlr> "feature at risk"
mez: anything that doesn't have 2 implementations can't be a MUST
... SHOULD and MAYs don't have any hard and fast rules
... I'm uncomfortable with under-implemented SHOULDs
... some of our SHOULDs are fallback positions for implementations that
don't do what we really think they should do
... hard to get implementations for these SHOULDs
tlr: think we need 2 impls for SHOULD
... can drop things in CR
... can use this as a stick for encouraging more implementation
... some things may very well be dropped
... the terminology here is "feature at risk"
... CR-entry section?
mez: Any other issues around going to LC?
... I'm super-excited and pleased
... Can we do the Firefox walk through?
johnath: yes
<Mez>
[22]http://www.w3.org/2006/WSC/wiki/Firefox_3.0_Conformance_with_June_LC
mez: Picking up on 6.1.2
johnath: We meet 6.1.2
... no petnames
... site Identity Button is used to communicate human-readable info
... no logotypes
... these are MAYs
... site info for EV gives both org name and domain name
... otherwise only the domain name
... conform with next two bullets
... we have no positive indicators on mixed content pages
mez: it looks like Firefox is making Conformance level 1
johnath: Yes, we're targeting Conformance level 1
... we do most of the SHOULDs though
mez: I've also been focused mostly on the MUSTs
<Mez> tyler: if the browser has two tabs, same domain name, one mixed,
the other not
<Mez> ... security display for 2nd affected?
<Mez> johnath: if present multiple web pages, security indicators rules
applied to current one
<Mez> ... all refer to currently displayed tab
<Mez> tyler: colin jackson doing attacks taking advantage of this
<Mez> ... if mixed doesn't have pos indicators, then same origin allows
attacker to infect other pages loaded
<Mez> ... have positive indicators displayed despite infection
<Mez> johnath: talking with FF mountain view folks
<Mez> ... could be a bug if it undermines indicators
<Mez> tyler: if undermine a page on that domain, can script any frames
from that domain
<Mez> johnath: find surprising you can go to other tabs
<Mez> ... must be talking to content guys
johnath: next section may pose problems with SHOULDs
... we make a big deal about how you can always get to page info
... to address this section
... always the same UI action
... we conform with these MUSTs
... we only make the status check available implicitly
... not currently conforming with this SHOULD
... we don't know how to make it user understandable
... we only alert when the status check fails
<Mez> tyler: having difficulty expressing going on to user
<Mez> ... must have some language for these concepts in the negative
<Mez> johnath: can be done in principle
<Mez> ... warning fatigue - concern about adding ui that's only
informing in alarm case
<Mez> ... at alarm time, the experience is different qualitatively
<Mez> ... not sure what the value for users is when it's not interesting
<Mez> ... maybe when know ocsps vs crls
<Mez> ... technical details
<Mez> ... a bit of a battle to consider
<Mez> tyler: thinking not aimed at lone end user
<Mez> ... more for user with tech support
<Mez> johnath: interesting; not the way we treat page info now
<Mez> ... laden with tech info before; something that people can
actually use now
<Mez> ... boasting that reports how often been to a site
<Mez> ... contextual information from dialog
<Mez> ... could imagine tech support interface as well
yngve: At the moment, we're not failing page loading on failed OCSP
lookup
... we tried it, but things were too unstable
... looking ahead it may become of interest
johnath: we also don't require the OCSP lookup, since these servers are
not reliable
... the results are also unpredictable for the same server over short
time spans
yngve: we have also seen bad responses, not just lack of connectivity
... 2 major CAs are using an OCSP responder that doesn't support POST
requests
johnath: we don't show whether or not credentials have been sent
... think it's hard to know this information reliably
... we do show whether or not the user has a stored password for the
site
<Mez> "Whether the site content was authenticated."
johnath: we interpreted "authenticated" as referring to the identity
info in the cert
... we were unsure if this is the correct interpretation
... we are not doing logotypes and the rest of the spec makes it
optional, but this next bullet leaves that ambiguous
... we don't conform with the SHOULD language as written. Was surprised
by the wording
mez: we should review the logotypes issue as one big issue. it may be a
feature at risk
johnath: Now looking at the MAY section
... we've got a history UI that does these
... but it's not part of the security UI
... No claims about tracking, but we do make a comment about cookies
mez: onto 6.3
johnath: site identity button meets these requirements
... I love the consistent UI requirement. The site button is always
accessible the same way.
... we also conform with rest of 6.3
... 6.4 is pretty complicated
... some more discussion to be had on 6.4
<tlr> regrets from me for next week
mez: let's leave this to another telecon
... opera, should we move over to your review
yngve: we've got a guy working on it, but he's overloaded
... he's planning on doing it
... I'm here for the next telecon
mez: great, we'll plan on covering the Opera info
<tlr> "coffee, nothing else"
<tlr> adjourned
mez: see you all next week
Summary of Action Items
[NEW] ACTION: Change short name to wsc-ui [recorded in
[23]http://www.w3.org/2008/06/18-wsc-minutes.html#action01]
[NEW] ACTION: thomas to take care of publication of wsc-ui as Last Call
WD [recorded in
[24]http://www.w3.org/2008/06/18-wsc-minutes.html#action03]
[NEW] ACTION: tlr to change short name from wsc-xit to wsc-ui [recorded
in [25]http://www.w3.org/2008/06/18-wsc-minutes.html#action02]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [26]scribe.perl version 1.133
([27]CVS log)
$Date: 2008/07/04 07:36:17 $
References
1. http://www.w3.org/
2. http://www.w3.org/2008/06/18-wsc-irc
3. http://www.w3.org/2008/06/18-wsc-minutes.html#agenda
4. http://www.w3.org/2008/06/18-wsc-minutes.html#ActionSummary
5. http://www.w3.org/2008/06/11-wsc-minutes.html
6. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0063.html
7. http://www.w3.org/2006/WSC/track/products/4
8. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0075.html
9. http://www.w3.org/2006/WSC/track/actions/457
10. http://www.w3.org/2006/WSC/track/actions/458
11. http://www.w3.org/2006/WSC/track/actions/462
12. http://www.w3.org/2006/WSC/track/actions/466
13. http://www.w3.org/2006/WSC/track/actions/478
14. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0046.html
15. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0050.html
16. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0069.html
17. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0068.html
18. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#security-considerations-ev-dv
19. http://www.w3.org/2008/06/18-wsc-minutes.html#action01
20. http://www.w3.org/2008/06/18-wsc-minutes.html#action02
21. http://www.w3.org/2008/06/18-wsc-minutes.html#action03
22. http://www.w3.org/2006/WSC/wiki/Firefox_3.0_Conformance_with_June_LC
23. http://www.w3.org/2008/06/18-wsc-minutes.html#action01
24. http://www.w3.org/2008/06/18-wsc-minutes.html#action03
25. http://www.w3.org/2008/06/18-wsc-minutes.html#action02
26. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
27. http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 4 July 2008 07:37:16 UTC