- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 10 Jul 2008 09:22:42 -0400
- To: public-wsc-wg@w3.org
Minutes from our meeting on 2008-07-02 were approved and are
available online here:
http://www.w3.org/2008/07/02-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
02 Jul 2008
See also: [2]IRC log
Attendees
Present
MaryEllen_Zurko, Thomas, johnath, yngve, joesteele, Tyler,
+47.23.69.aaaa, jvkrey, dans, +1.312.660.aabb, anil
Regrets
BillD
Chair
Mez
Scribe
tlr
Contents
* [3]Topics
1. [4]Convene
2. [5]action items
3. [6]firefox 3.0 and conformance
* [7]Summary of Action Items
__________________________________________________________________
<trackbot> Date: 02 July 2008
<Mez> we need a scribe
Yngve or Johnath or
possibly myself
<Mez> can't be johnath; he's the talent for the meeting
so Yngve or me, I guess
<johnath> Mez: my nemesis:
[8]http://www.calphalon.com/calphalon/consumer/products/productGroup.jh
tml?catId=CLCat100485
<scribe> ScribeNick: tlr
Convene
all there
<Mez> [9]http://www.w3.org/2008/06/25-wsc-minutes.html
so apporved
action items
nothing spectacular
<Mez>
[10]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0101.html
ACTION-478?
<trackbot> ACTION-478 -- Joe Steele to pull together UT background on
7.1.1 robustness recommendation (shared secret) -- due 2008-07-17 --
PENDINGREVIEW
<trackbot> [11]http://www.w3.org/2006/WSC/track/actions/478
mez: ACTION-478 looks like it lacks activity
joe: yeah, that's fine; I'll do it anyway
firefox 3.0 and conformance
johnath: Is it the plan as a group to undertake conformance testing for
third party implementations?
... i.e., any interest in evaluating other browsers
tlr: careful, a bit, about conformance testing -- I'm not sure we're
getting to a test suite that exercises all possible states
... and enables conformance claims just based on a test suite ...
... the more the merrier, but we probably need less to get through CR
...
johnath: so, plans to third-party test other implementations?
mez: nobody has broached that topic yet
... I have vague and scary plans ...
... and i'll call it "implementation testing" in the future ...
<johnath> alert! The scribe is taking liberties!
<johnath>
[12]http://www.w3.org/2006/WSC/wiki/Firefox_3.0_Conformance_with_June_L
C
<johnath> section 6.4
johnath: seems like the best way is section by section
... 6.4.1 is tricky. We're kind of getting there, but it's a bit hard
... to make a clear assertion ...
... we don't do "solely in terms of art" ...
... do enable users to go back to prior state ...
... there''s always a back button ...
... not sure if there's subtlety implied
... think this is all fine with us ...
... error interactions should have advanced user option ...
... we're doing error codes for security errors ...
... so you can go and look them up in the big binder ....
... error code can be used to search for details, but we don't do
separate interaction
... for things like network timeouts, we don't do the precise error
codes ...
mez: error codes only for security?
johnath: not by policy, but that's what we done
... most of the other ones have distinctive titles ...
... but SEC_ERROR_SERIAL_NUMBER_REUSED ...
yngve: would like to mention that opera has sth similar
... more difficult to get to explanation
... for SSL errors, include TLS error code ...
... sometimes with additional information ...
... or flags ...
... useful to narrow down where the problematic code sits ...
... similarly, don't have these kinds of error codes on "can't connect
to server" and the like ...
johnath: seems like Opera's and FF's approaches are same.
... might be worth clarifying language ...
mez: admit imagining that as we go through CR, we'll grapple with those
issues
... don't mind grappling right away, though ...
... but not encouraging us to do this ...
johnath: 6.4.2 - status indicator is site identity button ...
... for some other stuff, non-modal indicators ...
... persist in primary chrome till interacted with ...
... think pop-up blocking ...
... check ...
... warning/caution ...
... quite a mouthful ...
... we don't say "caution" or "warning", but visual signals ...
... might not be conformant ...
... there's a MUST here that refers to words ...
... could be a point of non-conformance ...
... recommended option, we have ...
... often "try again"...
... for security, "get me out" - known safe page ..
... also "add exception" for an override ...
... not creating situation where only thing is to dismiss warning and
move on
... noted before that "danger" is easier than "caution". Odd.
... creates weird situation where "danger" is easier to conform with
than "warning"
... our security errors actually match this ...
... if cynical, would recast conformance in terms of "danger" ...
yngve: note that TLS has two levels of warning
... had possibility to open warning dialogues to ask whether continue
or not for a long time ...
... recently changed to fatal error for everything ...
... except for some fatal cases ...
... warning or fatal in the protocol ...
... server could say it's a warning, it's not fatal ...
... there are some cases on that, could send warning about not having
certificate ...
... in previous versions of SSL; TLS 1.0 changed that to sending empty
cert ...
... warning about closing connection (not passing to user) ...
... anything that's warning is really an error and treated as fatal ...
... reason for going fatal is that choices aren't usefully possible for
user
mez: odd that it falls out that way given concern about habituation
... maybe we need to take another look at this point ...
johnath: At any rate, 6.4.4 is really easier.
... 6.5, chrome reconfiguration
... yes, we have that ...
... except that there are add-ons ...
mez: add-ons, incredibly important
johnath: they can hook into "restore default" button
<joesteele> are the APIs those add-ons can use exposed to a webpage?
joe: These APIs.... exposed to web page?
johnath: no no no
... categorically, no ..
joe: install process?
johnath: exactly
... 7.1.1 - this sounds like security skins ...
... I needed to know background to understand it ...
... useful to say "e.g. security skins" ...
yngve: side remark - in some apps you can change user agent string in
HTTP ...
...
mez: would like to have a bit of experience with this kind of context
... are we going to see this tested with Opera?
... don't think we've anything direct, except you can skin opera ...
... no connection to user agent string or stuff like that ...
... if we have implementation experience, details interesting
... without any, difficult ...
yngve: of two minds about whether to mention possibility
... sort of implied,
mez: not sure this is going to make it if nobody implements
<MikeM> yngve: that chameleon agent string feature causes problems for
sites (like wellsfargo.com) that need to identify the browser for
security & other reasons.
johnath: walking further through spec
... visibility of chrome ...
... yes
... tabbed browsing and site identity button ...
... next one, padlock and mimicking ...
... people could use padlock as favicon ...
... we don't use icons to signal trust info ...
... add-on installation
... disable ok buttons in installation ...
... multi-step ui for certificate exceptions ...
... no synthetic button clicks from content ...]
s/content...
s/content...]//
johnath: we do prevent web content from hiding certain buttons
... also, moving / resizing windows in ways that would cause them to be
hidden...
... I'll claim that there's no way for content to override ...
... we do prevent window sizing and he like ...
... there's a bit in javascript, but not off the screen ...
... we don't allow web content to override security chrome ...
... re "overlay" - have titles in tab bar, don't overlay ...
johnath; software installation - request consent for add-on and plugin
install
scribe: don't do installation of software ouside the browser ..
... pre-consent ...
... trivially conformant here ...
... only thing I can think of -- if web site just tries to install
add-on, we block it ...
... you can chose to say that site is permitted to install add-on ...
... user interaction involved, not pre-consenting ...
... MAY on software install ...
... don't provide mechanisms for content to execute software
... in a direct fashion ..
... but hand off things to plugins or external handlers ...
... discussion of download manager ...
... some stuff that we don't do automatically ...
... 7.4.3 - no programmatic bookmarking ...
... don't do that, full stop ...
... second sentence here is weird, btw ..
... pop-up windows: do restrict ...
... permit pop-ups that *are* result of user interaction.
... we don't restrict them globally, though
johnath: most implementors will read this and understand what it's
getting at
... there's some ambiguity, but not very serious ...
mez: think we've got raw material to see where we'll have challenges in
CR
... we can now start looking at features at risk.
<Mez> [13]http://www.w3.org/2006/WSC/wiki/FeaturesAtRisk
mez: I'd love feed-back, but be scared, it's work in progress
<yngve> Maybe 7.4.4 should be rephrased to "SHOULD be careful", "SHOULD
control" opening of popups, or something similar, or as johnathan
suggested saying restrict to only those initiated by user interaction
tyler: add columns for add-ons?
mez: hopefully!
... anything where we don't even have a single implementation, will
give us pause
tyler: wait - two columns saying CI?
mez: I think this is going to be useful - any row that doesn't have two
implementations, can't be required
... should seriously consider whether we want MAY with no
implementation experience ...
... anything in a column that has "N" means we don't ahve single
implementation that would even start claiming that it might be
conforming ...
tyler: yngve -- does opera have an add-on API?
yngve; sorry, no
mez: think I'm clear on most things at this point, no double-checking
... that's it for this agenda item ...
... in terms of what's next -- should work on how to do testing ...
... unclear how to structure that discussion ...
... tlr - can you help?
tlr: I think anybody can go through implementation info for existing
RECs
... maybe UAAG -- and btw, regrets for next week
mez: umh.... maybe take a week off?
joe: also regrets
tlr: as a thought, you might want to talk about the idea of content
best practices
mez: number of topics
... to get us through July ..
yngve: btw, I'm on vacation most of August
mez: I had been warned that these things happen
... btw, appreciate some advance warning ...
Summary of Action Items
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [14]scribe.perl version 1.133
([15]CVS log)
$Date: 2008/07/10 13:21:58 $
References
1. http://www.w3.org/
2. http://www.w3.org/2008/07/02-wsc-irc
3. http://www.w3.org/2008/07/02-wsc-minutes.html#agenda
4. http://www.w3.org/2008/07/02-wsc-minutes.html#item01
5. http://www.w3.org/2008/07/02-wsc-minutes.html#item02
6. http://www.w3.org/2008/07/02-wsc-minutes.html#item03
7. http://www.w3.org/2008/07/02-wsc-minutes.html#ActionSummary
8. http://www.calphalon.com/calphalon/consumer/products/productGroup.jhtml?catId=CLCat100485
9. http://www.w3.org/2008/06/25-wsc-minutes.html
10. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0101.html
11. http://www.w3.org/2006/WSC/track/actions/478
12. http://www.w3.org/2006/WSC/wiki/Firefox_3.0_Conformance_with_June_LC
13. http://www.w3.org/2006/WSC/wiki/FeaturesAtRisk
14. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
15. http://dev.w3.org/cvsweb/2002/scribe/
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 10 July 2008 13:23:20 UTC