- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 6 Jun 2008 17:09:40 +0200
- To: public-wsc-wg@w3.org
Minutes from our meeting on 2008-05-07 were approved and are
available online here:
http://www.w3.org/2008/05/07-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
- DRAFT -
Web Security Context Working Group Teleconference
07 May 2008
See also: [2]IRC log
Attendees
Present
MaryEllen_Zurko, Bill_Doyle, johnath, jvkrey, ifette, Thomas,
yngve, joesteele, PHB, +1.708.524.aaaa, asaldhan
Regrets
Tim, H
Chair
SV_MEETING_CHAIR
Scribe
bill-d
Contents
* [3]Topics
* [4]Summary of Action Items
__________________________________________________________________
<trackbot-ng> Date: 07 May 2008
<Mez> [5]http://www.w3.org/2006/WSC/Group/cheatsheet#Scribing
<johnath> ScribeNick: bill-d
<Mez> [6]http://www.w3.org/2008/04/30-wsc-minutes.html
Mez: approve last meeting minutes
<Mez>
[7]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0001.html
Mez: open action items
... no issues pending
<scribe> ... closed items due to inactivity
tlr: is this item going to resurface?
... does phil need to take a second look
mez: agenda bashing, isue 133 what about that plug in stuff, 181 http -
http3, 183 automatic self signed, 190 relaxing relaxed path
<Mez>
[8]http://lists.w3.org/Archives/Member/member-wsc-wg/2008May/0000.html
mez: other issues are listed in f2f, if we have other issues should be
brought up now
<Mez> issue-133?
<trackbot-ng> ISSUE-133 -- How do our definition of Web Page and the
Robustiness section interact? -- OPEN
<trackbot-ng> [9]http://www.w3.org/2006/WSC/track/issues/133
mez: pick up on issue 133 plug in issues
... email from Joesteele on issue 133
<Mez>
[10]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0218.html
joesteele: definition of web page in regards to plug ins was to tight,
should be more general, second item answers question about robustness
and plugins interact
... existing security plugins, do they need to conform
mez: 133 may need more discussion and taken to f2f. original approach
was lowbar. at least should say plugins could undermine security model
of browsers
... and joe has raised questions and text questioning this practice.
... question is if the text is clear, crisp enough to change the set of
recomendations in terms of robustness and compliance
ifette: it is often not possible for browser to know what the plug-in
is doing. plugins can invalidate the IA model of browser and that is
what it is
<yngve> Opera includes all plugin requests through Netscape
<yngve> API (via browser) when evaluating security level for the
document.
joesteele: in regards to what yngve said, user agent may not know what
plugin is doing, but not sure if this should be the way plugins should
work.
<yngve> (That does not mean we are able to tell or include everything
the plugin does in the state)
joesteele: IE has a way to be notified and should the issue be raised.
looking at cardspace, cardspace greys out the background and security
details that may be present
<Mez> Mez' reply to Joe
<Mez>
[11]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0018.html
<Mez> Joe's mail:
<Mez>
[12]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0015.html
ifette: wsc may not be the place to suggest changes to the plugin api
<Zakim> Mez, you wanted to say I liked the idea of allowing plug ins to
be compliant
phb2: part of the plugin architecture should have the capability to not
IA details
mez: concept that joe brought forward that seemed agreeable was to note
how well behaved plugins met WSC guidance
joesteele: regard cardspace as an external system but triggered by
browser, are external systems part of WSC guidance, because they are
launched by the browser.
ifette: out of system text is in WSC text because of acrobat reader.all
of the processing is taken on by acroreader. same as windows media
player. browser is not informed of security status
<johnath> Mez: fwiw, I'm silent here because I'm thinking about it - I
will be in Oslo though, so I hope to have a considered opinion by then
:)
mez: if anyone has strong opinion on subject please take it on, request
from joesteele to make additional email comments and clarify via email
thread.
<Mez> issue-181?
<trackbot-ng> ISSUE-181 -- Should there be an authoring practice
suggesting http/https URI space consistency -- OPEN
<trackbot-ng> [13]http://www.w3.org/2006/WSC/track/issues/181
mez: on to issue 181
... http - https sharing same uri space, and consistent uri schem
<Zakim> ifette, you wanted to axe this text
mez: how users should get security context be obtained - available from
https / http
<yngve> [14]https://www.spv.no/
<Zakim> johnath, you wanted to probably agree with ifette, depending on
what he says
ifette: original though was http site, https site should be consistent
-
<ifette> +1
johnath: don't think we need standard language around how the uri
should be managed
<joesteele> +1
tlr: proposed handling for man in the middle attacks, looking for tyler
to further define how the issue should be defined
mez: move the issue to after june
... issue 181
<Mez> issue-183?
<trackbot-ng> ISSUE-183 -- Automatic Selfsigned Certificate
acceptance/probation MUST NOT be implemented unless there is a history
capability -- OPEN
<trackbot-ng> [15]http://www.w3.org/2006/WSC/track/issues/183
mez: on to issue 183 self signed certificate
... question on self signed certificates and pinning them
<Mez>
[16]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
tlr: 5.5.1 may support pinning through some interaction
... two choices user agent may use a notification that allows accept
cert with pinning
... may use notification or should - not must
mez: given how is stands a user agent could achieve conformance and
automatically accept self signed cert, - does this change to must?
tlr: change should to must to conform with yngve proposal
<joesteele> +q
mez: proposal to change 5.5.1 from should to must, does anyone object
joesteele: likes wording but had question may provide mechanisim to
pinning, can an automatic mechanism be in place that includes something
like a whitelist
johnath: cut them from your own ca and it will be trusted
tlr: language in 5.5.1 applies to self signed cert that does not lead
to a trusted root certificate.
... a technically self signed cert is validated, a degenerate case. the
locallly configured trust root is used by the server in the tls
transaction. noted as a poor practice
<tlr> ACTION: thomas to propose language for SSC section that covers
"locally configured trust anchor is actually shown by server" edge case
- due 2008-06-07 [recorded in
[17]http://www.w3.org/2008/05/07-wsc-minutes.html#action01]
<trackbot-ng> Created ACTION-427 - propose language for SSC section
that covers \"locally configured trust anchor is actually shown by
server\" edge case [on Thomas Roessler - due 2008-06-07].
yngve: a mechanism that the certificate has been used, accepted before
by the user
<Mez>
[18]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
mez: after clarification from yngve 5.5.1 tls error - change item 4
from should to must.
tlr: generic issue if error signaling for non interactive user agents
would be non compliant
<tlr> When this specification speaks of a "Web user agent" to describe
the application through which a user interacts with the Web, then this
term is used on a conceptual level: No assumption is made about
implementation details; the "Web user agent" may denote a combination
of several applications, extensions to such applications, operating
system features, and assistive technologies.
<tlr> That, to me, means that non-interactive user agents are simply
out of scope.
<tlr> (thinking about it for a moment more)
tlr: confused about non interactive user agent, wsc defines user agent
as interactive. and this may need additional clarification
... if we have another mechanism to determine if cert is trusted
joesteele: question on f the note is compete to define this issue
<Mez>
[19]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-ce
rtificates
<tlr>
[20]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-ce
rtificates
<Mez> so, joesteele, can you look at the reference and let us know if
you've got a case you think that doesn't cover?
yngve: going back to tlr comments on user interaction. where user has
set up prefetching
<Zakim> ifette, you wanted to talk to yngve's point abouit prefetching
yngve: user notes pages to be looked and and browser fills up cache
<tlr> yeah, just don't prefetch, but fetch in realtime
ifette: if client is prefetching, browser should not prefetch broken
http
<tlr> +1, but I think we don't have to talk about it
mez: on the table txt 183 change should to must
<ifette> 3
<Mez> A) first line [21]http://www.w3.org/2006/WSC/track/issues/183
<tlr> If a client is able to automatically accept a Selfsigned
Certificate, or recover from similar problem without user interaction,
it MUST NOT do so unless the client also have a history mechanism about
security information.
<Mez> B) change
[22]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
item 4. to MUST
<Mez> C) do nothing
<ifette> I vote C
<tlr> c
<joesteele> c
<Mez> Otherwise, user agents MUST use error signalling of class warning
or above (6.4.3 Warning/Caution Messages , 6.4.4 Danger Messages).
<Mez> zakim's who's here?
<yngve> B is acceptable
c
<tlr> errrrr
<tlr> wait a sec
<johnath> B
<tlr> B
b
<jvkrey> b
<ifette> C
<PHB2> b
<joesteele> C
<asaldhan> B
<johnath> cheese doesn't have the same throughput that mice do
<johnath> (indeed, cheese is famous for slowing urr... throughput)
<jvkrey> beer is typically 50NOK for 0.4 liter
<Mez> B: Yngve, Johnathan, TLR, Bill, Jan Vidar, PHB, Anil
<Mez> C: Ian, Joe
mez: option b, issue 183 item 4 change should to must
... on non interactive agents please further define
... request goes out to wsc wg
<Zakim> asaldhan, you wanted to ask that I need NOK
joesteele: concern is not so much about non interactive but locally
configured. the locally configured trust anchors and interaction with
unsigned certificates
tlr: assumption self signed certificate could be trust anchor and part
of the trust chain
... not always but sometimes can be trust anchor
mez: tlr will rewrite text, tlr and joesteele appear to be in agreement
<asaldhan> ACTION: asaldhan to incorporate above def to spec [recorded
in [23]http://www.w3.org/2008/05/07-wsc-minutes.html#action02]
<trackbot-ng> Created ACTION-428 - Incorporate above def to spec [on
Anil Saldhana - due 2008-05-14].
<Mez> issue-190?
<trackbot-ng> ISSUE-190 -- Relaxed Path Validation - optional,
recommended? -- OPEN
<trackbot-ng> [24]http://www.w3.org/2006/WSC/track/issues/190
mez: issue 190
ifette: had time to think about it, relaxed path validation, browsers
fine to handle certs in two different ways. but it could be confusing
if browsers can validate using differnet ways
<tlr>
[25]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-pathval
<tlr> When, for a TLS-protected HTTP connection, the certificate
presented is found to have been expired, error signalling of class
danger (6.4.4 Danger Messages) MUST be used. Note that user agents that
apply Relaxed Path Validation to non-AA certificates will never detect
this error condition for such certificates.
<Mez> as well as all of 5.4
tlr: text is in 5.5.1
<tlr>
[26]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-ce
rtificates
tlr: 5.1.3 may use relaxed validation
... as well as 5.1.2
<tlr> User agents MUST NOT use Relaxed Path Validation to validate
paths that lead to an AA-qualified trust root. Instead, Basic Path
Validation MUST be used.
<tlr> User agents MAY use Relaxed Path Validation for certificate paths
that chain up to a locally configured trust anchor which is not
AA-qualified.
tlr: question to ian - if we were to drop relaxed path validation what
is the message to user?
ifette: user should get a modal warning
tlr: warning - not danger, danger does not let the user through
mez: clarify error and warning messages
... as to what generates warnings / errors
<tlr> sorry
<tlr> danger is explicit for domain mismatch
<tlr> When the URL corresponding to the transaction at hand does not
match the certificate presented, and a validated certificate is used,
then error signalling of level danger(6.4.4 Danger Messages) MUST be
used.
PHB: starting to agree to punt the relaxed text
<ifette> ISSUE: Domain name mismatch should be a WARNING and not a
DANGER interaction
PHB: agree with ifette
tlr: would like to have a followup discussion, let it mature and take
it up at f2f
<yngve> Mez:
[27]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Apr/0039.html
tlr: continue on mailing list
<johnath> ifette: don't think trackbot-ng noticed that, for some reason
<yngve> Oslo Social at [28]http://www.sult.no/englishinformation.cfm
<johnath> oh, you've noticed that :)
tlr: next meeting is the f2f
... representitive from microsoft will be observing on second day
<ifette> I is only sometimes a vowel?
<ifette> :-)
<Mez> :-)
<Mez> wow, good question ian
<Zakim> asaldhan, you wanted to tlr
<asaldhan> Mez: ignore
<Mez> sorry
<Mez> maybe you can ping him on IRC
<asaldhan> Mez: that is what I am doing now. :)
<johnath> Mez: I forget, when do you get in again?
<asaldhan> johnath: I get in Sunday around 1pm
<Mez> Monday mid day; I'm not going to put in that extra day to frisk
about after all
<johnath> asaldhan: probably about the same for me - have to recheck
that itinerary
<ifette> I get in sunday around 5
<Mez> [29]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
<asaldhan> I had to book saturday as it was a difference of 700 dollars
<ifette> arrives OSL 4:35pKL
<ifette> KL1147 arrives 4:35p that is
<Mez> if you put it inthe wiki you only have to type it once :-)
<ifette> i didnt see a page on wiki for that
<jvkrey> monday is a public holiday in norway, so shops are closed, btw
<Mez> [30]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
<Mez> iane
<Mez> Ian
<Mez> that's the wiki
<Mez> page
<Mez> which I sent out in email
<Mez> [31]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
<asaldhan> I cannot edit it
<asaldhan> how do I edit it?
<Mez> have you ever edited the wiki?
<asaldhan> yes
<Mez> did you ever get your name on the ACL t
<Mez> ?
<Mez> then it's just like that
<asaldhan> I do not think it is on the acl
<Mez> see Edit(Text) at the bottom?
<Mez> if not, check with tlr about the acl
<asaldhan> ok
<asaldhan> pinging tlr
what has to happen to scribe notes?
Summary of Action Items
[NEW] ACTION: asaldhan to incorporate above def to spec [recorded in
[32]http://www.w3.org/2008/05/07-wsc-minutes.html#action02]
[NEW] ACTION: thomas to propose language for SSC section that covers
"locally configured trust anchor is actually shown by server" edge case
- due 2008-06-07 [recorded in
[33]http://www.w3.org/2008/05/07-wsc-minutes.html#action01]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [34]scribe.perl version 1.133
([35]CVS log)
$Date: 2008/05/07 16:47:21 $
__________________________________________________________________
Scribe.perl diagnostic output
[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.133 of Date: 2008/01/18 18:48:51
Check for newer version at [36]http://dev.w3.org/cvsweb/~checkout~/2002/scribe/
Guessing input format: RRSAgent_Text_Format (score 1.00)
Found ScribeNick: bill-d
Inferring Scribes: bill-d
WARNING: No "Topic:" lines found.
Default Present: MaryEllen_Zurko, Bill_Doyle, johnath, jvkrey, ifette, Thomas, y
ngve, joesteele, PHB, +1.708.524.aaaa, asaldhan
Present: MaryEllen_Zurko Bill_Doyle johnath jvkrey ifette Thomas yngve joesteele
PHB +1.708.524.aaaa asaldhan
Regrets: Tim H
WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth
Found Date: 07 May 2008
Guessing minutes URL: [37]http://www.w3.org/2008/05/07-wsc-minutes.html
People with action items: asaldhan thomas
WARNING: No "Topic: ..." lines found!
Resulting HTML may have an empty (invalid) <ol>...</ol>.
Explanation: "Topic: ..." lines are used to indicate the start of
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report
[End of [38]scribe.perl diagnostic output]
References
1. http://www.w3.org/
2. http://www.w3.org/2008/05/07-wsc-irc
3. http://www.w3.org/2008/05/07-wsc-minutes.html#agenda
4. http://www.w3.org/2008/05/07-wsc-minutes.html#ActionSummary
5. http://www.w3.org/2006/WSC/Group/cheatsheet#Scribing
6. http://www.w3.org/2008/04/30-wsc-minutes.html
7. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0001.html
8. http://lists.w3.org/Archives/Member/member-wsc-wg/2008May/0000.html
9. http://www.w3.org/2006/WSC/track/issues/133
10. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0218.html
11. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0018.html
12. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0015.html
13. http://www.w3.org/2006/WSC/track/issues/181
14. https://www.spv.no/
15. http://www.w3.org/2006/WSC/track/issues/183
16. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
17. http://www.w3.org/2008/05/07-wsc-minutes.html#action01
18. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
19. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-certificates
20. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-certificates
21. http://www.w3.org/2006/WSC/track/issues/183
22. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-tlserrors
23. http://www.w3.org/2008/05/07-wsc-minutes.html#action02
24. http://www.w3.org/2006/WSC/track/issues/190
25. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-pathval
26. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-validated-certificates
27. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Apr/0039.html
28. http://www.sult.no/englishinformation.cfm
29. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
30. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
31. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
32. http://www.w3.org/2008/05/07-wsc-minutes.html#action02
33. http://www.w3.org/2008/05/07-wsc-minutes.html#action01
34. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
35. http://dev.w3.org/cvsweb/2002/scribe/
36. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/
37. http://www.w3.org/2008/05/07-wsc-minutes.html
38. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 6 June 2008 15:10:16 UTC