W3C home > Mailing lists > Public > public-wsc-wg@w3.org > June 2008

Meeting record: 2008-05-14

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 6 Jun 2008 17:09:50 +0200
To: public-wsc-wg@w3.org
Message-ID: <20080606150950.GA35780@iCoaster.does-not-exist.org>

Minutes from our meeting on 2008-05-14 were approved and are
available online here:

   http://www.w3.org/2008/05/14-wsc-minutes.html

A text version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C

                              WSC WG face to face

14 May 2008

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Mary Ellen Zurko, Ian Fette, Johnathan Nightingale, Joe Steele,
          Jan Vidar Krey, Anil Saldhana, Thomas Roessler, Yngve Pettersen,
          Phillip Hallam-Baker, Luis Barriga, Maritza Johnson, Claudio
          Santambrogio

   Regrets
   Chair
          Mez

   Scribe
          luis, ifette, csant, johnath

Contents

     * [4]Topics
         1. [5]agenda bashing
         2. [6]Issue 200
         3. [7]ISSUE-133
         4. [8]ISSUE-169
         5. [9]ISSUE-203
         6. [10]ISSUE-212
         7. [11]Issue-206
         8. [12]ISSUE-199
         9. [13]Appendix Removal
     * [14]Summary of Action Items
     __________________________________________________________________

   <jvkrey> ScribeNick: luis

   Mez: admin started
   ... two new persons in meeting: Tom & Claudio

   Claudio from Opera and Tom from Microsoft

   scribe: Tom is an observer

agenda bashing

   Mez: (around the table)
   ... yesterday we left in issue 200
   ... also commments from the team
   ... plugin
   ... 169 still on hold
   ... 199 also wait
   ... where we are on the way to last call
   ... not too bad
   ... now, what happens after june

   <tlr>
   [15]http://lists.w3.org/Archives/Member/member-wsc-wg/2008May/0004.html

Issue 200

   <Mez> issue-200?

   <trackbot-ng> ISSUE-200 -- Should an AA security indication include all
   elements in the evaluation, or just the top document -- OPEN

   <trackbot-ng> [16]http://www.w3.org/2006/WSC/track/issues/200

   <joesteele> Is ISSUE-183 still OPEN?

   <Mez> let me look

   <Mez> would still be open if not executed

   <Mez> joe

   <jvkrey> ISSUE-183?

   <trackbot-ng> ISSUE-183 -- Automatic Selfsigned Certificate
   acceptance/probation MUST NOT be implemented unless there is a history
   capability -- OPEN

   <trackbot-ng> [17]http://www.w3.org/2006/WSC/track/issues/183

   <Mez> joe, have any issue other than client vs ua on that one? I sent
   you email; I think that's just an editorial change, and Luis pointed
   that out as well in his editorial changes.

   NOTE: (waiting for Yngve to resume meeting)

   <joesteele> yes --

   joesteele: an issue on email
   ... signalling with notification for pinning
   ... signalling with danger

   <Mez>
   [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0033.html

   joesteele: the decision was made and unclear why just warning

   tlr: clarification behind rationale ...
   ... risk with man in the middle attacks
   ... if user hasn't visited that site before
   ... though users would click yes anyway
   ... so the situation would not be worse than today
   ... changing from notification to warning ...
   ... is an idea

   joesteele: still concerns
   ... user gets a SSC notification and would pin it
   ... and next time he would not see the notification

   johnath: understand the concern

   tlr: concern is that there is no explicit interaction

   Mez: back to ISSUE-200
   ... comparing pure AA vs relaxing to strongly protected with validated
   ... arguing is over?
   ... voting

   <johnath> proposal 1: "A user agent that can display an AA indicator
   MUST NOT display this indicator unless all elements of the page are
   loaded from servers presenting an AA certificate."

   <johnath> proposal 2: "A user agent that can display an AA indicator
   MUST NOT display this indicator unless all elements of the page are
   loaded from servers presenting a validated certificate, over strongly
   protected TLS connections."

   <Mez> A) 1

   <Mez> B) 2

   <Mez> C) do nothing

   <Mez> D) abstain

   <ifette> I vote B

   <yngve> A

   <ifette> I vote B

   <johnath> B

   <luis> B

   <PHB2> b

   <joesteele> A

   <anil> b

   <csant> A

   <jvkrey> a

   <Mez> d

   <tlr> d

   <Mez> A yngve, joesteele, csant, jvkrey - 4

   <Mez> B ifette, johanth, luis, phb, anil - 5

   <Mez> D mez, tlr - 2

   ifette: strawpoll or vote?

   Mez: vote

   ifette: vote per organization or per participant

   <tlr>
   [19]http://www.w3.org/2005/10/Process-20051014/policies.html#Votes

   tlr: reading something
   ... in order to vote to resolve a substantive issue, an individual MUST
   be a group participant in Good Standing. Each organization represented
   in the group MUST have at most one vote, even when the organization is
   represented by several participants in the group (including Invited
   Experts)

   <johnath> ifette: second para answers your question

   <johnath> as luis has just pasted! :)

   ifette: motivating his preference

   tlr: a domain validation is not fully secured
   ... if there is assumption on domain validation
   ... attacker can get hold of "validated" certs

   johnath: why is that different than EV (AA) certs?
   ... the domain validation in AA is like validated certs
   ... in either case the pointer is to a domain

   PHB: EV is for shopping, banking ...
   ... extending to content ...
   ... CA issues certs chaining up to the domain, not to the root

   <Zakim> ifette, you wanted to say that this would hurt adoption, as if
   we require this, nobody will buy ev certs because so long as their ads
   and google-analytics dont use ev theres no

   ifette: most browsers would yank from the root
   ... those not doing proper validation
   ... EV adoption would be blocked if all resources must be EV

   johnath: agrees, no one would bother to deploy EV

   yngve: mixing EV and non-EV may reduce trust onEV

   johnath: it's risky in either way ...

   Mez: what's the risk when mixing content
   ... what would work in one case and not in the other?

   PHB: Paypal has only EV certs

   yngve: not for Paypal objects

   johnath: BA would be a good example how EV would apply

   PHB: worried on SSL pages containing non-SSL parts

   johnath: where to draw the line?

   Tom: agrees with johnath
   ... its the top level page that assurance is given on

   Mez: this is imporant to cover

   <Zakim> anil, you wanted to say that I feel that the top level
   assurance is not sufficient

   Mez: majority vote is needed

   anil: recaping on top-level assurance
   ... though XSS is a risk that EV doesn't provide assurance on

   <johnath> *correction - Tom: ...its the top level page that assurance
   is given, as long as all subelements are delivered over secured,
   validated connections

   yngve: concern that ads and so on. Payment process is not un EV

   luis: (thnx johnath)

   johnath: example with Paypal with EV giving assurance that the Visa
   resource is trusted

   Mez: continues with the process

   anil: what about redirect to other site

   <anil> anil: during payment process on EV-certified site

   ifette: the SCI for EV would be shown only for the EV site
   ... if the redirected site is not EV, there the SCI would not be shown

   anil: something needs to be written in best practices

   Mez: everybody is in good standing
   ... reading the rules
   ... no invited experts

   <johnath> proposal 1: "A user agent that can display an AA indicator
   MUST NOT display this indicator unless all elements of the page are
   loaded from servers presenting an AA certificate."

   <johnath> proposal 2: "A user agent that can display an AA indicator
   MUST NOT display this indicator unless all elements of the page are
   loaded from servers presenting a validated certificate, over strongly
   protected TLS connections."

   <johnath> A) 1

   <johnath> B) 2

   <johnath> C) No change

   <johnath> D) Abstain

   <yngve> A

   <luis> B

   <johnath> B

   <ifette> Google votes B

   <anil> RedHat votes B

   <Mez> IBM votes B

   <PHB2> VeriSign votes B

   <joesteele> B

   <tlr> I'd love to drop a "concur" ;-)

   scribe: 7 B's and 1 A

   <tlr> RESOLVED: Proposal 2 is adopted

   scribe: anil to update draft

ISSUE-133

   <Mez> issue-133?

   <trackbot-ng> ISSUE-133 -- How do our definition of Web Page and the
   Robustiness section interact? -- OPEN

   <trackbot-ng> [20]http://www.w3.org/2006/WSC/track/issues/133

   <johnath> ACTION: anil to update section 5.3 to include proposal 2 text
   [recorded in
   [21]http://www.w3.org/2008/05/14-wsc-minutes.html#action01]

   <trackbot-ng> Created ACTION-450 - Update section 5.3 to include
   proposal 2 text [on Anil Saldhana - due 2008-05-21].

   <johnath> Mez's text:
   [22]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0049.html

   <Mez>
   [23]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0055.html

   js23: proposing is an addition is a cross reference
   ... pointing back to this section

   Mez: formal MUST, SHOULD MAY were not used but natural language on
   purpose

   <Zakim> johnath, you wanted to ask about conformance nature of mez'
   language

   Mez: can you provide an example on back reference

   johnath: language is not normative and that's OK

   Mez: unclear what type of extensions we were supposed to consider
   ... for conformance

   tlr: two worries. last sentence sounds like requirement for conformance
   ... proposing change with specific UA
   ... rather than being generic
   ... instead of testing conformance >> claiming conformance
   ... 2nd worry: all this reads a fine list what an extension would do to
   claim conformance
   ... proposing text and shuffling for claiming conformance to capture
   attention

   <joesteele> Mez -- is this what you had in mind? Plugin, extensions and
   external systems which interact with the browser should pay careful
   attention to avoid degrading the user agents conformance to this
   section.

   <johnath> +1 to the proposal as-is, with joe's text additions in the
   obvious places

   Mez: which section?

   <johnath> (as-is with tlr's edits)

   Mez: 5 , 6 & 7?

   <ifette> -1 as well

   <ifette> (to shoving in the back references scattered about the
   document)

   tlr: better in the front of the spec rather than back reference

   jonahth: make forward references

   <Mez> here's the edited version from tlr's comments

   jonahth: no need for back ref's

   Mez: propose to put it in ??

   tlr: thinking would be section 3

   <Mez> swap 3 and 4 sez tlr

   tlr: prefer everything in one place

   johnath: interpreting Mez's that she wants in current section 4

   tlr: discussion what's in 3 and 4 and agree
   ... what's on each

   <Mez> A) add that paragraph after the other paragraphs on user agent
   and web page

   <Mez> b) don't

   <Mez> c) abstain

   <tlr> a, with some editorial discretion

   <ifette> a

   <johnath> I believe the thing we're voting on is Mez's changes + tlr
   edits, without backreferences from later sections - wherever tlr wants
   to put them

   <jvkrey> a

   <johnath> A

   <joesteele> a

   <luis> A

   <PHB2> a

   <csant> a

   <yngve> A

   <anil> a

   <Mez> c

   <johnath> ACTION: tlr to add extension text to section 4.1, and
   possibly merge/reorg sections 3 and 4 [recorded in
   [24]http://www.w3.org/2008/05/14-wsc-minutes.html#action02]

   <trackbot-ng> Created ACTION-451 - Add extension text to section 4.1,
   and possibly merge/reorg sections 3 and 4 [on Thomas Roessler - due
   2008-05-21].

   <Mez> 31 minutes break

   <Mez> back on the hour

   <Mez>
   [25]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0056.html

   <johnath>
   [26]http://www.flickr.com/photos/matthewj/sets/72157604988911230/

   <PHB2> heellllooooooooooooo

   <johnath> coming back

   <johnath> 2 hour timeout

   <ifette> ScribeNick: ifette

   <Mez> hi phil

   <Mez>
   [27]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0056.html

ISSUE-169

   ISSUE-169?

   <trackbot-ng> ISSUE-169 -- Section 5.5.3 creates a burden on browsers
   to remember past certificates -- OPEN

   <trackbot-ng> [28]http://www.w3.org/2006/WSC/track/issues/169

   <luis> trusted root certificate >> trusted anchor

   johnath: This seems long

   tlr: Not so long. parts are going away
   ... including the part on revocation checking failure
   ... and another part (the last paragraph) is being moved up to after
   the first numbered list

   <johnath> current text for 5.5.1 -
   [29]http://pastebin.mozilla.org/431034

   johnath: Pastes URL that shows what 5.5.1 would look like after edits

   ifette: this sounds nice

   <johnath> +1

   ifette: should store state or may store state. if you don't offer
   pinning, that extra info offers little value

   tlr: keeping the state around enables UAs to respond more strongly to
   certain error conditions

   ifette: fine

   <johnath> Mez: wiki with changes highlighted -
   [30]http://www.w3.org/2006/WSC/wiki/Revised551-May14

   tlr: there is a question on whether we want to add anything re
   downgrading level of warning interaction if... trails off

   <johnath> (since pastebin is not permanent)

   tlr: the one question tlr has is whether 4.3 in that list we would want
   to...
   ... trails off
   ... restarts
   ... we have currently in that list of 4 items basically making a link
   b/t offering pinning and having a notification interaction
   ... the one additional thing I could see would be for UAs that keep
   state but doesnt do pinning is to say if it keeps state around, and if
   there is a site with which the user has interacted before and a
   validated cert has never been seen, whether in that case it should be a
   warning or notification
   ... that creates a certain hole but is probably the right thing in my
   mind
   ... would be a slight weakening or in addition to point 4
   ... would like to put that on the table
   ... so the interaction in that case would be for a UA that does not
   support pinning, you get a warning the first time, after that it's just
   a notification message
   ... it is a rather weak model and i prefer the one with pinning

   johnath: inclined to say that if you want to solve this, just support
   pinning

   tlr: Other question: pinning may/should/must

   ifette: may

   yngve: dont like notifications unless based on previous knowledge
   ... could be interpreted as just not showing any indication to user
   even on first time

   johnath: 5.1.5 says uas may support pinning, such behaviour includes...
   (reads)

   tlr: something wrong in 1st sentence
   ... ponders

   johnath: fine with proposed text as is

   tlr: dont feel strongly about changing. move on.

   mez: ok, big pause?
   ... silence...
   ... other issues?

   yngve: consistent with 5.1.5 means if a webpage consistently presents a
   self signed cert

   tlr: no
   ... it means that requirements further down should be followed
   ... first part up to UAs may support pinning etc, is a rationale
   ... this is about SHOULD NOT cause self signed certs to pinned to more
   than one site, must not caused untrusted root to be accepted for addl
   sites, should be considered sufficient auth to allow petname
   association
   ... also MUST NOT do any automatic thing unless client has history info
   mechanism about security info, which is weak

   yngve: thinking about???
   ... may use notification
   ... think it should at least say if it's got historical knowledge

   tlr: would mean first interaction always warning, only later downgrade

   yngve: concerned that we may lead implementers to ditch unknown self
   signed warnings

   tlr: concern that they implement notification mechanism equal to not
   showing anything?

   yngve: just showing a weak notification
   ... giving a stronger warning first time

   tlr: current idea precisely that
   ... weak notification, UNLESS you have info that site is usually
   validated

   yngve: first time have no info, has ssc
   ... notification or warning?

   tlr: notification

   yngve: problem?
   ... concerned could leave open for spoofing

   tlr: does create a window
   ... if you dont want that dont implement that

   yngve: would not interrupt users

   tlr: yes

   yngve: problematic

   tlr: ok....?

   <johnath> (poor ifette)

   yngve: still can be used for making spoof sites
   ... suspect that if this gets implemented wrong way, w/o dialog, even
   more prevalent

   ifette: why would phisher direct to https with warning when they could
   direct to http with no warning?

   yngve: depends on what kind of indicators are shown
   ... https, padlock, etc

   tlr: following you... as far as MITM attacks concerned
   ... not for phishing
   ... for MITM yes, we are saying this is creating an additional risk in
   following scenario which is acceptable in big picture
   ... and current UAs people click ok anyways
   ... question is is that risk acceptable
   ... and whether changing this first interaction is useful way to
   mitigate risk
   ... SSCs at least get protection against passive attackers
   ... better than http
   ... protect against active attackers as soon as is possible
   ... does dialog make significant difference for first interaction?
   ... not really opening up any new holes.

   yngve: might be an idea to explain the risks in that section

   tlr: trying to remember if we explain or not

   yngve: risk assessment
   ... would like link

   tlr: part of an editiorial fix, one thing that is spelled out is
   precisely this

   <tlr>
   [31]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#mitm-initial

   tlr: that we've been discussing
   ... active attacks during initial attacks
   ... happy to add link from 5.1 to 9.1
   ... which already links back to 5.1

   yngve: want risks linked in text

   tlr: will change link in beginning of 9.1 to point to 5.5.1 which
   ismeant

   luis: has a new thing on this phrase
   ... in johnath's text
   ... three places where requirement to UA is phrased
   ... may offer pinning (in here twice)
   ... line number 16
   ... later on in line 26
   ... later in text in section 5.1.5

   yngve: those two detail different situations
   ... first one is if it already knows pinned, second is if it doesnt
   have historical info

   luis: requirements still the same

   johnath: first set of bullets governed by paragraph about what
   capabilities UA has
   ... next bullets for UAs not capable of
   ... refer to different categories of UAs

   group: ... more back and forth on editorial changes

   ifette: leave to editors?

   group: yay

   ifette: vote?

   <johnath> proposal: text from pastebin/wiki + editorial changes to
   5.1.5 to avoid "pinning" repetition

   jvkrey: if you cant store state of certificates, why offer possibility
   to pin>

   johnath: read as we dont store about whether a site presented a
   validated cert or not, but we are able to pin singular exceptions

   yngve: same for opera

   ifette: vote?

   group: talks and feels good

   mez: great lets vote

   <johnath> proposal: text from pastebin/wiki + editorial changes to
   5.1.5 to avoid "pinning" repetition

   a) go with tlr's text

   b) keep it

   c) abstain

   <johnath> A

   <ifette >A

   <PHB2> a

   <jvkrey> a, I like it

   <tlr> a

   <luis> A

   <csant> A

   mez: C

   <anil> A

   <yngve> A

   mez: ok
   ... give tlr an action

   <johnath> ACTION: tlr to update 5.5.1 with wiki text, and possibly edit
   5.1.5 to avoid "pinning" repetition [recorded in
   [32]http://www.w3.org/2008/05/14-wsc-minutes.html#action03]

   <trackbot-ng> Created ACTION-452 - Update 5.5.1 with wiki text, and
   possibly edit 5.1.5 to avoid \"pinning\" repetition [on Thomas Roessler
   - due 2008-05-21].

   mez: takes us through and produces resoutions for all open issues
   except for ISSUE-199

   tlr: new issue

   <johnath> issue-203?

   <trackbot-ng> ISSUE-203 -- Update Security Considerations -- OPEN

   <trackbot-ng> [33]http://www.w3.org/2006/WSC/track/issues/203

   ISSUE-203?

   <trackbot-ng> ISSUE-203 -- Update Security Considerations -- OPEN

   <trackbot-ng> [34]http://www.w3.org/2006/WSC/track/issues/203

ISSUE-203

   tlr: should say where we rely on specific user behavior, and where are
   the risks where users do things we dont expect
   ... where are we creating additional exposure
   ... someone who is not an editor should go through spec and do that
   pass

   ifette: dont have edits folded in

   yngve: +1
   ... review done after editing folded in

   ifette: apologizes to mez

   johnath: is that true?

   tlr: can probably go through and do that review
   ... at least in a raw form
   ... know where we came out on mixed content
   ... expect considerations from yngve
   ... one change that comes up in my mind that has real impact on
   security considerations seciton
   ... might want to explictly say that we do not specify behavior for
   failure conditions as network failures during revocation checking
   ... these are the things from what I remember that would affect
   security considerations
   ... other than that we can work from current draft

   johnath: offers to write section 9.2 about revocation checking if that
   is helpful

   mez: yes

   johnath: :-)

   yngve: phone?

   mez: top down
   ... ?

   tlr: yes

   mez: yes
   ... anything in section 1

   <Mez> [35]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#Overview

   <Mez>
   [36]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#Conformance

   ifette: confusion about first time

   <luis> tlr: no conformance language for "first time"

   ifette: would like to clarify first in 6.2

   johnath: we do top level page view
   ... was it typed into address bar, click link, tec
   ... top level docshell
   ... not good language for spec
   ... first time a user agent navigated to a page

   mez: that's the change
   ... ?

   tlr: no action on yngve to write security considerations about EV and
   mixed content

   <Mez> is this what you meant ?

   <Mez> 2. When the user first went to a web page with the current top
   level web page's domain.

   ifette: close

   <Mez> 2. When the user first visited a web page with the current web
   page's domain.

   <tlr> ACTION: yngve to provide initial draft of security considerations
   for EV mixed with DV case [recorded in
   [37]http://www.w3.org/2008/05/14-wsc-minutes.html#action04]

   <trackbot-ng> Created ACTION-453 - Provide initial draft of security
   considerations for EV mixed with DV case [on Yngve Pettersen - due
   2008-05-21].

   <Mez> 2. When the user first visited a top level [ref web page] with
   the current top level [ref web page's] domain.

   <Mez> 1. When the user most recently visited the domain of the [ref web
   page] in the past.

   <Mez> 2. When the user first visited a top level [ref web page] with
   the current top level [ref web page's] domain.

   <Mez> 3. How often the user visited the domain of the [ref web page] in
   the past.

   <Mez> 1. When the user most recently visited the domain of the top
   level [ref web page] in the past.

   <Mez> 2. When the user first visited a top level [ref web page] with
   the current top level [ref web page's] domain.

   <Mez> 3. How often the user visited the domain of the top level [ref
   web page] in the past.

   ifette: yay

   luis: is this first visit info that can be flushed

   ifette: yes. clear history

   luis: not persistent

   ifette: assume implementation, but in reality probably tied to history

   mez: walkthrough... past section 3>

   johnath: created proposed text for ocsp

   <johnath> issue-205?

   <trackbot-ng> ISSUE-205 -- Add security consideration for OCSP failure
   -- OPEN

   <trackbot-ng> [38]http://www.w3.org/2006/WSC/track/issues/205

   mez: look at it?

   ifette: +1

   mez: gee, what happneed to 204?

   ISSUE-204?

   <trackbot-ng> ISSUE-204 -- Drop square brackets in section 6.1.1 --
   OPEN

   <trackbot-ng> [39]http://www.w3.org/2006/WSC/track/issues/204

   tlr: 204 is editorial

   <johnath> proposal - that we adopt text from ISSUE-205

   PROPOSAL: adopt text from ISSUE-205

   mez: super cool groovy

   <Mez> a) do it

   <Mez> be) no

   <Mez> c) abstain

   <Mez> not to be

   <johnath> A

   <tlr> issue-205?

   <trackbot-ng> ISSUE-205 -- Add security consideration for OCSP failure
   -- OPEN

   <trackbot-ng> [40]http://www.w3.org/2006/WSC/track/issues/205

   <ifette> a

   <Mez> a

   <tlr> a

   <yngve> a

   <jvkrey> a

   <johnath> other votes? PHB?

   <csant> a

   <johnath> anil?

   <luis> C

   <anil> A

   <PHB2> a

   mez: great

   <johnath> ACTION: anil to add section 9.2 based on issue-205 text
   [recorded in
   [41]http://www.w3.org/2008/05/14-wsc-minutes.html#action05]

   <trackbot-ng> Created ACTION-454 - Add section 9.2 based on issue-205
   text [on Anil Saldhana - due 2008-05-21].

   mez: moving on to section 4

   <Mez> [42]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#concepts

   mez: will pick up with section 5 on ISSUE-203
   ... encourage people to look at this over lunch

   <Mez> back in 60 minutes

   <scribe> ScribeNick: csant

   <Mez> [43]http://www.w3.org/2006/WSC/Group/cheatsheet

   <Mez> scribing and scribing action items sections, in the middle

   <PHB2> going offline

   <Mez> issue-203?

   <trackbot-ng> ISSUE-203 -- Update Security Considerations -- OPEN

   <trackbot-ng> [44]http://www.w3.org/2006/WSC/track/issues/203

   Mez: Picking up on section 5

   <Mez> [45]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tlsforweb

   <anil> section 5.1.5

   johnath: 5.1.5, fine - when talking about pinning self-signed certs,
   naive implementor might trust it too easily

   tlr: last 2 paragraphs take care of that?

   <Mez> section 5.1.2 - should we say that AAC don't protect against XSS?

   <scribe> ACTION: johnath to dd that wording to 5.1.2 [recorded in
   [46]http://www.w3.org/2008/05/14-wsc-minutes.html#action06]

   <trackbot-ng> Created ACTION-455 - Dd that wording to 5.1.2 [on
   Johnathan Nightingale - due 2008-05-21].

   Mez: 5.1.3 - should we say whether validate certs are important?

   tlr: might make sense to add a note to 5.1.3

   <Mez> ACTION: tlr to say why validated certs are worthy of so much
   reliance, for security considerations [recorded in
   [47]http://www.w3.org/2008/05/14-wsc-minutes.html#action07]

   <trackbot-ng> Created ACTION-456 - Say why validated certs are worthy
   of so much reliance, for security considerations [on Thomas Roessler -
   due 2008-05-21].

   Mez: logotypes? 5.1.4
   ... needed to mention in security considerations?

   PHB2: logotypes communicate identity more directly to the user...
   ... helps user to identify easier...

   <Mez> ACTION: phb to give overview of why logotypes are interesting in
   security considerations section [recorded in
   [48]http://www.w3.org/2008/05/14-wsc-minutes.html#action08]

   <trackbot-ng> Created ACTION-457 - Give overview of why logotypes are
   interesting in security considerations section [on Phillip Hallam-Baker
   - due 2008-05-21].

   Mez: 5.1.6, petnames?

   ifette: most things in the spec most people in the group agree on,
   petnames i wouldn't be so sure.

   anil: we need to introduce security consideration section, explaining
   what it really means.

   ifette: why do we have a whole ssection on names?

   <anil> ACTION: anil to add a couple of sentences about what the
   security consideration section means [recorded in
   [49]http://www.w3.org/2008/05/14-wsc-minutes.html#action09]

   <trackbot-ng> Created ACTION-458 - Add a couple of sentences about what
   the security consideration section means [on Anil Saldhana - due
   2008-05-21].

   ifette: need to explain why this is actually included

   johnath: there is a concern that in the absence of petnames a user
   might rely on other, less reiable means
   ... petnames help establishing a reliable association, mainly for
   AA-cert sites

   tlr: shouldn't the wording then be "should"?

   johnath: requires users' interaction, not really sure whether it's a
   safe mechanism
   ... not sure we need to add a motivation for each item.

   tlr: pure motivation arguments should be kept out of the security
   considerations.

   <johnath> ISSUE-207?

   <trackbot-ng> ISSUE-207 -- Add Section 9.3 - Certificates assure
   identity, not security -- OPEN

   <trackbot-ng> [50]http://www.w3.org/2006/WSC/track/issues/207

   <johnath> proposal: that we adopt the text in ISSUE-207 as a new
   section in section 9

   <Mez> a) 207 yes

   <Mez> b) no

   <Mez> c) ?

   <yngve> a

   <ifette> a

   <johnath> A

   <csant> A

   <anil> A

   <PHB2> A

   <jvkrey> abstain

   <luis> A with minor editorial on strongly protected ...

   <tlr> a

   <Mez> c

   <Mez> ACTION: anil to do issue-207 [recorded in
   [51]http://www.w3.org/2008/05/14-wsc-minutes.html#action10]

   <trackbot-ng> Created ACTION-459 - Do issue-207 [on Anil Saldhana - due
   2008-05-21].

   Mez: 5.2, types of TLS
   ... 5.3, yngve has an action on, 5.4 is gone.

   <johnath> Issue-208?

   <trackbot-ng> ISSUE-208 -- Add security consideration for "human
   readable" names - e.g. petnames -- OPEN

   <trackbot-ng> [52]http://www.w3.org/2006/WSC/track/issues/208

   <johnath> PROPOSAL: That ISSUE-208 text be added to section 9 (with
   editorial changes as needed)

   <ifette> A

   <Mez> a) do it

   <Mez> b) nope

   <Mez> c) don't care

   <johnath> A

   <csant> a

   <Mez> c

   <tlr> a

   <luis> A

   <anil> A

   <jvkrey> c

   <yngve> a

   <PHB2> A

   <johnath> ACTION: tlr to include ISSUE-208 text in section 9 (with
   edits as needed) [recorded in
   [53]http://www.w3.org/2008/05/14-wsc-minutes.html#action11]

   <trackbot-ng> Created ACTION-460 - Include ISSUE-208 text in section 9
   (with edits as needed) [on Thomas Roessler - due 2008-05-21].

   Mez: 5.5.2 ok, anything about 5.5.3?
   ... 6.2? 6.3?
   ... 6.4?

   tlr: 6.4.1, why is there a MUST NOT in front of terms of art?

   <ifette> "must not be phrased solely in temrs of art"

   <ifette> "must not be phrased solely in terms of art, e.g. jargon"

   <ifette> A

   <johnath> A

   <tlr> a

   <csant> A

   <PHB2> A

   <anil> A

   <Mez> a) buy Thomas many drinks tonight

   <Mez> b) amend 6.4.1, 2nd paragraph, 1st sentence, adding ian's clause

   <Mez> c) do nothing

   <Mez> d) abstain

   <ifette> oh boy...

   <ifette> i like my text. I vote accordingly

   <tlr> (the minutes will be faked accordingly)

   <johnath> text++

   <luis> D

   <anil> B

   <tlr> B

   <jvkrey> d

   <yngve> B

   <PHB2> B

   <csant> B

   <Mez> d

   resolution: approve text

   <Mez> ACTION: anil to alter 6.4.1 accordingly [recorded in
   [54]http://www.w3.org/2008/05/14-wsc-minutes.html#action12]

   <trackbot-ng> Created ACTION-461 - Alter 6.4.1 accordingly [on Anil
   Saldhana - due 2008-05-21].

   <tlr> action-461?

   <trackbot-ng> ACTION-461 -- Anil Saldhana to alter 6.4.1 accordingly --
   due 2008-05-21 -- OPEN

   <trackbot-ng> [55]http://www.w3.org/2006/WSC/track/actions/461

   Mez: 6.4.2, 6.4.3 ok

   yngve: 6.4.3, 6.4.4 issue about message overload

   Mez: 7.1.1, 7.1.2? 7.2?
   ... 7.3, 7.4?

   anil: editorial question: should we link *all* uses of definitions?

   tlr: tried to link first occurence within each section
   ... 7.4.4: MAY or SHOULD needs to be cleared

   Mez: was taken care of yesterday, there was an action.

   <anil> ACTION: anil to correct link words that have a definition (such
   as Web user agents) in the first occurrence in a subsection [recorded
   in [56]http://www.w3.org/2008/05/14-wsc-minutes.html#action13]

   <trackbot-ng> Created ACTION-462 - Correct link words that have a
   definition (such as Web user agents) in the first occurrence in a
   subsection [on Anil Saldhana - due 2008-05-21].

   ifette: 8: what is that first sentence?

   tlr: striking it.

   ifette: some concerns about 8.3
   ... don' like the MUST, do not agree.

   yngve: e.g. a cookie should be sent with the same security as other
   credentials

   ifette: for many sites it is too expensive to be realistic.

   <johnath> ISSUE-210

   <johnath> ISSUE-210?

   <trackbot-ng> ISSUE-210 -- Add section 9.5 - Warning Fatigue -- OPEN

   <trackbot-ng> [57]http://www.w3.org/2006/WSC/track/issues/210

   <ifette> ISSUE-211?

   <trackbot-ng> ISSUE-211 -- Make 8.3 SHOULD not must -- OPEN

   <trackbot-ng> [58]http://www.w3.org/2006/WSC/track/issues/211

   <ifette> A

   <Mez> a) make change

   <Mez> b) don't

   <Mez> c) don't care

   <johnath> A

   <maritzaj> a

   <anil> A

   <jvkrey> c

   <tlr> a

   <csant> c

   <PHB2> A

   <Mez> c

   <yngve> A for 210

   <johnath> ACTION: tlr to add ISSUE-210 text to section 9, with edit to
   reference "managing user attention" section [recorded in
   [59]http://www.w3.org/2008/05/14-wsc-minutes.html#action14]

   <trackbot-ng> Created ACTION-463 - Add ISSUE-210 text to section 9,
   with edit to reference \"managing user attention\" section [on Thomas
   Roessler - due 2008-05-21].

   <ifette> ISSUE-211?

   <trackbot-ng> ISSUE-211 -- Make 8.3 SHOULD not must -- OPEN

   <trackbot-ng> [60]http://www.w3.org/2006/WSC/track/issues/211

   Mez: keep going with issue 203: 8.4, 8.5?

   <anil> ACTION: anil to merge acknowledgments (sections 10 and 2) to 2
   [recorded in
   [61]http://www.w3.org/2008/05/14-wsc-minutes.html#action15]

   <trackbot-ng> Created ACTION-464 - Merge acknowledgments (sections 10
   and 2) to 2 [on Anil Saldhana - due 2008-05-21].

   <ifette> ISSUE-211?

   <trackbot-ng> ISSUE-211 -- Make 8.3 SHOULD not must -- OPEN

   <trackbot-ng> [62]http://www.w3.org/2006/WSC/track/issues/211

   Mez: done with issue 203? trl, want to consider any other topics?

   tlr: none.

   <ifette> ISSUE-211?

   <trackbot-ng> ISSUE-211 -- Make 8.3 SHOULD not must -- OPEN

   <trackbot-ng> [63]http://www.w3.org/2006/WSC/track/issues/211

   Mez: ISSUE-203 to be closed

   <tlr> ACTION: tlr to remove sqbrackets from identity signal section
   [recorded in
   [64]http://www.w3.org/2008/05/14-wsc-minutes.html#action16]

   <trackbot-ng> Created ACTION-465 - Remove sqbrackets from identity
   signal section [on Thomas Roessler - due 2008-05-21].

   <ifette> ISSUE-206?

   <trackbot-ng> ISSUE-206 -- Smartphone Considerations -- OPEN

   <trackbot-ng> [65]http://www.w3.org/2006/WSC/track/issues/206

   <johnath> we're dialing back in

   <johnath> :)

   <PHB2> ach, just wait till everyone has an iphone and this goes away

   <jvkrey> a+

   luis: has submitted changes to ISSUE-206 to the list

   <Mez> jvkrey

   jvkrey: phones' UI is constantly shifting.
   ... would like to rethink the separation between primary and secondary
   chrome

   <Zakim> anil, you wanted to say "can we just make text generic to not
   refer to desktops or smart phones or hand held devices OR add a
   statement that this is applicable to future devices"

   tlr: example of low-chrome phone UI is fine, but hesitant to add more
   details

   <anil> ACTION: anil to create an issue for concrete proposals around
   "can we just make text generic to not refer to desktops or smart phones
   or hand held devices" [recorded in
   [66]http://www.w3.org/2008/05/14-wsc-minutes.html#action17]

   <trackbot-ng> Created ACTION-466 - Create an issue for concrete
   proposals around \"can we just make text generic to not refer to
   desktops or smart phones or hand held devices\" [on Anil Saldhana - due
   2008-05-21].

   Mez: need to make changes to 6.1.1 proposal?

   tlr: 2 changes:
   ... fullscreen mode should be changed to low-chrome mode...
   ... and also suggest to keep it as an example of where we are now, not
   to introduce something new.

   jvkrey: not sure i understand the change from no-chrome (fullscreen) to
   low-chrome.

   Mez: we'll wait for a round of updates via mail on ISSUE-206

   ifette: contentious issue is 6.1.1

   <tlr> action-433?

   <trackbot-ng> ACTION-433 -- Anil Saldhana to change
   robustness-apis-obscure-security-ui to include For visual user agents,
   browser chrome SHOULD always be present to signal security context
   information. This requirement does not apply when UI is explicitly
   dismissed by the user, e.g. by switching to full screen mode." -- due
   2008-05-20 -- PENDINGREVIEW

   <trackbot-ng> [67]http://www.w3.org/2006/WSC/track/actions/433

   tlr: suggest to cut off action 433 before the "e.g."

   <tlr> ACTION: anil to cut off "before " e.g. by switching to [recorded
   in [68]http://www.w3.org/2008/05/14-wsc-minutes.html#action18]

   <trackbot-ng> Created ACTION-467 - Cut off \"before \" e.g. by
   switching to [on Anil Saldhana - due 2008-05-21].

   <tlr> presentation mode in desktops. However, it does apply when user
   switches

   <tlr> to full-screen mode in smartphones." from result from ACTION-433

   <tlr> trackbot, close ACTION-467

   <tlr> close ACTION-467

   <trackbot-ng> ACTION-467 Cut off "before " e.g. by switching to closed

   <johnath> ACTION: anil to make spelling changes in ISSUE-209 [recorded
   in [69]http://www.w3.org/2008/05/14-wsc-minutes.html#action19]

   <ifette> ISSUE-211?

   <trackbot-ng> Created ACTION-468 - Make spelling changes in ISSUE-209
   [on Anil Saldhana - due 2008-05-21].

   <trackbot-ng> ISSUE-211 -- Make 8.3 SHOULD not must -- OPEN

   <trackbot-ng> [70]http://www.w3.org/2006/WSC/track/issues/211

   <tlr> ACTION: anil to cut off action433 result before the "e.g. by
   switching to ....." [recorded in
   [71]http://www.w3.org/2008/05/14-wsc-minutes.html#action20]

   <trackbot-ng> Created ACTION-469 - Cut off action433 result before the
   \"e.g. by switching to .....\" [on Anil Saldhana - due 2008-05-21].

   <ifette> ISSUE-211?

   <trackbot-ng> ISSUE-211 -- Make 8.3 SHOULD not must -- OPEN

   <trackbot-ng> [72]http://www.w3.org/2006/WSC/track/issues/211

   ifette: when we have a good idea, but there are reasons not to
   implement it, we should use SHOULD

   yngve: this applies to sensitive transactions, therefore credentials
   MUST really be protected in the same way

   <Zakim> anil, you wanted to "add levels of sensitivity"

   anil: agree with both - but we are lacking a definition for level of
   sensitivity.

   ifette: in real life these issues have been considered, and it didn't
   seem sustainable.

   johnath: when making guidelines we should stick to what is actually
   more important from security reasons, not what is more viable
   economically.

   ifette: if we are too strict, sites will not adopt this

   tlr: proposal: change from MUST to SHOULD, but add a strong
   reccomendation and a warning on implications.

   ifette: do people really have concerns about the current amazon
   handling of this?

   csant: Mez and johnath do.

   johnath: I sympathyze with the decisions, but I do not feel confortable
   with these solutions.

   tlr: a MUST might really help contributing to give a push to sites to
   actually go for more secure solutions

   ifette: rather skeptical about tlr's statement.
   ... should authoring practices be moved to a separate document?

   Mez: maybe it would be a good exercise for the group.

   <jvkrey> +1 to tlr

   tlr: the first 7 chapters are really not addressed at authors, so maybe
   we really should move them to a separate document
   ... we should not get rid of the remaining chapters 8 and 9, but they
   might be more useful in a separate doc.

   johnath: rather make edits and remove uppercasing MUST and SHOULDs than
   moving them to a separate document.

   <ifette> A) change MUST to SHOULD

   <ifette> b) Make the authoring practices a separate document

   <ifette> C) Make the section non-normative

   <ifette> D) do nothing

   <ifette> E) abstain

   <Mez> straw poll - sense of the room - totally non binding

   <ifette> B

   <johnath> B

   <ifette> C

   <PHB2> b

   <ifette> B/C

   <tlr> b

   <johnath> B-C

   <Mez> b, then d

   <luis> Ericsson votes C

   <yngve> D preferably

   <jvkrey> b, I think this document is needed, and the audience that
   *really* needs it will be lost in the first 7 sections.

   <csant> b/c

   <anil> D

   <luis> B is OK too

   Mez: any objections to go for B?

   <johnath> ACTION: tlr to create FPWD of best practices for web authors,
   remove section 8 and references from wsc-xit [recorded in
   [73]http://www.w3.org/2008/05/14-wsc-minutes.html#action21]

   <trackbot-ng> Created ACTION-470 - Create FPWD of best practices for
   web authors, remove section 8 and references from wsc-xit [on Thomas
   Roessler - due 2008-05-21].

   <Mez> 26 minutes; see you then

   <tlr> RESOLUTION: split authoring best practices into a separate
   rec-track deliverable

   RESOLUTION: split authoring best practices into a separate rec-track
   deliverable

   <tlr> issue-202?

   <trackbot-ng> ISSUE-202 -- Conformance model section makes outdated
   assumption about spec content -- OPEN

   <trackbot-ng> [74]http://www.w3.org/2006/WSC/track/issues/202

   <johnath> ScribeNick: johnath

ISSUE-212

   ISSUE-212?

   <trackbot-ng> ISSUE-212 -- devices and low-chrome mode -- OPEN

   <trackbot-ng> [75]http://www.w3.org/2006/WSC/track/issues/212

   Mez: what is the motive here?

   jvkrey: my motive is to remove some confusion wrt to no-chrome/full
   screen modes and also be clear that even though your browser has
   "little chrome" it would not be excused from requirements on chrome

   Mez: there's no RFC2119 language here

   jvkrey: this is an example - appended to the RFC2119 paragraph

   Mez: this is in 6.1.1? Oh yes.
   ... this is motivating the "SHOULD"
   ... I personally have no intuition into what is in a low chrome mode

   yngve: very few UI elements, no menus or that kind of thing - almost
   all content

   Mez: please turn that around and tell me what chrome is expected

   yngve: it could be none - or it could be some minimum functionality,
   small menus, but I'm not a UI guy
   ... in some cases, a very small addressbar that pops up on hover
   ... you can have it slide back down when not hovered

   Mez: and why don't we want identity in a low chrome mode?

   jvkrey: you DO want identity there

   yngve: this is to distinguish from presentation mode

   Mez: but this seems to say that we don't want it

   luis: I read it that way as well

   (conversation on hold while we sort out network stuff)

   Mez: let's continue since scribe has network
   ... I'm still concerned that switching to low-chrome should not be a
   reason to remove SCI

   tlr: I continue to be confused by this
   ... we have usage modes where chrome is present, and SCI always have to
   be there
   ... we also have usage modes that have no chrome, and we exempt SCI
   display requirements
   ... but now we have these intermediate modes saying that chrome is
   available on demand
   ... and I would expect us to require SCI *when chrome is displayed*
   ... I would like to leave it at that relatively simple distinction

   jvkrey: is your concern taken care of it "low"->"no"

   tlr: yes, if we are strictly talking about chrome/nochrome

   luis: but that was what was originally written

   tlr: I think that, at least to luis, "full screen mode" is a term that
   means different things to desktops vs. smart phones

   PHB2: I prefer presentation mode, personally
   ... that gets to the heart of it in that presentation mode is focused
   on presenting "only the content"

   tlr: another example is youtube in full screen video mode
   ... it's not *just* presentation mode, I think the basic definition is
   right

   (more network debugging)

   <PHB2> content-only presentation mode

   Mez: so, how does this change the proposal?

   tlr: I would propose that...
   ...

   <tlr> For example, a Web browser which is interactively switched into a
   full-screen presentation mode that does not display any chrome need not
   preserve security indicators in primary user interface.

   <tlr> Or: For example, a Web browser which is interactively switched
   into a presentation mode that does not display any chrome need not
   preserve security indicators in primary user interface.

   tlr: does that cause a conflict?

   Mez: I like the precision of the second one

   tlr: okay, I'm happy with either of these

   luis: do we need the second case there as well?

   tlr: okay, new text coming

   <tlr> On the other hand, a user agent such as a smart phone which has a
   usage mode that makes minimal (but visible) chrome elements available
   does need to preserve security indicators.

   <tlr> ... in such a mode.

   luis: in full screen mode, presentation mode?

   tlr: I don't know - as a spec reader I don't think I want to have a
   term in there, since I was surprised to learn it was overloaded
   ... I would also suggest we drop the example in the TLS indicator
   section

   luis: this is okay to me

   <luis> OK for me

   Mez: how are we feeling about this? Problems?

   jvkrey: I don't like that part of the smartphone, it applies to
   anything with a small screen

   <luis> handled device?

   yngve: we are talking about browsers displaying on devices with
   "limited screen area"
   ... it could be even on VGA devices, like browsing-on-TV

   tlr: this is an example

   <jvkrey> On the other hand, a user agent with limited screen estate
   which has a usage mode that makes minimal chrome elements available
   does neet to preserve security indicators.

   yngve: it is an example, but it should be generic

   Mez: is jvkrey's text the entire proposal?

   jvkrey: that is in addition to the first line

   <Mez> For example, a Web browser which is interactively switched into a
   presentation mode that does not display any chrome need not preserve
   security indicators in primary user interface. On the other hand, a
   user agent with limited screen estate which has a usage mode that makes
   minimal chrome elements available does neet to preserve security
   indicators.

   <tlr> On the other hand, a user agent such as a smart phone, airline
   seatback or TV set which has a usage mode that makes minimal (but
   visible) chrome elements available does need to preserve security
   indicators.

   <tlr> For example, a Web browser which is interactively switched into a
   presentation mode that does not display any chrome need not preserve
   security indicators in primary user interface. On the other hand, a
   user agent such as a smart phone, airplane seatback or TV set which has
   a usage mode that makes minimal (but visible) chrome elements available
   does need to preserve security indicators.

   <luis> ... in such a mode?

   <luis> For example, a Web browser which is interactively switched into
   a presentation mode that does not display any chrome need not preserve
   security indicators in primary user interface. On the other hand, a
   user agent such as a smart phone, airline seatback or TV set which has
   a usage mode that makes minimal (but visible) chrome elements available
   does need to preserve security indicators in...

   <luis> ...such a mode.

   <tlr> For example, a Web browser which is interactively switched into a
   presentation mode that does not display any chrome need not preserve
   security indicators in primary user interface. On the other hand, a
   user agent such as a smart phone, air plane seatback or TV set which
   has a usage mode that makes minimal (but visible) chrome elements
   available does need to preserve security indicators in such a mode.

   <Mez> a) replacing the existing two sentences with this one in 6.1.1,
   end of 2nd paragraph

   <Mez> b) do nothing

   <Mez> c) don't care

   <PHB2> a

   <Mez> issue-212?

   <trackbot-ng> ISSUE-212 -- devices and low-chrome mode -- OPEN

   <trackbot-ng> [76]http://www.w3.org/2006/WSC/track/issues/212

   tlr: there is a separate part to this issue

   <tlr> second part; Replace "Note that ...." in 6.3 by "As in the case
   of the identity signal, there may be usabe modes during which this
   requirement does not apply."

   tlr: I think that qualifies as a "friendly ammendment"

   <Mez> a) replace the text in both 6.1.1 and 6.3 with the proposed text

   <Mez> b) do nothing

   <Mez> c) abstain

   <PHB2> a

   <Mez> phil already voted a; unless he votes again, that counts

   <Mez> phil is awake

   <johnath> a

   <luis> A

   <jvkrey> a

   <csant> a

   <anil> A

   <Mez> c

   <tlr> a

   <yngve> a

   <tlr> ACTION: tlr to replace text in 6.1.1 and 6.3 as drafted above.
   [recorded in
   [77]http://www.w3.org/2008/05/14-wsc-minutes.html#action22]

   <trackbot-ng> Created ACTION-471 - Replace text in 6.1.1 and 6.3 as
   drafted above. [on Thomas Roessler - due 2008-05-21].

Issue-206

   Issue-206?

   <trackbot-ng> ISSUE-206 -- Smartphone Considerations -- OPEN

   <trackbot-ng> [78]http://www.w3.org/2006/WSC/track/issues/206

   Mez: do we have text for here

   <Mez>
   [79]http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0067.html

   johnath: if I remember correctly, we blew through all but 6.1.1 and
   ACTION-433 text

   Mez: okay, the 6.1.1 text is not an issue any more
   ... so what was the deal with 433?
   ... so is there a third place that should have the change from
   ISSUE-212?

   luis: didn't we agree that for 433, we would just stop short before the
   "e.g."?

   johnath: yes

   Mez: so if we remove the 6.1.1 and action-433 parts, do we take the
   rest

   johnath: I think the consensus was that in the other places we would
   just drop the word "desktop" before "web user agents"

   luis: that's okay

   <luis> ACTION: anil to drop "desktop" in 4.2.1 3rd and 5th paragraphs
   [recorded in
   [80]http://www.w3.org/2008/05/14-wsc-minutes.html#action23]

   <trackbot-ng> Created ACTION-472 - Drop \"desktop\" in 4.2.1 3rd and
   5th paragraphs [on Anil Saldhana - due 2008-05-21].

   luis: is the text in 5.1.1 okay?

   jvkrey: device manufacturers is more generic

   <luis> ACTION: anil to add "device manufactures" to list in 5.1.1, 2nd
   paragraphs [recorded in
   [81]http://www.w3.org/2008/05/14-wsc-minutes.html#action24]

   <trackbot-ng> Created ACTION-473 - Add \"device manufactures\" to list
   in 5.1.1, 2nd paragraphs [on Anil Saldhana - due 2008-05-21].

   <luis> comments on 7.2?

   jvkrey: I propose again removing the "desktop/smartphone" reference and
   just mention "browsers"

   <luis> Change from: For example, the location bar commonly found on
   desktop browsers is

   <luis> often used to both display the "padlock" security indicator,

   <luis> to "For example, the location bar commonly found on browsers is
   often used to both display the "padlock" security indicator,

   Mez: ready to vote?

   <Mez> a) make the change

   <PHB2> a

   <jvkrey> a

   <Mez> b) do nothing

   <csant> a

   <Mez> c) abstain

   <johnath> a

   <luis> A

   <anil> A

   <yngve> a

   <Mez> c

   <luis> ACTION: anil to drop word "desktop" in 7.2 1st paragraph
   [recorded in
   [82]http://www.w3.org/2008/05/14-wsc-minutes.html#action25]

   <trackbot-ng> Created ACTION-474 - Drop word \"desktop\" in 7.2 1st
   paragraph [on Anil Saldhana - due 2008-05-21].

   <Mez> issue-199?

   <trackbot-ng> ISSUE-199 -- WebAPI does not specify any TLS error
   handling for XMLHttpRequest -- OPEN

   <trackbot-ng> [83]http://www.w3.org/2006/WSC/track/issues/199

   Mez: alright, the only issue we have against wsc that does not have a
   resolution is ISSUE-199

ISSUE-199

   (fallen off - redialing)

   tlr: this is an issue against another working group's last call, as
   much as our own
   ... if we can resolve it by LC, great, but basically I think I'm ready
   to time-out on it
   ... there are two obvious ways to solve it, each of which requires an
   obvious change to our spec

   Mez: the message implied that they need to make changes

   tlr: yes, but our change would be to acknowledge their decision
   ... I think we've done what we need to do, and we can talk it over with
   the chair tonight

   Mez: we are out of issues

   <all> : woohoo

   Mez: other things before last call

   <PHB2> woohoo

   Mez: I think we should remove the appendices

   johnath: I have to read them again
   ... I'm in favour of removing them for june LC

   <Mez> [84]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#appendices

Appendix Removal

   Mez: any problems, any discussion?

   tlr: question - where do we move them?
   ... am I about to create another document?

   Mez: too bad we can't preserve it in a wiki.
   ... this version is around forever
   ... so they are not lost

   tlr: I can take an action to move it to a separate directory called
   "post-june"

   Mez: is that the "more correct" thing to do?

   tlr: that's what I would do

   Mez: alright

   <Mez> a) remove the appendices, to another directory/file

   <tlr> [85]http://www.w3.org/2006/WSC/drafts/wsc-content/

   <Mez> b) do nothing

   <Mez> c) abstain

   <tlr> (that's something else)

   <tlr> a

   <Mez> a

   <anil> A

   <csant> a

   <luis> A

   <johnath> A - with the assumption that we will revisit these, since
   many of the original authors are not present at the moment

   <jvkrey> c

   <PHB2> a

   <yngve> A

   <scribe> ACTION: tlr to move appendix content to a new document for
   "post-june" [recorded in
   [86]http://www.w3.org/2008/05/14-wsc-minutes.html#action26]

   <trackbot-ng> Created ACTION-475 - Move appendix content to a new
   document for \"post-june\" [on Thomas Roessler - due 2008-05-21].

   Mez: anything else before LC?

   tlr: one half-serious question is whether the current title remains
   relevant

   Mez: I think there's Indicators, Experience, and Trust

   tlr: So, where's "trust"

   Mez: in the authorities, in our continued reliance on validated and AA
   certs

   tlr: my point would be that I'd love us to come up with something that
   is more self-descriptive

   luis: "Strong TLS algorithms" lacks definition

   Mez: this is a recent issue, and we resolved it
   ... ISSUE-128 generated ACTION-426 to resolve this

   luis: I see, some text coming from bill

   Mez: it will get taken care of
   ... anything else?

   tlr: FYI section 8 and the appendix are gone

   Mez: Would it be appropriate to ask the group to take this to last
   call, presuming that the pending issues are resolved unsurprisingly?

   johnath: +1 for me - I have no hidden issues or new suggestions

   <luis> +1

   <tlr> +1

   <jvkrey> AOL

   PROPOSAL: That the group take this document to last call, presuming
   that pending actions are resolved and issues closed unsurprisingly,
   along with minor editorial changes.

   <jvkrey> = +1

   <PHB2> +1

   <csant> +1

   <Mez> a) support the resolution

   <Mez> b) do not support the resoution

   <Mez> c) abstain

   <johnath> A

   <yngve> a

   <jvkrey> a

   <csant> a

   <tlr> a

   <PHB2> a

   <anil> A

   <luis> A

   <Mez> a

   <Mez> we resolve

   RESOLUTION: The group will take this document to last call, presuming
   that pending actions are resolved and issues closed unsurprisingly,
   along with minor editorial changes.

   Mez: editors - ETA on final document

   anil: should be done by next week

   tlr: overloaded through this month, not making any promises till early
   june
   ... ETA June 10

   <PHB2> can someone buy me a troll?

   <Mez> phb, seriously?

   Mez: I plan to focus on usability testing next week

   ifette: I will take a first pass on cleaning up minutes, per tlr's
   request

   <Mez> thank you all; have a fine day/ evening

Summary of Action Items

   [NEW] ACTION: anil to add "device manufactures" to list in 5.1.1, 2nd
   paragraphs [recorded in
   [87]http://www.w3.org/2008/05/14-wsc-minutes.html#action24]
   [NEW] ACTION: anil to add a couple of sentences about what the security
   consideration section means [recorded in
   [88]http://www.w3.org/2008/05/14-wsc-minutes.html#action09]
   [NEW] ACTION: anil to add section 9.2 based on issue-205 text [recorded
   in [89]http://www.w3.org/2008/05/14-wsc-minutes.html#action05]
   [NEW] ACTION: anil to alter 6.4.1 accordingly [recorded in
   [90]http://www.w3.org/2008/05/14-wsc-minutes.html#action12]
   [NEW] ACTION: anil to correct link words that have a definition (such
   as Web user agents) in the first occurrence in a subsection [recorded
   in [91]http://www.w3.org/2008/05/14-wsc-minutes.html#action13]
   [NEW] ACTION: anil to create an issue for concrete proposals around
   "can we just make text generic to not refer to desktops or smart phones
   or hand held devices" [recorded in
   [92]http://www.w3.org/2008/05/14-wsc-minutes.html#action17]
   [NEW] ACTION: anil to cut off "before " e.g. by switching to [recorded
   in [93]http://www.w3.org/2008/05/14-wsc-minutes.html#action18]
   [NEW] ACTION: anil to cut off action433 result before the "e.g. by
   switching to ....." [recorded in
   [94]http://www.w3.org/2008/05/14-wsc-minutes.html#action20]
   [NEW] ACTION: anil to do issue-207 [recorded in
   [95]http://www.w3.org/2008/05/14-wsc-minutes.html#action10]
   [NEW] ACTION: anil to drop "desktop" in 4.2.1 3rd and 5th paragraphs
   [recorded in
   [96]http://www.w3.org/2008/05/14-wsc-minutes.html#action23]
   [NEW] ACTION: anil to drop word "desktop" in 7.2 1st paragraph
   [recorded in
   [97]http://www.w3.org/2008/05/14-wsc-minutes.html#action25]
   [NEW] ACTION: anil to make spelling changes in ISSUE-209 [recorded in
   [98]http://www.w3.org/2008/05/14-wsc-minutes.html#action19]
   [NEW] ACTION: anil to merge acknowledgments (sections 10 and 2) to 2
   [recorded in
   [99]http://www.w3.org/2008/05/14-wsc-minutes.html#action15]
   [NEW] ACTION: anil to update section 5.3 to include proposal 2 text
   [recorded in
   [100]http://www.w3.org/2008/05/14-wsc-minutes.html#action01]
   [NEW] ACTION: johnath to dd that wording to 5.1.2 [recorded in
   [101]http://www.w3.org/2008/05/14-wsc-minutes.html#action06]
   [NEW] ACTION: phb to give overview of why logotypes are interesting in
   security considerations section [recorded in
   [102]http://www.w3.org/2008/05/14-wsc-minutes.html#action08]
   [NEW] ACTION: tlr to add extension text to section 4.1, and possibly
   merge/reorg sections 3 and 4 [recorded in
   [103]http://www.w3.org/2008/05/14-wsc-minutes.html#action02]
   [NEW] ACTION: tlr to add ISSUE-210 text to section 9, with edit to
   reference "managing user attention" section [recorded in
   [104]http://www.w3.org/2008/05/14-wsc-minutes.html#action14]
   [NEW] ACTION: tlr to create FPWD of best practices for web authors,
   remove section 8 and references from wsc-xit [recorded in
   [105]http://www.w3.org/2008/05/14-wsc-minutes.html#action21]
   [NEW] ACTION: tlr to include ISSUE-208 text in section 9 (with edits as
   needed) [recorded in
   [106]http://www.w3.org/2008/05/14-wsc-minutes.html#action11]
   [NEW] ACTION: tlr to move appendix content to a new document for
   "post-june" [recorded in
   [107]http://www.w3.org/2008/05/14-wsc-minutes.html#action26]
   [NEW] ACTION: tlr to remove sqbrackets from identity signal section
   [recorded in
   [108]http://www.w3.org/2008/05/14-wsc-minutes.html#action16]
   [NEW] ACTION: tlr to replace text in 6.1.1 and 6.3 as drafted above.
   [recorded in
   [109]http://www.w3.org/2008/05/14-wsc-minutes.html#action22]
   [NEW] ACTION: tlr to say why validated certs are worthy of so much
   reliance, for security considerations [recorded in
   [110]http://www.w3.org/2008/05/14-wsc-minutes.html#action07]
   [NEW] ACTION: tlr to update 5.5.1 with wiki text, and possibly edit
   5.1.5 to avoid "pinning" repetition [recorded in
   [111]http://www.w3.org/2008/05/14-wsc-minutes.html#action03]
   [NEW] ACTION: yngve to provide initial draft of security considerations
   for EV mixed with DV case [recorded in
   [112]http://www.w3.org/2008/05/14-wsc-minutes.html#action04]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [113]scribe.perl version 1.128
    ([114]CVS log)
    $Date: 2008/06/04 12:02:02 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Member/member-wsc-wg/2008May/0004.html
   3. http://www.w3.org/2008/05/14-wsc-irc
   4. http://www.w3.org/2008/05/14-wsc-minutes.html#agenda
   5. http://www.w3.org/2008/05/14-wsc-minutes.html#item01
   6. http://www.w3.org/2008/05/14-wsc-minutes.html#item02
   7. http://www.w3.org/2008/05/14-wsc-minutes.html#item03
   8. http://www.w3.org/2008/05/14-wsc-minutes.html#item04
   9. http://www.w3.org/2008/05/14-wsc-minutes.html#item05
  10. http://www.w3.org/2008/05/14-wsc-minutes.html#item06
  11. http://www.w3.org/2008/05/14-wsc-minutes.html#item07
  12. http://www.w3.org/2008/05/14-wsc-minutes.html#item08
  13. http://www.w3.org/2008/05/14-wsc-minutes.html#item09
  14. http://www.w3.org/2008/05/14-wsc-minutes.html#ActionSummary
  15. http://lists.w3.org/Archives/Member/member-wsc-wg/2008May/0004.html
  16. http://www.w3.org/2006/WSC/track/issues/200
  17. http://www.w3.org/2006/WSC/track/issues/183
  18. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0033.html
  19. http://www.w3.org/2005/10/Process-20051014/policies.html#Votes
  20. http://www.w3.org/2006/WSC/track/issues/133
  21. http://www.w3.org/2008/05/14-wsc-minutes.html#action01
  22. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0049.html
  23. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0055.html
  24. http://www.w3.org/2008/05/14-wsc-minutes.html#action02
  25. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0056.html
  26. http://www.flickr.com/photos/matthewj/sets/72157604988911230/
  27. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0056.html
  28. http://www.w3.org/2006/WSC/track/issues/169
  29. http://pastebin.mozilla.org/431034
  30. http://www.w3.org/2006/WSC/wiki/Revised551-May14
  31. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#mitm-initial
  32. http://www.w3.org/2008/05/14-wsc-minutes.html#action03
  33. http://www.w3.org/2006/WSC/track/issues/203
  34. http://www.w3.org/2006/WSC/track/issues/203
  35. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#Overview
  36. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#Conformance
  37. http://www.w3.org/2008/05/14-wsc-minutes.html#action04
  38. http://www.w3.org/2006/WSC/track/issues/205
  39. http://www.w3.org/2006/WSC/track/issues/204
  40. http://www.w3.org/2006/WSC/track/issues/205
  41. http://www.w3.org/2008/05/14-wsc-minutes.html#action05
  42. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#concepts
  43. http://www.w3.org/2006/WSC/Group/cheatsheet
  44. http://www.w3.org/2006/WSC/track/issues/203
  45. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#tlsforweb
  46. http://www.w3.org/2008/05/14-wsc-minutes.html#action06
  47. http://www.w3.org/2008/05/14-wsc-minutes.html#action07
  48. http://www.w3.org/2008/05/14-wsc-minutes.html#action08
  49. http://www.w3.org/2008/05/14-wsc-minutes.html#action09
  50. http://www.w3.org/2006/WSC/track/issues/207
  51. http://www.w3.org/2008/05/14-wsc-minutes.html#action10
  52. http://www.w3.org/2006/WSC/track/issues/208
  53. http://www.w3.org/2008/05/14-wsc-minutes.html#action11
  54. http://www.w3.org/2008/05/14-wsc-minutes.html#action12
  55. http://www.w3.org/2006/WSC/track/actions/461
  56. http://www.w3.org/2008/05/14-wsc-minutes.html#action13
  57. http://www.w3.org/2006/WSC/track/issues/210
  58. http://www.w3.org/2006/WSC/track/issues/211
  59. http://www.w3.org/2008/05/14-wsc-minutes.html#action14
  60. http://www.w3.org/2006/WSC/track/issues/211
  61. http://www.w3.org/2008/05/14-wsc-minutes.html#action15
  62. http://www.w3.org/2006/WSC/track/issues/211
  63. http://www.w3.org/2006/WSC/track/issues/211
  64. http://www.w3.org/2008/05/14-wsc-minutes.html#action16
  65. http://www.w3.org/2006/WSC/track/issues/206
  66. http://www.w3.org/2008/05/14-wsc-minutes.html#action17
  67. http://www.w3.org/2006/WSC/track/actions/433
  68. http://www.w3.org/2008/05/14-wsc-minutes.html#action18
  69. http://www.w3.org/2008/05/14-wsc-minutes.html#action19
  70. http://www.w3.org/2006/WSC/track/issues/211
  71. http://www.w3.org/2008/05/14-wsc-minutes.html#action20
  72. http://www.w3.org/2006/WSC/track/issues/211
  73. http://www.w3.org/2008/05/14-wsc-minutes.html#action21
  74. http://www.w3.org/2006/WSC/track/issues/202
  75. http://www.w3.org/2006/WSC/track/issues/212
  76. http://www.w3.org/2006/WSC/track/issues/212
  77. http://www.w3.org/2008/05/14-wsc-minutes.html#action22
  78. http://www.w3.org/2006/WSC/track/issues/206
  79. http://lists.w3.org/Archives/Public/public-wsc-wg/2008May/0067.html
  80. http://www.w3.org/2008/05/14-wsc-minutes.html#action23
  81. http://www.w3.org/2008/05/14-wsc-minutes.html#action24
  82. http://www.w3.org/2008/05/14-wsc-minutes.html#action25
  83. http://www.w3.org/2006/WSC/track/issues/199
  84. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#appendices
  85. http://www.w3.org/2006/WSC/drafts/wsc-content/
  86. http://www.w3.org/2008/05/14-wsc-minutes.html#action26
  87. http://www.w3.org/2008/05/14-wsc-minutes.html#action24
  88. http://www.w3.org/2008/05/14-wsc-minutes.html#action09
  89. http://www.w3.org/2008/05/14-wsc-minutes.html#action05
  90. http://www.w3.org/2008/05/14-wsc-minutes.html#action12
  91. http://www.w3.org/2008/05/14-wsc-minutes.html#action13
  92. http://www.w3.org/2008/05/14-wsc-minutes.html#action17
  93. http://www.w3.org/2008/05/14-wsc-minutes.html#action18
  94. http://www.w3.org/2008/05/14-wsc-minutes.html#action20
  95. http://www.w3.org/2008/05/14-wsc-minutes.html#action10
  96. http://www.w3.org/2008/05/14-wsc-minutes.html#action23
  97. http://www.w3.org/2008/05/14-wsc-minutes.html#action25
  98. http://www.w3.org/2008/05/14-wsc-minutes.html#action19
  99. http://www.w3.org/2008/05/14-wsc-minutes.html#action15
 100. http://www.w3.org/2008/05/14-wsc-minutes.html#action01
 101. http://www.w3.org/2008/05/14-wsc-minutes.html#action06
 102. http://www.w3.org/2008/05/14-wsc-minutes.html#action08
 103. http://www.w3.org/2008/05/14-wsc-minutes.html#action02
 104. http://www.w3.org/2008/05/14-wsc-minutes.html#action14
 105. http://www.w3.org/2008/05/14-wsc-minutes.html#action21
 106. http://www.w3.org/2008/05/14-wsc-minutes.html#action11
 107. http://www.w3.org/2008/05/14-wsc-minutes.html#action26
 108. http://www.w3.org/2008/05/14-wsc-minutes.html#action16
 109. http://www.w3.org/2008/05/14-wsc-minutes.html#action22
 110. http://www.w3.org/2008/05/14-wsc-minutes.html#action07
 111. http://www.w3.org/2008/05/14-wsc-minutes.html#action03
 112. http://www.w3.org/2008/05/14-wsc-minutes.html#action04
 113. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
 114. http://dev.w3.org/cvsweb/2002/scribe/

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Friday, 6 June 2008 15:10:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 6 June 2008 15:10:31 GMT