Agenda: WSC WG distributed meeting, Wednesday, 2008-03-26

        Web Security Context (WSC) Call Agenda

Calling information:
Wednesday, 26 March 2008
11:00 am - 12:30 pm Eastern time
http://www.w3.org/2006/WSC/Group/#meetings
http://www.w3.org/Guide/1998/08/teleconference-calendar#D20080305


Agenda

1) Pick a scribe 
http://www.w3.org/2006/WSC/Group/cheatsheet#Scribing
http://www.w3.org/2006/WSC/scribes

2) Approve minutes from meetings
http://www.w3.org/2008/03/19-wsc-minutes.html

3) Weekly completed action items
(Usually checkpointed Friday am, US East Coast time) 
[pending review] ACTION-387: Phillip Hallam-Baker to Write replacement 
text for 5.1.3 - due 2008-02-13
[pending review] ACTION-388: Thomas Roessler to Update definition of 5.1.4 
- due 2008-03-14
[pending review] ACTION-391: Tyler Close to Extract out petnames content, 
provide definition independent of section 7 - due 2008-02-22
[pending review] ACTION-393: Thomas Roessler to Draft replacement text for 
section 9.1 (trust indicators in content) - due 2008-03-14
[pending review] ACTION-396: Thomas Roessler to Work with tyler to get 
wsc-usecases published as note - due 2008-03-05
[pending review] ACTION-399: Ian Fette to Try to craft some text that 
revolves around weak/strong signalling - due 2008-03-05
[pending review] ACTION-405: Thomas Roessler to Get johnath to clarify 
applicability and description of crossing chrome-content border, or find 
other volunteer - due 2008-03-26
[pending review] ACTION-408: Thomas Roessler to Merge ACTION-399 result 
and Mez's framework for TLS indicator. 

4) Open Action Items
http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0133.html

5) Action items closed due to inactivity 
[pending review] ACTION-345: Maritza Johnson to Begin designing lo-fi user 
study for Browser Lockdown - due 2008-02-28

6) Agenda bashing

7) Get a version of 6.1 ready for LC-June 
http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#IdentitySignal
http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0051.html
The current rewrite took care of a number of issues raised. Here are the 
remaining ones with my suggestions on polls for resolutions: 

7.1) The recommendation currently takes up screen real estate indicating 
lack of an identity (which will be a common state): 
User interactions to access this identity signal MUST be consistent across 
all Web interactions facilitated by the user agent, including interactions 
during which the Web user agent has no trustworthy information about the 
[[identity]] of the Web site that a user interacts with. In this case, 
user agents MUST indicate that no information is available.
Poll - 
a) leave as is
b) substitute SHOULDs for both MUSTs
c) remove 

7.2) Allow for more understandable identity signals than DNS name
During interactions with a TLS-secured Web page for which the top-level 
resource has been retrieved through a strongly TLS-protected interaction 
that involves a validated certificate (including an augmented assurance 
certificate), the following applies:
The identity signal MUST include an applicable DNS name retrieved from the 
subject's Common Name attribute or from a subjectAltName extension.
Poll - 
a) leave as is
b) change to SHOULD
c) MUST for AA; SHOULD for validated certs in general 
d) remove

7.3) Contention on logotypes (current uptake). 
For AA certs, currently say:
For Web user agents that use a visual user interface capable of displaying 
bitmap graphics the identity signal [[MAY | SHOULD]] include display of a 
suitable logotype, selected according to the rules in 5.1.5 Logotype 
Certificates.
Poll - 
a) SHOULD
b) MAY
c) remove

7.4) ISSUE-137 
http://www.w3.org/2006/WSC/track/issues/137
Poll - 
a) accept proposal
b) reject proposal

7.5) ISSUE-138
http://www.w3.org/2006/WSC/track/issues/138
The identity signal MUST include the Issuer field's Organization attribute 
MUST be displayed as part of the identity signal to inform the user about 
the party responsible for that information.
Poll -
a) leave as is
b) SHOULD
c) MAY

7.6) Internal inconsistency on logotype displays, as called out in 
comments.
In 6.1.2:
Logotypes derived from certificates SHOULD NOT be rendered, unless the 
certificate used is an augmented assurance certificate.
In 5.1.5: 
Otherwise, when the logotype information is derived from a validated 
certificate, then the issuer logotype MUST be rendered, if present.
Poll -
a) remove the line from 5.1.5
b) remove the line from 6.1.2
c) remove both 

8) Next meeting - 02 April 2008
Continue through the ISSUES on the text for LC June

The April 9 meeting will be cancelled, as both Thomas and I are at RSA. 

Received on Tuesday, 25 March 2008 11:58:27 UTC