W3C home > Mailing lists > Public > public-wsc-wg@w3.org > September 2008

Meeting record: WSC WG weekly 2008-09-03

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 17 Sep 2008 17:06:39 +0200
To: WSC WG <public-wsc-wg@w3.org>
Message-ID: <20080917150639.GA9144@iCoaster.does-not-exist.org>

Minutes from our meeting on 2008-09-03 were approved and are
available online here:

   http://www.w3.org/2008/09/03-wsc-minutes.html

A text version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C

               Web Security Context Working Group Teleconference
                                  03 Sep 2008

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          ifette, Thomas, Bill_Doyle, jvkrey, +1.408.536.aaaa, joesteele,
          yngve, +1.312.933.aabb, PHB, anil, Tyler, +1.917.338.aacc,
          schutzerd

   Regrets
          johnath, mez

   Chair
          tlr

   Scribe
          yngve

Contents

     * [4]Topics
         1. [5]approve minutes
         2. [6]action items
         3. [7]browser security models vs indicators
         4. [8]google chrome
         5. [9]last call comments
         6. [10]CR preparation
     * [11]Summary of Action Items
     __________________________________________________________________



   <tlr> Scribe: yngve

approve minutes

   <tlr> [12]http://www.w3.org/2008/08/20-wsc-minutes.html

   <tlr> [13]http://www.w3.org/2008/08/27-wsc-minutes.html

   <joesteele> agreed!

   <tlr> RESOLUTION: minutes approved

   tlr: minutes approved

   <tlr> [14]http://www.w3.org/2002/09/wbs/35125/TPAC2008/

   tlr:Reminder: All should register for the plenary, conference hotel
   rate block expire soon

action items

   <tlr> ACTION-499 closed

   <trackbot> ACTION-499 Frame review of contnt transform guidelines
   closed

   <tlr> ACTION-505 closed

   <trackbot> ACTION-505 Propose comment re https lnk rewriting,
   client-side certs and channel bindings closed

   <tlr> ACTION-504 closed

   <trackbot> ACTION-504 Propose comment on mobileOK test; propose on list
   with 24h objection period closed

   <tlr> ACTION-500 closed

   <trackbot> ACTION-500 Inquire phb about ev cert for test environment
   closed

browser security models vs indicators

   <tlr>
   [15]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0001.html

   tyler: cross-frame security in Javascript have no concept of security
   level
   ... can allow MITM to insert controlling code by tricking user to
   accept certificate then allow all traffic to second frame go unhindered
   ... meaning that security for the second frame/tab is shown using full
   security
   ... attacker can listen in on keypresses etc. from hidden frame/tab

   joe: Is victim.com bound to two different IP addresses?

   tyler: Not necessarily, attack can be mounted at network level,
   spoofing IP addresses

   tlr: Worst case will be mixed content having low and high security
   indicators

   tyler: [In this case the] victim user is opening up the hole, for mixed
   mode the attacker does it

   tlr: so, mixed content in one frame is mixed content everywhere, which
   isn't reflected in the current work. Ouch.

   yngve: client cert authenticated connections

   yngve: client cert authenticated connections are single way for
   end-to-end auth both directions

   ... assume a server that requires client authentication ...

   ... MITM would not be able to handle that ...

   ... but can get control over a frame that is not authenticated [then
   access the authenticted frame]...

   tyler: client auth doesn't help

   yngve: [No,] it won't!

   tlr: so, we have one connection with client cert and one without. The
   one without can script the one with.

   yngve: yes

   tlr: what do we do about it?

   yngve: use security level or information in [Javascript/DOM] domain
   matching

   ... cross-server communication is more difficult to [handle with such a
   scheme] ...

   tyler: can we suggest something about that?

   tlr: can talk to HTML WG

   tyler: might be hard to introduce more changes at this point

   yngve: we (Opera) are discussing this [internally]

   ifette: propose that everything that is scriptable must share the
   weakest security indicator

   tyler: suggested something along those lines in the email
   ... browser might give warning if it sees such inconsistency in
   security level on same server

   tlr: wsc-ui already make statements about handling of different
   certificate classes for same server in short period

   tyler: can ifette's suggestion work?

   yngve: There will be a timing issue if user inspects security
   indicators as they arrive on a page, but the attacker waits until real
   action starts, [resulting in security lowered later]

   <tlr> ACTION: ifette to draft spec language about downgrading
   indicators to level of least-secure frame [recorded in
   [16]http://www.w3.org/2008/09/03-wsc-minutes.html#action01]

   <trackbot> Created ACTION-508 - Draft spec language about downgrading
   indicators to level of least-secure frame [on Ian Fette - due
   2008-09-10].

   tlr: Two actions possibilities: within WSC use Ian's suggestion and
   lower security level, and warn about such quick changes in certificates
   ... second: Suggest changes in policy in browsers, even if they have
   recently agreed on new policies?

   tyler: the authors are recommending not making finer grained "domains"

   joe: What if the two certificates [(also the one used by the
   attacker)]are *both* legitimate?

   tlr: Nothing the spec trigger on it currently, and doing so might cause
   problems
   ... Would create an incentive to only ever use a single certificate for
   a server

   tyler: We assume that CAs will not issue a certificate (AA or non-AA)
   to a non-controlling entity

   tlr: WSC-UI does not currently state that assumption

   <tlr> ACTION: tyler to draft additional security considerations about
   assumption that DV not issued wehn AA is available [recorded in
   [17]http://www.w3.org/2008/09/03-wsc-minutes.html#action02]

   <trackbot> Created ACTION-509 - Draft additional security
   considerations about assumption that DV not issued wehn AA is available
   [on Tyler Close - due 2008-09-10].

   tlr: Should update security consideration section if necessary

   tyler: Assumption in attack is that attacker can use a selfsigned
   certificate to trick user
   ... One scenario if user have pinned a certificate, will have different
   security levels for two frames
   ... second if user have not pinned a certificate

   joesteele: if the state changes, there needs to be something in the
   user's face

   tlr: should ian's action include joe's suggestion, or should joe take
   on drafting that?

   <tlr> ACTION: steele to draft "security state change needs to be in
   user's face" language [recorded in
   [18]http://www.w3.org/2008/09/03-wsc-minutes.html#action04]

   <trackbot> Created ACTION-510 - Draft \"security state change needs to
   be in user's face\" language [on Joe Steele - due 2008-09-10].

google chrome

   tlr: ifette to tell us about security UI

   ifette: No idea if Google Chrome (Browser) is compliant at present
   ... think we may be mostly compliant, but not willing to make claims
   ... goal to minimize chrome area, reduces area available to indicators

   ... for HTTPS: address bar yellow, https green, lock on RHS of address
   bar

   ... for EV, cert subject name displayed in address bar

   phb: Playing around this morning
   ... messaging problem about paypal concerning the green bar

   ifette: does not show green for EV at the moment [discussion about EV
   and green]
   ... just checks the certificate
   ... No logotypes
   ... uses padlock, no favicons in the addressbar
   ... planning stricter handling of mixed secure/unsecure content
   ... Currently turn off security indication, changes padlock to "!"-mark
   ... have advanced option to choose allow all, allow images but not
   script/CSS images overlaid by unsecure indicator, and block all mixed
   content
   ... allows "paranoids" to block, or webmasters to check for miced
   content

   tlr: how about CR testing?

   ifette: will fill in the matrix; Mez already asked

   yngve: [Considering talking to other vendors] about getting to a
   stricter mixed content policy

   ifette: that kind of policy broke many sites when testing Google Chrome

   tlr: asks ifette to ask for feedback about what spec parts will cause
   problems

   ifette: will go back and see if there was info about things that might
   break heavily

   <tlr> ACTION: ifette to fill in feature table with Google Chrome
   information, generally come back with feed-back - due 2008-09-10
   [recorded in
   [19]http://www.w3.org/2008/09/03-wsc-minutes.html#action05]

   <trackbot> Created ACTION-511 - fill in feature table with Google
   Chrome information, generally come back with feed-back [on Ian Fette -
   due 2008-09-10].

   ifette: Will also go back and check if there are other implementation
   difficulties that were not brought up during earlier dicussions

last call comments

   <tlr>
   [20]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080
   724

   <tlr>
   [21]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080
   724/2058

   <tlr> LC-2058

   tlr: propose making suggested editorial changes

   <tlr> PROPOSED: to adopt resolution of LC-2058 as outlined

   <tlr> RESOLVED: LC-2058 resolution accetped

   <tlr> LC-2055

   <tlr>
   [22]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0007.html

   <tlr>
   [23]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080
   724/2055

   tlr: reference to relaxed validation should have been removed

   <tlr> RESOLUTION: LC-2055 resolution accepted

   <joesteele> [reads LC-2059] ok -- looks fine

   <tlr> RESOLUTION: LC-2059 accepted: adopt all changes

   <tlr> ACTION: thomas to incorporate LC-2059 changes [recorded in
   [24]http://www.w3.org/2008/09/03-wsc-minutes.html#action06]

   <trackbot> Created ACTION-512 - Incorporate LC-2059 changes [on Thomas
   Roessler - due 2008-09-10].

   <tlr> LC-2088
   [25]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080
   724/2088

   tlr: Suggest that a few people read it and propose how to handle it

   tyler: was some comments about petnames, can review that

   <tlr> ACTION: tyler to propose response for petname-related parts of
   LC-2088 [recorded in
   [26]http://www.w3.org/2008/09/03-wsc-minutes.html#action07]

   <trackbot> Created ACTION-513 - Propose response for petname-related
   parts of LC-2088 [on Tyler Close - due 2008-09-10].

   <tlr>
   [27]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080
   724/2087

   <joesteele> section 6.1.2

   <tlr> "Subject logotypes derived from certificates SHOULD NOT be
   rendered, unless the certificate used is an augmented assurance
   certificate."

   joe: think it should be MUST NOT

   pbaker: think it should be MUST NOT

   ... thought we had done MUST NOT

   yngve: No problem with MUST NOT

   joe: One more comment, distinction between primary and secondary , was
   there some intention to allow display in secondary?

   phb: Not happy about displaying in secondary chrome. Don't think anyone
   would be interested in buying logotype certificates that display only
   in secondary chrome

   tlr: Maybe add language about not using non-AA logotypes in UI

   <tlr> ACTION: hallam-baker to propose change to 6.1.2 to accomodate
   "SHOULD NOT" concern for logotypes, possibly relating to overall AA
   language [recorded in
   [28]http://www.w3.org/2008/09/03-wsc-minutes.html#action09]

   <trackbot> Created ACTION-514 - Propose change to 6.1.2 to accomodate
   \"SHOULD NOT\" concern for logotypes, possibly relating to overall AA
   language [on Phillip Hallam-Baker - due 2008-09-10].

CR preparation

   <tlr> ACTION-503 closed

   <trackbot> ACTION-503 Frame discussion about interaction of navigation
   policy and security indicators closed

   <tlr> ACTION-496: no progress on Jan Vidar's side

   <trackbot> ACTION-496 Fill out the Opera column in our features at risk
   table notes added

   <tlr> ACTION-496 reassigned to Yngve

   <trackbot> ACTION-496 -- Yngve Pettersen to fill out the Opera column
   in our features at risk table -- due 2008-09-17 -- OPEN

   <trackbot> [29]http://www.w3.org/2006/WSC/track/actions/496

   <tlr> action-502?

   <trackbot> ACTION-502 -- Phillip Hallam-Baker to drive test case matrix
   for 6.12 -- due 2008-09-03 -- OPEN

   <trackbot> [30]http://www.w3.org/2006/WSC/track/actions/502

   <tlr> [31]http://www.w3.org/2006/WSC/wiki/TestCases

   phb: (action 502) some MAY cases that was hard to write testcases for
   ... not tests that says "you comply"
   ... not distinguishing between conformant not implemented and
   conformant implemented

   <tlr> ACTION-502 closed

   <trackbot> ACTION-502 drive test case matrix for 6.12 closed

   phb: test-certificate: can't get an EV certificate due to requirements,
   but may be able to get one for W3C

   tlr: Let's take talks of that offline

   <tlr> [32]http://www.w3.org/2006/WSC/wiki/TestCases

   tlr: people SHOULD read the wiki testcase node, ASAP

Summary of Action Items

   [NEW] ACTION: hallam-baker to propose change to 6.1.2 to accomodate
   "SHOULD NOT" concern for logotypes, possibly relating to overall AA
   language [recorded in
   [33]http://www.w3.org/2008/09/03-wsc-minutes.html#action09]
   [NEW] ACTION: ifette to draft spec language about downgrading
   indicators to level of least-secure frame [recorded in
   [34]http://www.w3.org/2008/09/03-wsc-minutes.html#action01]
   [NEW] ACTION: ifette to fill in feature table with Google Chrome
   information, generally come back with feed-back - due 2008-09-10
   [recorded in
   [35]http://www.w3.org/2008/09/03-wsc-minutes.html#action05]
   [NEW] ACTION: joesteele to draft "security state change needs to be in
   user's face" language [recorded in
   [36]http://www.w3.org/2008/09/03-wsc-minutes.html#action03]
   [NEW] ACTION: pbaker to propose change to 6.1.2 to accomodate "SHOULD
   NOT" concern for logotypes, possibly relating to overall AA language
   [recorded in
   [37]http://www.w3.org/2008/09/03-wsc-minutes.html#action08]
   [NEW] ACTION: steele to draft "security state change needs to be in
   user's face" language [recorded in
   [38]http://www.w3.org/2008/09/03-wsc-minutes.html#action04]
   [NEW] ACTION: thomas to incorporate LC-2059 changes [recorded in
   [39]http://www.w3.org/2008/09/03-wsc-minutes.html#action06]
   [NEW] ACTION: tyler to draft additional security considerations about
   assumption that DV not issued wehn AA is available [recorded in
   [40]http://www.w3.org/2008/09/03-wsc-minutes.html#action02]
   [NEW] ACTION: tyler to propose response for petname-related parts of
   LC-2088 [recorded in
   [41]http://www.w3.org/2008/09/03-wsc-minutes.html#action07]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [42]scribe.perl version 1.133
    ([43]CVS log)
    $Date: 2008/09/17 15:06:17 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0004.html
   3. http://www.w3.org/2008/09/03-wsc-irc
   4. http://www.w3.org/2008/09/03-wsc-minutes.html#agenda
   5. http://www.w3.org/2008/09/03-wsc-minutes.html#item01
   6. http://www.w3.org/2008/09/03-wsc-minutes.html#item02
   7. http://www.w3.org/2008/09/03-wsc-minutes.html#item03
   8. http://www.w3.org/2008/09/03-wsc-minutes.html#item04
   9. http://www.w3.org/2008/09/03-wsc-minutes.html#item05
  10. http://www.w3.org/2008/09/03-wsc-minutes.html#item06
  11. http://www.w3.org/2008/09/03-wsc-minutes.html#ActionSummary
  12. http://www.w3.org/2008/08/20-wsc-minutes.html
  13. http://www.w3.org/2008/08/27-wsc-minutes.html
  14. http://www.w3.org/2002/09/wbs/35125/TPAC2008/
  15. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0001.html
  16. http://www.w3.org/2008/09/03-wsc-minutes.html#action01
  17. http://www.w3.org/2008/09/03-wsc-minutes.html#action02
  18. http://www.w3.org/2008/09/03-wsc-minutes.html#action04
  19. http://www.w3.org/2008/09/03-wsc-minutes.html#action05
  20. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724
  21. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2058
  22. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Sep/0007.html
  23. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2055
  24. http://www.w3.org/2008/09/03-wsc-minutes.html#action06
  25. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2088
  26. http://www.w3.org/2008/09/03-wsc-minutes.html#action07
  27. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724/2087
  28. http://www.w3.org/2008/09/03-wsc-minutes.html#action09
  29. http://www.w3.org/2006/WSC/track/actions/496
  30. http://www.w3.org/2006/WSC/track/actions/502
  31. http://www.w3.org/2006/WSC/wiki/TestCases
  32. http://www.w3.org/2006/WSC/wiki/TestCases
  33. http://www.w3.org/2008/09/03-wsc-minutes.html#action09
  34. http://www.w3.org/2008/09/03-wsc-minutes.html#action01
  35. http://www.w3.org/2008/09/03-wsc-minutes.html#action05
  36. http://www.w3.org/2008/09/03-wsc-minutes.html#action03
  37. http://www.w3.org/2008/09/03-wsc-minutes.html#action08
  38. http://www.w3.org/2008/09/03-wsc-minutes.html#action04
  39. http://www.w3.org/2008/09/03-wsc-minutes.html#action06
  40. http://www.w3.org/2008/09/03-wsc-minutes.html#action02
  41. http://www.w3.org/2008/09/03-wsc-minutes.html#action07
  42. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  43. http://dev.w3.org/cvsweb/2002/scribe/

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 17 September 2008 15:07:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 17 September 2008 15:07:15 GMT