Meeting record: WSC WG weekly 2007-08-01

The minutes from our meeting on 1 August have been approved:

  http://www.w3.org/2007/08/01-wsc-minutes

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C

                     Web Security Context WG Teleconference
                                   1 Aug 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Mary Ellen Zurko, Thomas Roessler, Maritza Johnson, Rachna
          Dhamija, Ian Fette, Tim Hahn, Tyler Close, Anil Asaldhan

   Regrets
          Johnathan_N, Dan_S, Chuck, W

   Chair
          MEZ

   Scribe
          Maritza Johnson

Contents

     * [4]Topics
         1. [5]Approve minutes from last meeting
         2. [6]Action items closed due to inactivity
         3. [7]Agenda bashing
         4. [8]Update on the status of usability testing
         5. [9]wsc-usecases progress toward last call
         6. [10]Consensus and decision making
         7. [11]Primary SCI discussion
         8. [12]Next meeting - Wednesday, August 8
     * [13]Summary of Action Items
     __________________________________________________________________



   <trackbot> Date: 01 August 2007

   <ifette> Zakim, what conference is this?

   <tlr> ScribeNick: maritzaj

Approve minutes from last meeting

   [14]http://www.w3.org/2007/07/18-wsc-minutes

Action items closed due to inactivity

   mez: actions that are overdue and haven't received attention

   tlr: on action-256, let's keep it open and see if johnath will pick it
   up
   ... don't think it should be lost

   mez: won't keep it open but we can reassign
   ... anything else about closing action items?

Agenda bashing

   mez: does audian want to say anything about our process
   ... he's not on the call
   ... recap agenda
   ... anyone want to bash the agenda?

   tlr: would it be useful to talk about the structure of the rec track
   document either at the end today or next week
   ... i see overlap and i think we should merge
   ... go through the indicator themed proposals

   <tlr> mez, was that a "yes" or "no"?

Update on the status of usability testing

   <rachna>
   [15]http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut

   <Mez> yes, "so noted" is an affirmation

   Rachna: we've started to walk through the recommendations to evaluate
   them
   ... this is a work in progress
   ... we want to see if there are proposals we can test together or group
   ... we want feedback from the group or from the recommendation authors
   ... did we capture what you intended
   ... as tlr also mentioned, to do anything more detailed than what we've
   done we need lo-fi prototypes where there's interaction to be tested

   tlr: this is useful, second thing, the suggested experiments for the ev
   experience, right now it looks like the study proposes using them as a
   tool against the user
   ... another option would be to test a pop-up you are accessing a site
   with an EV cert
   ... we want to know if users trust EV certs

   <tlr> alert("You are accessing an extended validation protected site.
   You are now secure.");

   <Zakim> ifette, you wanted to discuss malware issues in indicator

   ifette: i see a lot of security indicators and i was wondering if
   malware is in-scope or out-of-scope

   <tlr> Software installation user experience is in scope. Subverted
   systems are out of scope.

   mez: see wsc-usecases for general things

   Rachna: i would say an indicator that says you're at a bad site is in
   scope

   ifette: i hope that's in scope

   mez: i haven't had time to read through this

   Rachna: we haven't had time to review each other's work, we just wanted
   to get this out

   tim: glad to see this in our wiki, haven't had a chance to get through
   it

   mez: sounds like props all around and criticism to come
   ... thanks and let me know if you need time on a call to talk about
   this

   Rachna: we need more detail on the proposals to go forward
   ... i think tlr wants to touch on this

   mez: please put in mail what the process will be for this

wsc-usecases progress toward last call

   <Mez> [16]http://www.w3.org/2006/WSC/Group/track/products/2

   mez: i think we're going good on this, we've made progress on the
   issues
   ... all but issue-25 are moving toward consensus
   ... i think that's a good state to take us to last call
   ... meaning I need to send the chair a heads up and I need a refresh on
   the process
   ... unless someone has an issue to bring up

   tlr: i'd like to hear how far the editing of the document is going

   mez: there are 6 substantive issues that don't have consensus declared

   tlr: right, i know we're close on some, has tyler had a chance to fold
   them in

   mez: tyler, could you remind us which have consensus

   tyler: i don't know

   mez: issue-6 does, issue-73 does not
   ... i give the shy and slow people a week to speak up against consensus

   tlr: is issue-76 ready?

   mez: it is

   tlr: i think issue-83 is still open?

   mez: yes

   tlr: looks like we need to resolve these issues and make the changes
   ... the meaning of last call is the group thinks we're done with the
   document
   ... or at the very least there is a document and a very clear list of
   edits

   mez: pointer?

   tlr: fundamental meaning of last call, we get comments like good job,
   then we try not to make further edits

   <Zakim> ifette, you wanted to talk about adding a use case

   ifette: looking through the use-cases, if i return to a previously
   visited site that's now on a blacklist, how is that communicated?
   ... i'd like to see a use case on that

   mez: the process for doing that is to create an issue

   <tlr> ACTION: fette to supply use case on previous interaction site
   being blacklisted - due 2007-08-03 [recorded in
   [17]http://www.w3.org/2007/08/01-wsc-minutes.html#action01]

   <trackbot> Sorry, couldn't find user - fette

   <tlr> trackbot, reload

   <tlr> ACTION: tlr to make fette supply use case on previous interaction
   site being blacklisted - due 2007-08-03 [recorded in
   [18]http://www.w3.org/2007/08/01-wsc-minutes.html#action02]

   <trackbot> Created ACTION-275 - make fette supply use case on previous
   interaction site being blacklisted [on Thomas Roessler - due
   2007-08-03].

Consensus and decision making

   mez: i found the pointers for the w3c documentation on the process, it
   was sent in email to the list

   <Mez>
   [19]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0310.html

   mez: i'm hoping anyone concerned has read this
   ... if you don't follow the process, you'll get directed there

Primary SCI discussion

   <Mez> [20]http://www.w3.org/2006/WSC/drafts/rec/#favicon

   mez: My proposal for coming to consensus on the proposals is to start
   with the ones that are available to the user during their primary
   tasks, recs that highlight something we're doing wrong seem to be a
   good start
   ... favicons seems like a good place to start
   ... we need consensus on the conformance language and a few other
   things
   ... the conformance language defines what it means to conform to the
   standard
   ... looking at the proposal, 2.1.4, one of them reflects tlr's belief
   and the other reflects what tlr thinks is Mike McCormick's
   interpretation
   ... anyone have questions before we get started?
   ... the two variants are on how we talk about where SCI is displayed
   ... I like variant 1 better
   ... let's do a straw poll on what we think is better
   ... everyone give an opinion on 2.1.4.1

   <Mez> I say good

   <tlr> sorry

   <asaldhan> I need to pass

   <asaldhan> will get back

   <tjh> good

   I like 2.1.4.1, we may have a better chance at saying where we want to
   communicate trust information than what the user expects to be under
   the control of the user agent

   <ifette> I can live with, prefer variant 2

   <asaldhan> today I am using this complex conferencing system that I
   need time to figure out how to unmute

   can live with, edging towards good

   rachna: i can live with it
   ... but it's not very defined

   tlr: i prefer variant 1
   ... i'm in the can live with part of variant 2, but strong preference
   for 1

   tyler: i can live with

   <asaldhan> I prefer variant1

   <tlr> some people were strongly objecting against variant 2 in Dublin

   <Zakim> ifette, you wanted to discuss preference for 2.1.4

   ifette -- could you put that in irc?

   <ifette> sure

   thx

   tlr: the intent of variant 1 is to abstract from saying you should not
   put favicons where people would normally look for SCI

   <ifette> My preference towards 2.1.4.2 was to protect users who are
   familiar with a particular browser, and have an expectation to find
   indicators in a specific location, I want those users to be protected
   if they switch to a different browser. However, if that is deemed to
   fall under "areas... commonly used" then I have no objection with rev.
   1

   tlr: i think the intent is to address the concern you brought up
   ... we want to address the concern without deprecating the favicon

   <Mez> rachna, I really want to hear what you were looking for in
   definitions

   <asaldhan> I prefer if browsers follow the same setup/lookup/location
   as far as security is concerned

   <Mez> will you go on queue? Or I can remember to call you when it gives
   out (but easier for me if you queue up)

   tyler: to tlr, one way to gain that is to adjust user's expectations
   for where the favicon should be used, so we can hold on to use
   ... this calls out bitmaps when it seems like we might have the same
   problem with text

   tlr: you're right about that, and we don't talk about scripts either
   ... change to visual information
   ... or something along those lines
   ... the fundamental contract is tied to visual presentation, the
   underlying requirement is SCI should be differentiated from content
   ... that point is too general to be useful
   ... want to keep this clear that it addresses favicons, but there's
   also something more general here

   mez: i like and support that temptation

   rachna: to comment on tlr?

   <tlr> ACTION: thomas to rewrite favicons material in light of call's
   discussion (try generalizing usefully) [recorded in
   [21]http://www.w3.org/2007/08/01-wsc-minutes.html#action03]

   <trackbot> Created ACTION-276 - Rewrite favicons material in light of
   call's discussion (try generalizing usefully) [on Thomas Roessler -
   due 2007-08-08].

   mez: you seemed to have a question about the terms used

   rachna: i take my point back, is it the user's interpretation of where
   trust is communicated or ours?
   ... where are the areas?
   ... are the areas where other information appears? I don't know what a
   trusted area is.

   tlr: to get compliance with this we'd need user testing, i wonder if we
   even need to step back and say what the high level idea is, then have a
   longer list of techniques/approaches that cover it

   <Zakim> Mez, you wanted to talk about doing user testing to comply

   mez: so you think user testing is scary, one of the things that came up
   at SOUPS -- will we need to specify something about conformance for our
   testing in order to get recommendations that will have a positive
   impact
   ... statements on how to do things
   ... having conformance language on how we're testing and whether or not
   it is user testing

   tlr: interesting thought.
   ... i'll put a note into the draft -- we aren't sure how you would
   implement conformance language on this

   mez: does anyone think variant 2 is stronger?

   <rachna> variant 2 is at least more specific.

   mez: let's say variant 2 will be removed

   <tlr> RESOLUTION: variant 2 dropped. Result of straw poll: 3 good, 0
   bad, 3 can live with.

   mez: we have some more conformance language on the favicon proposal
   under techniques
   ... i'm assuming anything using must, may, should in all caps is
   meaning to be conformance language

   <tlr> variant 2 is section 2.1.4.2 in r1.54 of
   [22]http://www.w3.org/2006/WSC/drafts/rec/Overview.html; resolution
   provides input to ACTION-276

   mez: let's look at 2.1.5

   <Zakim> ifette, you wanted to talk about favicon

   ifette: question -- if the browser doesn't display the favicon in the
   chrome, but wants to put it in the bookmark list, does it conform?

   <Zakim> tlr, you wanted to talk about compliance

   <tyler> [23]http://www.w3.org/2006/WSC/drafts/note/#misleading-bookmark

   tlr: the current draft, the must is used as a sufficient but necessary
   ... we should make it clear that this is one way to implement, but not
   mandatory
   ... would be a sufficient technique
   ... the MUST should be MAY

   tyler: we've had discussion about having the favicon in the bookmarks,
   in the threat tree doc, we identify getting the user to select the
   wrong site from bookmarks as a threat

   tlr: if this happens, it seems very likely i'd fall for the phish

   <ifette> ack tyler's point, but I think if you can get phishing sites
   into a user's bookmarks they're in trouble anyway

   mez: can you push a bookmark through webcontent

   tyler: you can prompt a dialog to get the user to click ok and create a
   bookmark

   tlr: if an attacker can push a bookmark, then this is an attack we
   might wish to deal with
   ... this is a trust decision

   mez: let's not lose this as a robustness practice

   <Zakim> tlr, you wanted to ask about status bar?

   tlr -- could you put that in irc, i missed it

   <tlr> tlr: mention status bar as a place where you really don't want to
   have favicons?

   thx

   <tlr> ... could think of "cool" ui metaphors that might cause trouble
   ...

   tlr: could also look into visual interaction, what is a useful visual
   separation?

   mez: time for another straw poll, consensus on the language of 2.1.5?

   <tlr> putting it on the record.... I would also like to hear about the
   "MAY" in the third one

   <tlr> +1 to these two

   <tjh> can live with - assuming Location Bar is defined in the glossary

   <Mez> good with both

   <tlr> rachna, the location bar is primary ui, the second is about
   secondary

   <ifette> can live with

   <asaldhan> live with

   <rachna> ok you are right.

   <Zakim> ifette, you wanted to discuss consistency issue between first
   two bullets re: favorite icons being suffixed with [FAVICON]

   result of straw poll: 2 good, 0 bad, 6 can live with

   mez: do we have location bar in the glossary

   <tlr> ACTION: tjh to supply definition of "location bar" and put it
   into glossary [recorded in
   [24]http://www.w3.org/2007/08/01-wsc-minutes.html#action04]

   <trackbot> Created ACTION-277 - Supply definition of "location bar"
   and put it into glossary [on Tim Hahn - due 2007-08-08].

   <rachna> why isn't bullet one phrased the same way bullet 2 is? That is
   why is the Location Bar singled out from all content used to enable
   trust decisions.

   rachna: so bullet one is about primary ui and 2 is about secondary, why
   is the first only talking about the location bar?
   ... just wondering if there's a reason

   tlr: the assumption is the users might be using different browsers
   ... first technique is still drill down the most egregious case we can
   think of
   ... and also put a stop where secondary UI is concerned
   ... specify things you really don't want to do

   mez: looks like consensus

   <tlr> argh

   tlr: have we agreed on wording on meaning?
   ... i do have an action item on the wording

   mez: adding definitions doesn't change but helps the conformance
   language
   ... i think the focus of the straw poll needs to be recorded
   ... i was going for the actual wording because the wording is important
   in conformance

   tlr: i'm going to make minor changes
   ... i don't want to have every word in concrete
   ... there are probably changes that will be made, but the intent won't
   be changed

   mez: i'm happy to do straw polls on alternative things, but they need
   to be written down so we know what we're voting on

   <tlr> PROPOSED: agree on meaning of first two techniques; editor has
   license to refine language

   mez: i downgrade to can live with
   ... i'm unclear on the meaning of doing this as a process

   <tlr> RESOLUTION: so accepted

   <tlr> rrsagent, bookmark

   mez: i think that's all the conformance language in the favicon
   proposal
   ... and we're done with the agenda items

Next meeting - Wednesday, August 8

   mez: tlr wants to talk about what we'll put in the rec track document

   tlr: IdentitySignal seems to indicate trust, identity and security, we
   should attempt to extract what's in EV, what's in Secure letterhead and
   put that up for discussion
   ... i've begun the process, but i think we should try to combine the
   various proposals and discuss the various alternative

   mez: we should give time for reading before we discuss

   tlr: i can't have it by this week

   mez: we'll discuss identitySignal
   ... we'll use whatever is there Friday morning and we can pull anything
   else into discussion

   tlr: to prepare -- is anyone thinking of any other proposals that
   should be folded in with IdentitySignal

   mez: send out mail, not everyone's on the call
   ... maritza, rachna, who's looking at PII EditorBar

   tyler: i have questions/discussion who should I talk to about this
   ... i need clarification on some things, expensive by email

   rachna: I'm hoping the expected user behavior will be agreed on

   tlr: i'm trying to figure out if i want to start identify issues or if
   i should wait

   tyler: i don't have a good idea of what comments you have in mind

   rachna: to answer your question, no we haven't looked at what will or
   will not conform

   tlr: you might want to and start trimming the edges
   ... could also be a useful exercise for evaluation

   mez: so tyler and rachna will clarify and report back

   <tlr> meeting adjourned

Summary of Action Items

   [NEW] ACTION: fette to supply use case on previous interaction site
   being blacklisted - due 2007-08-03 [recorded in
   [25]http://www.w3.org/2007/08/01-wsc-minutes.html#action01]
   [NEW] ACTION: thomas to rewrite favicons material in light of call's
   discussion (try generalizing usefully) [recorded in
   [26]http://www.w3.org/2007/08/01-wsc-minutes.html#action03]
   [NEW] ACTION: tjh to supply definition of "location bar" and put it
   into glossary [recorded in
   [27]http://www.w3.org/2007/08/01-wsc-minutes.html#action04]
   [NEW] ACTION: tlr to make fette supply use case on previous interaction
   site being blacklisted - due 2007-08-03 [recorded in
   [28]http://www.w3.org/2007/08/01-wsc-minutes.html#action02]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [29]scribe.perl version 1.128
    ([30]CVS log)
    $Date: 2007/08/13 08:22:08 $
     __________________________________________________________________


References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0361.html
   3. http://www.w3.org/2007/08/01-wsc-irc
   4. http://www.w3.org/2007/08/01-wsc-minutes.html#agenda
   5. http://www.w3.org/2007/08/01-wsc-minutes.html#item01
   6. http://www.w3.org/2007/08/01-wsc-minutes.html#item02
   7. http://www.w3.org/2007/08/01-wsc-minutes.html#item03
   8. http://www.w3.org/2007/08/01-wsc-minutes.html#item04
   9. http://www.w3.org/2007/08/01-wsc-minutes.html#item05
  10. http://www.w3.org/2007/08/01-wsc-minutes.html#item06
  11. http://www.w3.org/2007/08/01-wsc-minutes.html#item07
  12. http://www.w3.org/2007/08/01-wsc-minutes.html#item08
  13. http://www.w3.org/2007/08/01-wsc-minutes.html#ActionSummary
  14. http://www.w3.org/2007/07/18-wsc-minutes
  15. http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut
  16. http://www.w3.org/2006/WSC/Group/track/products/2
  17. http://www.w3.org/2007/08/01-wsc-minutes.html#action01
  18. http://www.w3.org/2007/08/01-wsc-minutes.html#action02
  19. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0310.html
  20. http://www.w3.org/2006/WSC/drafts/rec/#favicon
  21. http://www.w3.org/2007/08/01-wsc-minutes.html#action03
  22. http://www.w3.org/2006/WSC/drafts/rec/Overview.html
  23. http://www.w3.org/2006/WSC/drafts/note/#misleading-bookmark
  24. http://www.w3.org/2007/08/01-wsc-minutes.html#action04
  25. http://www.w3.org/2007/08/01-wsc-minutes.html#action01
  26. http://www.w3.org/2007/08/01-wsc-minutes.html#action03
  27. http://www.w3.org/2007/08/01-wsc-minutes.html#action04
  28. http://www.w3.org/2007/08/01-wsc-minutes.html#action02
  29. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
  30. http://dev.w3.org/cvsweb/2002/scribe/
  31. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/
  32. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0361.html
  33. http://www.w3.org/2007/08/01-wsc-minutes.html
  34. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm

Received on Monday, 13 August 2007 08:25:11 UTC