- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 19 Dec 2007 19:55:38 +0100
- To: public-wsc-wg@w3.org

Minutes from our meeting on 2007-11-28 were approved and are available online here:

http://www.w3.org/2007/11/28-wsc-minutes.html

A text version is included below the .signature.

-- Thomas Roessler, W3C <tlr@w3.org>

[1]W3C

- DRAFT -

Web Security Context Working Group Teleconference
28 Nov 2007

[2]Agenda

See also: [3]IRC log

Attendees

Present
Bill_Doyle, Hal_Lockhart, Maritza_Johnson, Mez, MikeMc, asaldhan, bill-d, ifette, johnath, luis, rachna, schutzer, serge, stephenf, tjh, tlr, tyler, yngve, jvkrey

Regrets
Johnathan_N, Tim_H

Chair
Mez

Scribe
Serge

Contents

* [4]Agenda
  1. [5]minutes approval
  2. [6]Newly completed action items
  3. [7]Open action items
  4. [8]Agenda bashing
  5. [9]Issue-111: login form interactions
  6. [10]Issue-114: self-signed certificate changeover
* [11]Summary of Action Items
__________________________________________________________________

minutes approval

yngve: questions about the flash case
stephenF: I took it out
<tlr> <yngve> [pointed out a flash-only site with mixed content]
Mez: No other issues?
<tlr> RESOLVED: minutes approved

Newly completed action items

Mez: Newly completed action items
... thanks to Maritza, Yngve, and Hal
<asaldha1> I will be back
<tlr> ACTION-331?
<trackbot-ng> ACTION-331 -- Maritza Johnson to work toward worked example of usability testing for conformance -- due 2007-11-23 -- CLOSED
<trackbot-ng> [12]http://www.w3.org/2006/WSC/track/actions/331

Open action items

Mez: no more discussion on action items?
... we'll go through and identify next steps along with approving and reading through
ifette: I'm lazy and want a link I can double click, because although I read my email I archive it and don't want to switch away from IRC to search for that email, please help me

Agenda bashing

Mez: issue with reconfiguring primary chrome, trouble parsing potential proposal
... anything else?
<Mez> [13]http://www.w3.org/2006/WSC/track/issues/111

Issue-111: Login form interactions

Mez: ISSUE: 111, login form interactions
Mez: PII editor bar, browser components for login interactions
ifette: change the issue for less material
... I'll create a new issue
tlr: typical login interaction is more constrained than general form interaction
... maybe a more constraining behavior?
PHB2: make the web a safe place for credit cards vs. never entering them and authenticate other ways
... we should look at the second approach
... not practical for a system with a safe mode
<Mez> there's some quote about german banks in our kickoff workshop (were you there?) on iTAN
<tlr> iTan is an authorization nonce for a particular transaction that you get out of band
tlr: close to some aspects of the bar
<tlr> I'm only talking UI level for repeated interactions, not protocol level.
PHB2: cardspace solves this but isn't adopted
<serge> except that cardspace doesn't work...
<tlr> e.g., I don't want to have a text entry field activated when I hit HTTP auth
PHB2: leading a way to have more secure components as they become available
<Zakim> stephenF, you wanted to ask what auth protocol tlr means
stephenF: tlr please elaborate
tlr: we have heuristics for the form-based password case
... if we have an easily-recognized UI (maybe tied to certs), it's more difficult to login to a phishing site
stephenF: if we can give guidance, maybe w/ heuristics, we can help users with entering stuff on phishing sites
ifette: if not legitimate/unknown interaction, it's very difficult to determine legitimacy
... but others say users will become accustomed! still is #1
<stephenF> what I meant to say was more "this would be worthwhile iff it helped users not enter credentials to phishing sites"
tlr: reliance on habituation is a generic argument
serge: bigger problem is users don't understand domain names
Mez: can you, tlr, do a proposal?
tlr: <waffling>uhhhhhh....responsibility! no!!!</waffling> err, "I'll try"
<ifette> :-)
<rachna> aren't we supposed to have a discussion of PII (a walk through of the usability analysis) soon?
aww
<rachna> I thought Tyler volunteered last time
Mez: issue? action item? won't somebody please think of the children?!
<tlr> yes
Mez: I feel good about 111 next steps?
... moving on...issue 114

Issue-114: self-signed certificate changeover

<Mez> [14]http://www.w3.org/2006/WSC/track/issues/114
Mez: self signed certificate changeover
tlr: if they use a self-signed cert for a while, we trust it, but what if it changes?
... maybe a better indicator for a ca-signed?
<stephenF> section 5.3.3 maybe
tlr: I would like to listen to Ian, but not really
<tlr> [15]http://www.w3.org/2006/WSC/drafts/rec/#selfsignedcerts
<tlr> [16]http://www.w3.org/2006/WSC/drafts/rec/#errors-basic
ifette: I was aware of displaying an error, but why a ban on a click-through?
<Zakim> stephenF, you wanted to say this is just hard
stephenF: it's a hard problem, how do we distinguish?
<serge> what do we mean by a "hard error"?
Mez: I need a sequence of prototypes for these recommendations
... just a heads up, since we'll need it to close the recommendations
PHB2: this is why we need no-interaction certificates
stephenf: I disagree, many are just looking for encryption
PHB2: I agree it's not an answer to the issue, but what about embedded devices? so that's a place for a self-signed cert....
<stephenF> what's domain-validation?
PHB2: the question becomes what you get by not paying for a certificate
<stephenF> answer MUST NOT be paying is required for user interaction IMO
PHB2: everyone should give money to Verisign
stephenF: some folks of modest means need other options when there's little need to pay a CA
<stephenF> doesn't address re-install from scratch
PHB2: we should have a hierarchy
... one self-signed root per site, most folks will keep it for many years
bill-d: many intranets use self-signed certs
<stephenF> you're welcome
<serge> install the roots
ifette: install the roots
<stephenF> radio waves tunnel through tlr's head
tlr: sitting next to a wireless router, accessing by HTTPS
... after accessing it at an IP for a while, it should trust it
<stephenF> +1 to accommodating as well as we can
<serge> if it only trusts a self-signed cert after a while, it's going to confuse a lot of users.
<stephenF> don't think sub-optimal is the right phrase here
<tlr> in that case, MAY have click-through
schutzer: another aspect is what happens when certs are updated?
serge: two issues: self-signed certs, and certificate consistency
PHB2: I suggested a suboptimal user experience in certain cases, e.g. rollover, but we can eliminate that for cases where we don't want interaction
... we can do things similar to checking programs which haven't been run before, community review, etc.
<stephenF> +1 to different display
<tlr> +1 to that as well
<tlr> (it's in the current spec text, actually)
<stephenF> -1 to "how much authentication" which isn't decidable on the client
tlr: we have self-signed certificates that create a user experience the first time they're displayed
<MikeMc> Mike waves back :)
tlr: error detection when certificate, but we need some assurance that ??? (couldn't hear)
<ifette> 312 is chicagoland?
<ifette> 415 is not yet taken care of...
Mez: any proposed next steps?
<serge> I think we should argue some more
<stephenF> mean or poor or just installed a server that generates an SSC
serge: this shouldn't be about who paid more
<stephenF> +1 to SSCs aren't good here
ifette: SSCs aren't good at some things, they have problems in certain areas. People using them are already accepting these problems, I don't think we need to kill ourselves to try to fix the SSCs to be good at something they are inherently not good at.
<tlr> we don't want to end up in a situation where people are willing to pay $100 for the self-signed certificate experience....
<tlr> sidetrack
tlr: I agree, willingness to pay money doesn't translate
<serge> I'm not sure it has to
stephenF: the argument to just spend money doesn't apply here
... there are people who need SSCs
... we can do something if a new SSC turns up
<Zakim> ifette, you wanted to say if we have to dictate the override experience, or leave that to implementations
ifette: you have already agreed to problems as a trade-off of what you get vs what you can/are willing to pay for, these problems exist, and there's really not anything that we can do for some of them. We should do what we can for things like key-continuity, but when it breaks, there are known problems and that's one of the trade-offs of using a SSC.
<Mez> +1 to what can you do if you have neither a trust root nor key cont?
<tyler> The difference between a self-signed cert and a self-managed CA is just a small matter of programming.
<tyler> We could tell people to use a self-managed CA
PHB2: it's hard to provide seamless experience and prevent attacks at same time
<Zakim> serge, you wanted to bring up point again about writing down issues of contention
schutzer: follow up step: we liked EV and safe mode because there are too many kinds of certificates
... we need something that browser developers find practical to fully integrate
<stephenF> ...or it's just a v. hard problem
<serge> well, I plan on conducting a study, but it's going to be in 6+ months
tyler: this is in the safe web form proposal
<serge> I don't think we should make any recommendations without empirical evidence
tyler: let's not make recs until we test this
<maritzaj> i have to get to another meeting, bye.
ifette: no progress on the issue
<stephenF> Mez it remains an "issue" though maybe not an "ISSUE"
Mez: let's close and wait for a better idea
<ifette> I would really like to keep the issue open
tjh: we should handle this with comments
<tlr> +1 to ifette
<stephenF> +1 to ian
<ifette> It's an issue that we know about
<ifette> we don't have a solution yet, but we know it's an issue :(
<serge> we need data before recommending anything ... this is utterly silly to argue over without it
<ifette> 2008-05-31
<rachna> is anything going to happen between now and 3 months to change the discussion?
<ifette> I just don't want to lose track of it
<tlr> ACTION: tlr to request ISSUE-1144 on f2f agenda - due 2008-01-15 [recorded in [17]http://www.w3.org/2007/11/28-wsc-minutes.html#action01]
<trackbot-ng> Created ACTION-352 - request ISSUE-1144 on f2f agenda [on Thomas Roessler - due 2008-01-15].
<ifette> we didn't get to 115 either, did we?
Mez: we didn't get to 115 or the others, so for next meeting
<ifette> k

Summary of Action Items

[NEW] ACTION: tlr to request ISSUE-1144 on f2f agenda - due 2008-01-15 [recorded in [18]http://www.w3.org/2007/11/28-wsc-minutes.html#action01]

References

1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0122.html
3. http://www.w3.org/2007/11/28-wsc-irc
4. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0122.html
5. http://www.w3.org/2007/11/28-wsc-minutes.html#item01
6. http://www.w3.org/2007/11/28-wsc-minutes.html#item02
7. http://www.w3.org/2007/11/28-wsc-minutes.html#item03
8. http://www.w3.org/2007/11/28-wsc-minutes.html#item04
9. http://www.w3.org/2007/11/28-wsc-minutes.html#item05
10. http://www.w3.org/2007/11/28-wsc-minutes.html#item06
11. http://www.w3.org/2007/11/28-wsc-minutes.html#ActionSummary
12. http://www.w3.org/2006/WSC/track/actions/331
13. http://www.w3.org/2006/WSC/track/issues/111
14. http://www.w3.org/2006/WSC/track/issues/114
15. http://www.w3.org/2006/WSC/drafts/rec/#selfsignedcerts
16. http://www.w3.org/2006/WSC/drafts/rec/#errors-basic
17. http://www.w3.org/2007/11/28-wsc-minutes.html#action01
18. http://www.w3.org/2007/11/28-wsc-minutes.html#action01

-- Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 19 December 2007 18:55:53 UTC