- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 6 Feb 2007 18:34:46 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes of the WSC WG's weekly meeting on 23 January have been
approved today. They are available online here:
http://www.w3.org/2007/01/23-wsc-minutes.html
Thanks to Brad Porter for scribing.
A text/plain version is included below.
--
Thomas Roessler, W3C <tlr@w3.org>
WSC weekly
23 Jan 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
beltzner, Brad_Porter, Chuck_Wade, tlr, Tyler, staikos,
Maritza_Johnson, mez, Bill_Doyle, Hal_Lockhart, Yakov_Sverdlov,
+1.908.654.aaaa, BobPinheiro, PHB, Sunil_Agrawal, Tim_Hahn
Regrets
Chair
mez
Scribe
brad
Contents
* [4]Topics
1. [5]Pick a scribe
2. [6]Approve minutes from last meeting:
http://www.w3.org/2007/01/16-wsc-minutes
3. [7]action item review, see agenda
4. [8]Use case: Debugging
5. [9]Use case: TLSMiddleMan
6. [10]Use case: CAAcceptance
7. [11]Use case: Revisiting Past Decisions
* [12]Summary of Action Items
_________________________________________________________________
Pick a scribe
<tlr> Scribe: brad
Approve minutes from last meeting: [13]http://www.w3.org/2007/01/16-wsc-minutes
Minutes approved
<tlr> RESOLVED: minutes approved
action item review, see agenda
Action items closed
Use case: Debugging
<tlr> [14]http://www.w3.org/2006/WSC/wiki/UserDebugging
<beltzner> debugging use case:
[15]http://www.w3.org/2006/WSC/wiki/UserDebugging
Mez: Debugging use case is about making lower level security context
information available in some fashion... applicable in use cases where
someone is trying to help a user and needs lowerlevel information to assess
what is happening
... Outside of the remote debugging category, group has generally said lower
level information should not be available to user
... there are other cases such as browser evaluation where more details is
helpful
Mez: We also note that it seems outside our scope to specify how lower level
details are presented
... but we don't want to do anything that precludes it
Bob: Is there anything on the website that describes the process from use
case->recommendation
Mez: We don't have a document describing our process, W3C has a very large
document on W3C Process
TLR: Charter that describes general proceeding
... suggest for debugging use case that we take this one into the note with
a remark that this is a use case we do not want to preclude
chuck: might not want to throw this out so quickly... users do want to be
able to get some 'confirmation'
chuck: what we're talking about is not so different than clicking on the
lock icon
... is there justification for putting a button in the chrome that means 'i
want additional information and confirmation of this site and if you want
3rd-party review, click here'
... this could be very useful to users and may be something that we would
want in scope
hal: I think we should say that this information should be only "on demand"
<beltzner> bwporter: I think you're designing the ui and back-fitting the
use case; the motivation should begin with what the user wants, and I
suspect that you're actually talking about a different use case than Mez
hal: may want this data to analyze network configuration
<Tyler> Do any of the arguments made in favour of debugging information
require a consistent user interface across all web user agents? I think no.
beltzner: we're splitting this from the original use case where the user
wants help which is different from the use case where the user wants to
verify or debug
beltzner: we should focus on core and let browser vendors innovate at the
edges
chuck: this is an area where we need browsers to be consistent
... at one level this is a tool for users to gain additional confidence
... for example, my daughter was going through a credit application for a
student loan... at that point, IE7 started complaining that the cert had
been revoked
... i was at a standstill to try to figure out what was going on
... we have the debugging problem and the question -- what is the interface?
tlr: i see this use case as a 'catch-all' that we should document that we do
not want to preclude expert interface
... what i hear from chuck is a use case that is quite different from the
'catch-all' use case
... would you be willing to write up that use case?
<tlr> ACTION: chuck to document the debugging-related "positive" use case
[recorded in [16]http://www.w3.org/2007/01/23-wsc-minutes.html#action01]
<trackbot> Sorry, couldn't find user - chuck
chuck: I would be willing to write it up, i think it has some overlap with
what is already here, but it may help flesh out the different issues
<tjh> there is a difference between "expert investigation" (sometimes called
debugging) and "end user alerting"
tyler: this might fit into the non-goals section that we removed... shall i
add it back in?
<tlr> tjh, right, that's the point
mez: why don't you float it out and see if there is consensus?
... i hear some dissention about whether this is a non-goal or not
Use case: TLSMiddleMan
<tlr> [17]http://www.w3.org/2006/WSC/wiki/TLSMiddleMan
<Tyler> [18]http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM
<tlr> [19]http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM
tlr: question is what should happen if the TLS information doesn't match...
recommend that this is something we should take up in the final document
tlr: discussion on the mailing list that 'misconfigured' certificates like
this might be 'ok'
george: there are some cases where we allow a certificate to go through in a
scenario that has to do with a horribly configured server
... we should deal with this directly
... if browsers aren't consistent, people just switch browsers
mez: why would we consider certain types of security information worse than
no security information
george: we start to reduce the number of different cases... closer to
boolean
... isn't boolean today -- lockbox and dialogs today
tyler: urls set up by https are setting an expectation that the session is
going to be well configurated
brad: fail fast policy is simpler, easier for users, and cleaner to
implement
hal: believe the RFC states that you should flag an error explicitly
<tlr> ACTION: hal to dig out TLS RFC's normative language on mismatch
between cert and domain name [recorded in
[20]http://www.w3.org/2007/01/23-wsc-minutes.html#action02]
<staikos> and definitely no-one is doing that now :-)
<trackbot> Created ACTION-83 - Dig out TLS RFC\'s normative language on
mismatch between cert and domain name [on Hal Lockhart - due 2007-01-30].
<Tyler> Are we all happy with the wording of this use case in the Note?
<Mez> Are we unhappy?
phb: folks are also looking into a situation where a cert has multiple
domains listed
<tlr> Doesn't subjectAltName take care of that?
<tlr> (or whatever it's called)
<Tyler> Theres a TLS extension for handling Phil's case
phb: ssl session needs to be set up before website domain is established
mez: is there a link to something that describes this scenario?
<tlr> ACTION: Hallam-Baker to produce material on name-based virtual hosting
and TLS [recorded in
[21]http://www.w3.org/2007/01/23-wsc-minutes.html#action03]
<trackbot> Created ACTION-84 - Produce material on name-based virtual
hosting and TLS [on Phillip Hallam-Baker - due 2007-01-30].
<tjh> perhaps an example there of what certificates contain (including
wildcards) and what implications that has on systems/IP stacks, etc.
<tjh> would be good
chuck: picking up on phils point -- wildcarding has left browsers and users
in a state of confusion... may be an opportunity here
<staikos> phb: I believe that using SSL on a multi-domain host, thereby
causing domain mismatch errors would also be considered broken system
administration and an error case
mez: at a note level is there anything we want to address this?
<tjh> should we offer best practices/guidelines for web masters/hosters for
setting up certs along with their systems?
chuck: will summaries core issues
<Zakim> hal, you wanted to RFC 2818
<tlr> ACTION: chuck to summarize issues around deployment of certificates in
wildcard / virtual hosting situations [recorded in
[22]http://www.w3.org/2007/01/23-wsc-minutes.html#action04]
<trackbot> Sorry, couldn't find user - chuck
<tlr> ACTION: wade to summarize issues around deployment of certificates in
wildcard / virtual hosting situations [recorded in
[23]http://www.w3.org/2007/01/23-wsc-minutes.html#action05]
<trackbot> Sorry, couldn't find user - wade
hal: RFC 2818 describes HTTP over TLS and does discuss processing by client
<tlr> traackbot, initialize
<tlr> trackbot, initialize
<trackbot> Tracking ISSUEs and ACTIONs from
[24]http://www.w3.org/2006/WSC/Group/track/
<tlr> ACTION: wade to summarize issues around deployment of certificates in
wildcard / virtual hosting situations [recorded in
[25]http://www.w3.org/2007/01/23-wsc-minutes.html#action06]
<trackbot> Sorry, couldn't find user - wade
hal: section called "server identity" states client MUST check against URI
<tlr> ACTION: thomas to prod chuck to summarize issues around deployment of
certificates in wildcard / virtual hosting situations [recorded in
[26]http://www.w3.org/2007/01/23-wsc-minutes.html#action07]
<trackbot> Created ACTION-85 - Prod chuck to summarize issues around
deployment of certificates in wildcard / virtual hosting situations [on
Thomas Roessler - due 2007-01-30].
phb: may be in an area where we're highlighting a problem in TLS
... we do not want to use chrome to fix a problem at the TLS layer -- layer
conflict
<Chuck> Changes to TLS, or to the way that http operates over TLShal
phb: if out-of-scope for our work, we may still want to file a defect report
with the TLS working group
tlr: focus on getting material for note, and then decide whether to use the
material on the note or on a defect report
hal: just a comment that current text in TLS man-in-the-middle is very
cryptic... is this use case a hack or normal behavior?
tlr: meant to be a description of an interaction we need to consider
tyler: do we need to answer the questions in the note or just document that
these are questions we want to answer?
hal: we should take a stance on whether this is correct or incorrect
behavior
Use case: CAAcceptance
<tlr> [27]http://www.w3.org/2006/WSC/wiki/CAAcceptance
<Tyler> [28]http://www.w3.org/2006/WSC/drafts/note/Overview.html#unknown-CA
<Tyler> "Click here to continue" as the CA name
<staikos> we could give the hex bytes for the UTF-8 encoding of the O field.
Do you trust "0x ......" :-)
tlr: how should user interface look when encountering an certificate that is
not signed by a trusted authority?
hal: generally feel that given all the ways a certificate can fail we may
find that each scenario needs to fail separately
<staikos> oh boy that's a big task for KDE :-) we pop up far too many
tlr: would like to ask browser vendor representatives to look through code
and help categorize failure modes
<tlr> ACTION: staikos to document what certificate validation errors
Konqueror displays [recorded in
[29]http://www.w3.org/2007/01/23-wsc-minutes.html#action08]
<trackbot> Created ACTION-86 - Document what certificate validation errors
Konqueror displays [on George Staikos - due 2007-01-30].
tyler: second notion that each should be a separate use case
<tlr> ACTION: yngve to document what certificate validation errors Opera
displays [recorded in
[30]http://www.w3.org/2007/01/23-wsc-minutes.html#action09]
<trackbot> Created ACTION-87 - Document what certificate validation errors
Opera displays [on Yngve Pettersen - due 2007-01-30].
<Zakim> tjh, you wanted to ask if the "user agent" cannot tell a bug/config
error from an attack/threat ... do we recommend "implied deny" or "implied
permit"?
<tlr> ACTION: beltzner to document what certificate validation errors
Firefox displays [recorded in
[31]http://www.w3.org/2007/01/23-wsc-minutes.html#action10]
<trackbot> Created ACTION-88 - Document what certificate validation errors
Firefox displays [on Mike Beltzner - due 2007-01-30].
tyler: extreme scenarios, but also rare occurences
<PHB> Reply from EKR on the TLS issue: "There is an extension designed to
support name-based virtual hosting.
<PHB> See RFC 4366 S 3.1"
<Tyler> and therefore important to be presented consistently across user
agents
<tlr> ACTION: thomas to ask Rob to do the same for IE7 [recorded in
[32]http://www.w3.org/2007/01/23-wsc-minutes.html#action11]
<trackbot> Created ACTION-89 - Ask Rob to do the same for IE7 [on Thomas
Roessler - due 2007-01-30].
tjh: can user agent tell the difference between bug and configuration error?
if user agent can't tell, can the user?
... implied deny or implied permit?
<tlr> ACTION: thomas to ask Rob Franco to document what certification
verification errors IE7 displays [recorded in
[33]http://www.w3.org/2007/01/23-wsc-minutes.html#action12]
<trackbot> Created ACTION-90 - Ask Rob Franco to document what certification
verification errors IE7 displays [on Thomas Roessler - due 2007-01-30].
maritza: should there be a difference between the types of dialogs a user
sees when they're accepting for one-time or for all-time?
brad: in favor of taking a hard stance and not document every edge case
tlr: helpful to understand what the browsers are doing... result might be an
appendix saying this is what happens today
brad: agreed on knowledge-gathering, frightened by evaluating each
one-by-one in designing solutions
Use case: Revisiting Past Decisions
<Tyler>
[34]http://www.w3.org/2006/WSC/drafts/note/Overview.html#warning-lost
<beltzner> Mez: do we have details on where within the BEA HQ we're supposed
to go, btw?
<beltzner> [35]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners is
where this info should go, maybe?
<tlr> ACTION: thomas to start discussion about RevistingPastDecision on list
[recorded in [36]http://www.w3.org/2007/01/23-wsc-minutes.html#action13]
<trackbot> Created ACTION-91 - Start discussion about RevistingPastDecision
on list [on Thomas Roessler - due 2007-01-30].
<tlr> ACTION: hal to send more detailed geography info about meeting to
member-visible list [recorded in
[37]http://www.w3.org/2007/01/23-wsc-minutes.html#action14]
<trackbot> Created ACTION-92 - Send more detailed geography info about
meeting to member-visible list [on Hal Lockhart - due 2007-01-30].
<tlr> I'm collecting stuff at [38]http://www.w3.org/2006/WSC/f2f2.html
Summary of Action Items
[NEW] ACTION: beltzner to document what certificate validation errors
Firefox displays [recorded in
[39]http://www.w3.org/2007/01/23-wsc-minutes.html#action10]
[NEW] ACTION: chuck to document the debugging-related "positive" use case
[recorded in [40]http://www.w3.org/2007/01/23-wsc-minutes.html#action01]
[NEW] ACTION: chuck to summarize issues around deployment of certificates in
wildcard / virtual hosting situations [recorded in
[41]http://www.w3.org/2007/01/23-wsc-minutes.html#action04]
[NEW] ACTION: hal to dig out TLS RFC's normative language on mismatch
between cert and domain name [recorded in
[42]http://www.w3.org/2007/01/23-wsc-minutes.html#action02]
[NEW] ACTION: hal to send more detailed geography info about meeting to
member-visible list [recorded in
[43]http://www.w3.org/2007/01/23-wsc-minutes.html#action14]
[NEW] ACTION: Hallam-Baker to produce material on name-based virtual hosting
and TLS [recorded in
[44]http://www.w3.org/2007/01/23-wsc-minutes.html#action03]
[NEW] ACTION: staikos to document what certificate validation errors
Konqueror displays [recorded in
[45]http://www.w3.org/2007/01/23-wsc-minutes.html#action08]
[NEW] ACTION: thomas to ask Rob Franco to document what certification
verification errors IE7 displays [recorded in
[46]http://www.w3.org/2007/01/23-wsc-minutes.html#action12]
[NEW] ACTION: thomas to ask Rob to do the same for IE7 [recorded in
[47]http://www.w3.org/2007/01/23-wsc-minutes.html#action11]
[NEW] ACTION: thomas to prod chuck to summarize issues around deployment of
certificates in wildcard / virtual hosting situations [recorded in
[48]http://www.w3.org/2007/01/23-wsc-minutes.html#action07]
[NEW] ACTION: thomas to start discussion about RevistingPastDecision on list
[recorded in [49]http://www.w3.org/2007/01/23-wsc-minutes.html#action13]
[NEW] ACTION: wade to summarize issues around deployment of certificates in
wildcard / virtual hosting situations [recorded in
[50]http://www.w3.org/2007/01/23-wsc-minutes.html#action05]
[NEW] ACTION: wade to summarize issues around deployment of certificates in
wildcard / virtual hosting situations [recorded in
[51]http://www.w3.org/2007/01/23-wsc-minutes.html#action06]
[NEW] ACTION: yngve to document what certificate validation errors Opera
displays [recorded in
[52]http://www.w3.org/2007/01/23-wsc-minutes.html#action09]
[End of minutes]
_________________________________________________________________
Minutes formatted by David Booth's [53]scribe.perl version 1.127 ([54]CVS
log)
$Date: 2007/02/06 17:31:59 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0147.html
3. http://www.w3.org/2007/01/23-wsc-irc
4. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#agenda
5. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item01
6. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item02
7. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item03
8. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item04
9. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item05
10. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item06
11. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#item07
12. file://localhost/home/roessler/W3C/WWW/2007/01/23-wsc-minutes.html#ActionSummary
13. http://www.w3.org/2007/01/16-wsc-minutes
14. http://www.w3.org/2006/WSC/wiki/UserDebugging
15. http://www.w3.org/2006/WSC/wiki/UserDebugging
16. http://www.w3.org/2007/01/23-wsc-minutes.html#action01
17. http://www.w3.org/2006/WSC/wiki/TLSMiddleMan
18. http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM
19. http://www.w3.org/2006/WSC/drafts/note/Overview.html#MITM
20. http://www.w3.org/2007/01/23-wsc-minutes.html#action02
21. http://www.w3.org/2007/01/23-wsc-minutes.html#action03
22. http://www.w3.org/2007/01/23-wsc-minutes.html#action04
23. http://www.w3.org/2007/01/23-wsc-minutes.html#action05
24. http://www.w3.org/2006/WSC/Group/track/
25. http://www.w3.org/2007/01/23-wsc-minutes.html#action06
26. http://www.w3.org/2007/01/23-wsc-minutes.html#action07
27. http://www.w3.org/2006/WSC/wiki/CAAcceptance
28. http://www.w3.org/2006/WSC/drafts/note/Overview.html#unknown-CA
29. http://www.w3.org/2007/01/23-wsc-minutes.html#action08
30. http://www.w3.org/2007/01/23-wsc-minutes.html#action09
31. http://www.w3.org/2007/01/23-wsc-minutes.html#action10
32. http://www.w3.org/2007/01/23-wsc-minutes.html#action11
33. http://www.w3.org/2007/01/23-wsc-minutes.html#action12
34. http://www.w3.org/2006/WSC/drafts/note/Overview.html#warning-lost
35. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
36. http://www.w3.org/2007/01/23-wsc-minutes.html#action13
37. http://www.w3.org/2007/01/23-wsc-minutes.html#action14
38. http://www.w3.org/2006/WSC/f2f2.html
39. http://www.w3.org/2007/01/23-wsc-minutes.html#action10
40. http://www.w3.org/2007/01/23-wsc-minutes.html#action01
41. http://www.w3.org/2007/01/23-wsc-minutes.html#action04
42. http://www.w3.org/2007/01/23-wsc-minutes.html#action02
43. http://www.w3.org/2007/01/23-wsc-minutes.html#action14
44. http://www.w3.org/2007/01/23-wsc-minutes.html#action03
45. http://www.w3.org/2007/01/23-wsc-minutes.html#action08
46. http://www.w3.org/2007/01/23-wsc-minutes.html#action12
47. http://www.w3.org/2007/01/23-wsc-minutes.html#action11
48. http://www.w3.org/2007/01/23-wsc-minutes.html#action07
49. http://www.w3.org/2007/01/23-wsc-minutes.html#action13
50. http://www.w3.org/2007/01/23-wsc-minutes.html#action05
51. http://www.w3.org/2007/01/23-wsc-minutes.html#action06
52. http://www.w3.org/2007/01/23-wsc-minutes.html#action09
53. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
54. http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 6 February 2007 17:33:26 UTC