- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 18 Jan 2007 19:56:08 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 9 January have been approved; they
are available online here:
http://www.w3.org/2007/01/09-wsc-minutes
A text/plain rendering is included below the .signature.
Thanks to Stephen Farrell for minuting.
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
WSC WG weekly
9 Jan 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
Thomas, Tyler, stephenF, Nadalin, beltzner, Maritza_Johnson,
Brad_Porter, PHB, Hal, Stuart, Rob Franco
Regrets
MEZ
Chair
Thomas
Scribe
stephenF
Contents
* [4]Topics
1. [5]convene, pick scribe, approve minutes, close actions,
announcements
2. [6]SharedUserSystem
3. [7]MultipleCertificateIdentity
4. [8]SelfSignedCertificates
5. [9]PossibleMalwareInstallation
6. [10]UserNotions
7. [11]Debugging
8. [12]UserExpectation
9. [13]missing use cases?
* [14]Summary of Action Items
_________________________________________________________________
convene, pick scribe, approve minutes, close actions, announcements
<tlr> Scribe: stephenF
<tlr> [15]http://www.w3.org/2007/01/02-wsc-minutes
tlr: minutes approval - approved
<tlr> RESOLVED: approved
<tlr>
[16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0074.html
tlr: go through action items
tlr: bunch of them closed if nothing said...
tlr: hal wanted 53,56 & 62 to be closed
<tlr> Hal asked by mail to close ACTION-56, that was done last time
tlr: 56 was done
<tlr> ACTION-53, ACTION-62 closed
<tlr> ACTION-65 closed
<Tyler> Are we speaking in hexadecimal this morning?
tlr: reminder about 0xf2f
<tlr> [17]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
tlr: reminder that usable security workshop CFP position papers are due by
jan 12
<tlr> [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0022
<tlr> [19]http://www.w3.org/2006/WSC/wiki/NoteUseCases
<tlr> [20]http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse
tlr: summarises problem (see the wiki)
<tlr> [21]http://www.w3.org/2006/WSC/wiki/NoteIndex
tlr: proposes moving to elsewhere in Note since it's less a use-case than
something else
... maybe move to "problems with current stuff" section
<tlr> silence; agreement
Tyler: should I re-draft this as a use-case?
tlr: suggests leaving in descriptive mode
SharedUserSystem
<tlr> [22]http://www.w3.org/2006/WSC/wiki/SharedUserSystem
tlr: similar to last one
... once again, move to "stuff we deal with" section
... suggests tlr
... asks hal to suggest where to put this
hal: now thinking this is a bit far-out, happy to rework
... if that's what's wanted
<Tyler> +1 on calling shared computers out of scope
tlr: maybe morph to use-case & say that it's out of scope or
... else extend out-of-scope section
<scribe> ACTION: hal to rework shared system use-case [recorded in
[23]http://www.w3.org/2007/01/09-wsc-minutes.html#action01]
<trackbot> Created ACTION-66 - Rework shared system use-case [on Hal
Lockhart - due 2007-01-16].
MultipleCertificateIdentity
Tyler: describes naming problem (e.g. re-directing etc)
... can guess, but nice if could standardise this to get
... rid of heuristic
<tlr> [24]http://www.w3.org/2006/WSC/wiki/MultipleCertificateIdentity
stephenF: bit worried about that
Tyler: explains...talking about matching on DNs as not good enough
... take root etc. into account and maybe that works
hal: practical difficulties big, CAs do different things
... might only get 30% solution, not 80%
Tyler: got 80% already!
PHB: worried also, not sure about ...
... naming vs. merges/splits etc.
... payflow? used to be vrsn now ebay
Tyler: not that level, has bank a/c with name1 for login server
... then 50 servers for transactions each with own DNS name
... but otherwise DNs are the same
... his widget spots that
PHB: not sure that's useful, his bank has no web server
... all outsourced (hopefully not to vrsn:-)
... distinction between trustworthy or not
... prefers EVS certs as a basis for ok'ing linkage
... between different PKI based credentials
tlr: hearing debate, so in-scope, but maybe we'll hit a wall
... later
Tyler: maybe I can demo
<tlr> ACTION: tyler to refine MultipleCertificateIdentity use case [recorded
in [25]http://www.w3.org/2007/01/09-wsc-minutes.html#action02]
<trackbot> Created ACTION-67 - Refine MultipleCertificateIdentity use case
[on Tyler Close - due 2007-01-16].
tlr: probably re-visit @ f2f
SelfSignedCertificates
tlr: recent note
<tlr>
[26]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0077.html
<Tyler> Stephen uses a self-signed cert for a small web site with about 10
users
<Tyler> Stephen would like some way of accurately presenting the security of
this scenario
Tyler: also had device use-case (furnace)
... furnace/DSL modem etc small device with https:// on the appliance
... is a good thing, but self-signed for cost and...
... not knowing name in advance
tlr: says in-scope so to be looked at later
<tlr> ACTION: tyler to formalize furnace self-signed use case [recorded in
[27]http://www.w3.org/2007/01/09-wsc-minutes.html#action03]
<trackbot> Created ACTION-68 - Formalize furnace self-signed use case [on
Tyler Close - due 2007-01-16].
tlr: suggests keeping these use-cases separate
Stuart: asking whether users will verify self-signed or whether
... users don't care about identity
tlr: says most interest is that it's the same as last time and
... so different from last time
stuart: says this is like ssh leap of faith
stephenF: yes it is
PHB: case to be made for encrypting by default
... doesn't want to require authentication before
... allowing crypto
... prefers using crappy certs rather than nothing
tlr: is that a new use-case?
PHB: no new use case for now
PossibleMalwareInstallation
tlr: another fresh use-case
[28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0076.html
tlr: describes use-case
... suggests privileges/sandbox aspects out of scope.
... but where browser suggests to user an action that
... might violate TCB then that may be in-scope
hal: thorny issue maybe, recent debates about
... plug-ins continue even after we agree what they
... do
... so what is malware?
tlr: agree there's philosophy here
<tlr> ... trying to frame malware as "it might subvert computing base" ...
tlr: want to keep good/bad out of discussion
... user has to allow/disallow actions that change TCB
... browser knows that it's changing TCB
... should that action/question from browser be in-scope
... or not
Tyler: are we talking about standardising some GUI so that
... browser will present something to user in this case?
tlr: trying to cover what interactions we deal with later, this is one
Rob: important scenario for users
... average users struggle about what to allow/not
... important for us to tackle
hal: can anyone make that distinction?
... even up to code inspection
Rob: in black-box, maybe there's an engine browser can load (e.g.
anti-virus)
hal: anti-phishing toolbar and spyware externally visible
... behaviour indistinguishable
tlr: what kind of information is out there and how can it be
... presented usably
... hal's question is a level too deep
hal: willing to go along to see what happens
stephenF: +1 to hal's ok
<tlr> PROPOSED: keep this use case in, as an interaction that we'll deal
with
Tyler: easy to notice that an mp3 doesn't affect tcb, whereas
... another one does
tlr: that's what I was thinking about
... proposes keeping in scope
<beltzner> I'm willing to discuss it more, but this sounds like it overlaps
if what you're saying is: "help users understand where software is coming
from?" but that seems to get into software signing
silence; agreement or snoozing
<tlr> silence
<beltzner> can we add "make hotel internet not suck" to our InScope list?
UserNotions
[29]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0067.html
but defer to later
[30]http://www.w3.org/2006/WSC/wiki/NoteUseCases
Debugging
tlr: this is on mez, suggest deferring
UserExpectation
[31]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0078
PHB: difference between following link and typing URL
... if less-secure crypto in use then don't fool user
... into thinking it secure
... unless user has typed in e.g. https:// (maybe)
tlr: asks is this a use case?
silence aka ok-for-now
<scribe> ACTION: Hallam-Baker to draft differential use cases for security
expectation vs. none [recorded in
[32]http://www.w3.org/2007/01/09-wsc-minutes.html#action06]
<trackbot> Created ACTION-69 - Draft differential use cases for security
expectation vs. none [on Phillip Hallam-Baker - due 2007-01-16].
[33]http://www.w3.org/2006/WSC/wiki/NoteUrlTypo
tlr: other use-cases need discussion (some anyway)
... any missing use-cases?
missing use cases?
tlr: what interactions are we missing?
silence; uncertainty
<beltzner> do we think IM lure is sufficiently different from email lure?
<beltzner> (I don't think it is, but in the interest of being complete ...)
<beltzner> +1 to merging them as per stuart's suggestion
Stuart: merge into out-of-band lure?
tlr: will you make this more generic?
Stuart: sure
<tlr> ACTION: Stuart to propose generalization of email lure [recorded in
[34]http://www.w3.org/2007/01/09-wsc-minutes.html#action07]
<trackbot> Created ACTION-70 - Propose generalization of email lure [on
Stuart Schechter - due 2007-01-16].
tlr: I have a list...
... MITM (or something like it) detected
... or, what to do if cert looks odd
... another: TLS server proposes a new CA
... client accepts cert, wants more info about that
... user wants to check where a link leads, via status bar
... but what happens involves scripting
<scribe> ACTION: Farrell propose history related use-case [recorded in
[35]http://www.w3.org/2007/01/09-wsc-minutes.html#action09]
<trackbot> Created ACTION-71 - Propose history related use-case [on Stephen
Farrell - due 2007-01-16].
Rob: scriptable areas in browser chrome can be used to deceive
<tlr> ACTION: roessler to track RobFranco proposing use cases to deal with
scriptable areas [recorded in
[36]http://www.w3.org/2007/01/09-wsc-minutes.html#action10]
<trackbot> Created ACTION-72 - Track RobFranco proposing use cases to deal
with scriptable areas [on Thomas Roessler - due 2007-01-16].
users, tlr will propose action
tlr: wrap-up, mez back next week, more use-case discussion then
<Tyler> A reminder to everyone to get their text in by the 11th!
tlr: hal the next scribe stuckee
hal: I love doing that
<tlr> next meeting: 16 January, Hal to scribe, MEZ to chair
tlr: text for 11th Jan for 1st draft of note, do things today
bye
<tlr> ACTION: roessler to draft MITM use case [recorded in
[37]http://www.w3.org/2007/01/09-wsc-minutes.html#action11]
<trackbot> Created ACTION-73 - Draft MITM use case [on Thomas Roessler - due
2007-01-16].
<tlr> ACTION: roessler to draft CA acceptance use case [recorded in
[38]http://www.w3.org/2007/01/09-wsc-minutes.html#action12]
<trackbot> Created ACTION-74 - Draft CA acceptance use case [on Thomas
Roessler - due 2007-01-16].
<tlr> ACTION: roessler to draft revisit security decisions use case
[recorded in [39]http://www.w3.org/2007/01/09-wsc-minutes.html#action13]
<trackbot> Created ACTION-75 - Draft revisit security decisions use case [on
Thomas Roessler - due 2007-01-16].
<tlr> ACTION: roessler to draft follow-a-link / status bar use case
[recorded in [40]http://www.w3.org/2007/01/09-wsc-minutes.html#action14]
<trackbot> Created ACTION-76 - Draft follow-a-link / status bar use case [on
Thomas Roessler - due 2007-01-16].
Summary of Action Items
[NEW] ACTION: Farrell propose history related use-case [recorded in
[41]http://www.w3.org/2007/01/09-wsc-minutes.html#action09]
[NEW] ACTION: hal to rework shared system use-case [recorded in
[42]http://www.w3.org/2007/01/09-wsc-minutes.html#action01]
[NEW] ACTION: Hallam-Baker to draft differential use cases for security
expectation vs. none [recorded in
[43]http://www.w3.org/2007/01/09-wsc-minutes.html#action06]
[NEW] ACTION: PHB to draft differential use cases for security expectation
vs. none [recorded in
[44]http://www.w3.org/2007/01/09-wsc-minutes.html#action04]
[NEW] ACTION: PHB to draft differential use cases for security expectation
vs. none [recorded in
[45]http://www.w3.org/2007/01/09-wsc-minutes.html#action05]
[NEW] ACTION: roessler to draft CA acceptance use case [recorded in
[46]http://www.w3.org/2007/01/09-wsc-minutes.html#action12]
[NEW] ACTION: roessler to draft follow-a-link / status bar use case
[recorded in [47]http://www.w3.org/2007/01/09-wsc-minutes.html#action14]
[NEW] ACTION: roessler to draft MITM use case [recorded in
[48]http://www.w3.org/2007/01/09-wsc-minutes.html#action11]
[NEW] ACTION: roessler to draft revisit security decisions use case
[recorded in [49]http://www.w3.org/2007/01/09-wsc-minutes.html#action13]
[NEW] ACTION: roessler to track RobFranco proposing use cases to deal with
scriptable areas [recorded in
[50]http://www.w3.org/2007/01/09-wsc-minutes.html#action10]
[NEW] ACTION: stephenF propose history related use-case [recorded in
[51]http://www.w3.org/2007/01/09-wsc-minutes.html#action08]
[NEW] ACTION: Stuart to propose generalization of email lure [recorded in
[52]http://www.w3.org/2007/01/09-wsc-minutes.html#action07]
[NEW] ACTION: tyler to formalize furnace self-signed use case [recorded in
[53]http://www.w3.org/2007/01/09-wsc-minutes.html#action03]
[NEW] ACTION: tyler to refine MultipleCertificateIdentity use case [recorded
in [54]http://www.w3.org/2007/01/09-wsc-minutes.html#action02]
[End of minutes]
_________________________________________________________________
Minutes formatted by David Booth's [55]scribe.perl version 1.127 ([56]CVS
log)
$Date: 2007-01-18$
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0074.html
3. http://www.w3.org/2007/01/09-wsc-irc
4. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#agenda
5. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item01
6. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item02
7. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item03
8. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item04
9. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item05
10. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item06
11. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item07
12. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item08
13. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item09
14. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#ActionSummary
15. http://www.w3.org/2007/01/02-wsc-minutes
16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0074.html
17. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0022
19. http://www.w3.org/2006/WSC/wiki/NoteUseCases
20. http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse
21. http://www.w3.org/2006/WSC/wiki/NoteIndex
22. http://www.w3.org/2006/WSC/wiki/SharedUserSystem
23. http://www.w3.org/2007/01/09-wsc-minutes.html#action01
24. http://www.w3.org/2006/WSC/wiki/MultipleCertificateIdentity
25. http://www.w3.org/2007/01/09-wsc-minutes.html#action02
26. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0077.html
27. http://www.w3.org/2007/01/09-wsc-minutes.html#action03
28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0076.html
29. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0067.html
30. http://www.w3.org/2006/WSC/wiki/NoteUseCases
31. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0078
32. http://www.w3.org/2007/01/09-wsc-minutes.html#action06
33. http://www.w3.org/2006/WSC/wiki/NoteUrlTypo
34. http://www.w3.org/2007/01/09-wsc-minutes.html#action07
35. http://www.w3.org/2007/01/09-wsc-minutes.html#action09
36. http://www.w3.org/2007/01/09-wsc-minutes.html#action10
37. http://www.w3.org/2007/01/09-wsc-minutes.html#action11
38. http://www.w3.org/2007/01/09-wsc-minutes.html#action12
39. http://www.w3.org/2007/01/09-wsc-minutes.html#action13
40. http://www.w3.org/2007/01/09-wsc-minutes.html#action14
41. http://www.w3.org/2007/01/09-wsc-minutes.html#action09
42. http://www.w3.org/2007/01/09-wsc-minutes.html#action01
43. http://www.w3.org/2007/01/09-wsc-minutes.html#action06
44. http://www.w3.org/2007/01/09-wsc-minutes.html#action04
45. http://www.w3.org/2007/01/09-wsc-minutes.html#action05
46. http://www.w3.org/2007/01/09-wsc-minutes.html#action12
47. http://www.w3.org/2007/01/09-wsc-minutes.html#action14
48. http://www.w3.org/2007/01/09-wsc-minutes.html#action11
49. http://www.w3.org/2007/01/09-wsc-minutes.html#action13
50. http://www.w3.org/2007/01/09-wsc-minutes.html#action10
51. http://www.w3.org/2007/01/09-wsc-minutes.html#action08
52. http://www.w3.org/2007/01/09-wsc-minutes.html#action07
53. http://www.w3.org/2007/01/09-wsc-minutes.html#action03
54. http://www.w3.org/2007/01/09-wsc-minutes.html#action02
55. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
56. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 18 January 2007 22:25:16 UTC