- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 18 Jan 2007 19:56:08 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 9 January have been approved; they are available online here:

   http://www.w3.org/2007/01/09-wsc-minutes

A text/plain rendering is included below the .signature. Thanks to Stephen Farrell for minuting.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>


                              WSC WG weekly
                               9 Jan 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Thomas, Tyler, stephenF, Nadalin, beltzner, Maritza_Johnson,
          Brad_Porter, PHB, Hal, Stuart, Rob Franco

   Regrets
          MEZ

   Chair
          Thomas

   Scribe
          stephenF

Contents

     * [4]Topics
         1. [5]convene, pick scribe, approve minutes, close actions, announcements
         2. [6]SharedUserSystem
         3. [7]MultipleCertificateIdentity
         4. [8]SelfSignedCertificates
         5. [9]PossibleMalwareInstallation
         6. [10]UserNotions
         7. [11]Debugging
         8. [12]UserExpectation
         9. [13]missing use cases?
     * [14]Summary of Action Items
     _________________________________________________________________

convene, pick scribe, approve minutes, close actions, announcements

   <tlr> Scribe: stephenF

   <tlr> [15]http://www.w3.org/2007/01/02-wsc-minutes

   tlr: minutes approval - approved

   <tlr> RESOLVED: approved

   <tlr> [16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0074.html

   tlr: go through action items

   tlr: bunch of them closed if nothing said...

   tlr: hal wanted 53, 56 & 62 to be closed

   <tlr> Hal asked by mail to close ACTION-56, that was done last time

   tlr: 56 was done

   <tlr> ACTION-53, ACTION-62 closed

   <tlr> ACTION-65 closed

   <Tyler> Are we speaking in hexadecimal this morning?

   tlr: reminder about 0xf2f

   <tlr> [17]http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners

   tlr: reminder that usable security workshop CFP position papers are due by Jan 12

   <tlr> [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0022

   <tlr> [19]http://www.w3.org/2006/WSC/wiki/NoteUseCases

   <tlr> [20]http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse

   tlr: summarises problem (see the wiki)

   <tlr> [21]http://www.w3.org/2006/WSC/wiki/NoteIndex

   tlr: proposes moving to elsewhere in Note since it's less a use-case than something else
   ... maybe move to "problems with current stuff" section

   <tlr> silence; agreement

   Tyler: should I re-draft this as a use-case?

   tlr: suggests leaving in descriptive mode

SharedUserSystem

   <tlr> [22]http://www.w3.org/2006/WSC/wiki/SharedUserSystem

   tlr: similar to last one
   ... once again, move to "stuff we deal with" section
   ... suggests tlr
   ... asks hal to suggest where to put this

   hal: now thinking this is a bit far-out, happy to rework
   ... if that's what's wanted

   <Tyler> +1 on calling shared computers out of scope

   tlr: maybe morph to use-case & say that it's out of scope or
   ... else extend out-of-scope section

   <scribe> ACTION: hal to rework shared system use-case [recorded in
   [23]http://www.w3.org/2007/01/09-wsc-minutes.html#action01]

   <trackbot> Created ACTION-66 - Rework shared system use-case [on Hal
   Lockhart - due 2007-01-16].

MultipleCertificateIdentity

   Tyler: describes naming problem (e.g. re-directing etc)
   ... can guess, but nice if could standardise this to get
   ... rid of heuristic

   <tlr> [24]http://www.w3.org/2006/WSC/wiki/MultipleCertificateIdentity

   stephenF: bit worried about that

   Tyler: explains... talking about matching on DNs as not good enough
   ... take root etc. into account and maybe that works

   hal: practical difficulties big, CAs do different things
   ... might only get 30% solution, not 80%

   Tyler: got 80% already!

   PHB: worried also, not sure about ...
   ... naming vs. merges/splits etc.
   ... payflow? used to be vrsn now ebay

   Tyler: not that level, has bank a/c with name1 for login server
   ... then 50 servers for transactions each with own DNS name
   ... but otherwise DNs are the same
   ... his widget spots that

   PHB: not sure that's useful, his bank has no web server
   ... all outsourced (hopefully not to vrsn :-)
   ... distinction between trustworthy or not
   ... prefers EVS certs as a basis for ok'ing linkage
   ... between different PKI based credentials

   tlr: hearing debate, so in-scope, but maybe we'll hit a wall
   ... later

   Tyler: maybe I can demo

   <tlr> ACTION: tyler to refine MultipleCertificateIdentity use case
   [recorded in [25]http://www.w3.org/2007/01/09-wsc-minutes.html#action02]

   <trackbot> Created ACTION-67 - Refine MultipleCertificateIdentity use
   case [on Tyler Close - due 2007-01-16].

   tlr: probably re-visit @ f2f

SelfSignedCertificates

   tlr: recent note

   <tlr> [26]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0077.html

   <Tyler> Stephen uses a self-signed cert for a small web site with about 10 users

   <Tyler> Stephen would like some way of accurately presenting the security of this scenario

   Tyler: also had device use-case (furnace)
   ... furnace/DSL modem etc small device with https:// on the appliance
   ... is a good thing, but self-signed for cost and...
   ... not knowing name in advance

   tlr: says in-scope so to be looked at later

   <tlr> ACTION: tyler to formalize furnace self-signed use case [recorded
   in [27]http://www.w3.org/2007/01/09-wsc-minutes.html#action03]

   <trackbot> Created ACTION-68 - Formalize furnace self-signed use case
   [on Tyler Close - due 2007-01-16].

   tlr: suggests keeping these use-cases separate

   Stuart: asking whether users will verify self-signed or whether
   ... users don't care about identity

   tlr: says most interest is that it's the same as last time and
   ... so different from last time

   stuart: says this is like ssh leap of faith

   stephenF: yes it is

   PHB: case to be made for encrypting by default
   ... doesn't want to require authentication before
   ... allowing crypto
   ... prefers using crappy certs rather than nothing

   tlr: is that a new use-case?

   PHB: no new use case for now

PossibleMalwareInstallation

   tlr: another fresh use-case

   [28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0076.html

   tlr: describes use-case
   ... suggests privileges/sandbox aspects out of scope.
   ... but where browser suggests to user an action that
   ... might violate TCB then that may be in-scope

   hal: thorny issue maybe, recent debates about
   ... plug-ins continue even after we agree what they
   ... do
   ... so what is malware?

   tlr: agree there's philosophy here

   <tlr> ... trying to frame malware as "it might subvert computing base" ...

   tlr: want to keep good/bad out of discussion
   ... user has to allow/disallow actions that change TCB
   ... browser knows that it's changing TCB
   ... should that action/question from browser be in-scope
   ... or not

   Tyler: are we talking about standardising some GUI so that
   ... browser will present something to user in this case?

   tlr: trying to cover what interactions we deal with later, this is one

   Rob: important scenario for users
   ... average users struggle about what to allow/not
   ... important for us to tackle

   hal: can anyone make that distinction?
   ... even up to code inspection

   Rob: in black-box, maybe there's an engine browser can load (e.g. anti-virus)

   hal: anti-phishing toolbar and spyware externally visible
   ... behaviour indistinguishable

   tlr: what kind of information is out there and how can it be
   ... presented usably
   ... hal's question is a level too deep

   hal: willing to go along to see what happens

   stephenF: +1 to hal's ok

   <tlr> PROPOSED: keep this use case in, as an interaction that we'll deal with

   Tyler: easy to notice that an mp3 doesn't affect tcb, whereas
   ... another one does

   tlr: that's what I was thinking about
   ... proposes keeping in scope

   <beltzner> I'm willing to discuss it more, but this sounds like it
   overlaps if what you're saying is: "help users understand where
   software is coming from?" but that seems to get into software signing

   silence; agreement or snoozing

   <tlr> silence

   <beltzner> can we add "make hotel internet not suck" to our InScope list?

UserNotions

   [29]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0067.html

   but defer to later

   [30]http://www.w3.org/2006/WSC/wiki/NoteUseCases

Debugging

   tlr: this is on mez, suggest deferring

UserExpectation

   [31]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0078

   PHB: difference between following link and typing URL
   ... if less-secure crypto in use then don't fool user
   ... into thinking it secure
   ... unless user has typed in e.g. https:// (maybe)

   tlr: asks is this a use case?

   silence aka ok-for-now

   <scribe> ACTION: Hallam-Baker to draft differential use cases for
   security expectation vs. none [recorded in
   [32]http://www.w3.org/2007/01/09-wsc-minutes.html#action06]

   <trackbot> Created ACTION-69 - Draft differential use cases for
   security expectation vs. none [on Phillip Hallam-Baker - due
   2007-01-16].

   [33]http://www.w3.org/2006/WSC/wiki/NoteUrlTypo

   tlr: other use-cases need discussion (some anyway)
   ... any missing use-cases?

missing use cases?

   tlr: what interactions are we missing?

   silence; uncertainty

   <beltzner> do we think IM lure is sufficiently different from email lure?

   <beltzner> (I don't think it is, but in the interest of being complete ...)

   <beltzner> +1 to merging them as per stuart's suggestion

   Stuart: merge into out-of-band lure?

   tlr: will you make this more generic?

   Stuart: sure

   <tlr> ACTION: Stuart to propose generalization of email lure [recorded
   in [34]http://www.w3.org/2007/01/09-wsc-minutes.html#action07]

   <trackbot> Created ACTION-70 - Propose generalization of email lure
   [on Stuart Schechter - due 2007-01-16].

   tlr: I have a list...
   ... MITM (or something like it) detected
   ... or, what to do if cert looks odd
   ... another: TLS server proposes a new CA
   ... client accepts cert, wants more info about that
   ... user wants to check where a link leads, via status bar
   ... but what happens involves scripting

   <scribe> ACTION: Farrell propose history related use-case [recorded in
   [35]http://www.w3.org/2007/01/09-wsc-minutes.html#action09]

   <trackbot> Created ACTION-71 - Propose history related use-case [on
   Stephen Farrell - due 2007-01-16].

   Rob: scriptable areas in browser chrome can be used to deceive

   <tlr> ACTION: roessler to track RobFranco proposing use cases to deal
   with scriptable areas [recorded in
   [36]http://www.w3.org/2007/01/09-wsc-minutes.html#action10]

   <trackbot> Created ACTION-72 - Track RobFranco proposing use cases to
   deal with scriptable areas [on Thomas Roessler - due 2007-01-16].

   users, tlr will propose action

   tlr: wrap-up, mez back next week, more use-case discussion then

   <Tyler> A reminder to everyone to get their text in by the 11th!

   tlr: hal the next scribe stuckee

   hal: I love doing that

   <tlr> next meeting: 16 January, Hal to scribe, MEZ to chair

   tlr: text for 11th Jan for 1st draft of note, do things today

   bye

   <tlr> ACTION: roessler to draft MITM use case [recorded in
   [37]http://www.w3.org/2007/01/09-wsc-minutes.html#action11]

   <trackbot> Created ACTION-73 - Draft MITM use case [on Thomas Roessler
   - due 2007-01-16].

   <tlr> ACTION: roessler to draft CA acceptance use case [recorded in
   [38]http://www.w3.org/2007/01/09-wsc-minutes.html#action12]

   <trackbot> Created ACTION-74 - Draft CA acceptance use case [on Thomas
   Roessler - due 2007-01-16].

   <tlr> ACTION: roessler to draft revisit security decisions use case
   [recorded in [39]http://www.w3.org/2007/01/09-wsc-minutes.html#action13]

   <trackbot> Created ACTION-75 - Draft revisit security decisions use
   case [on Thomas Roessler - due 2007-01-16].

   <tlr> ACTION: roessler to draft follow-a-link / status bar use case
   [recorded in [40]http://www.w3.org/2007/01/09-wsc-minutes.html#action14]

   <trackbot> Created ACTION-76 - Draft follow-a-link / status bar use
   case [on Thomas Roessler - due 2007-01-16].
Summary of Action Items

   [NEW] ACTION: Farrell propose history related use-case [recorded in
   [41]http://www.w3.org/2007/01/09-wsc-minutes.html#action09]
   [NEW] ACTION: hal to rework shared system use-case [recorded in
   [42]http://www.w3.org/2007/01/09-wsc-minutes.html#action01]
   [NEW] ACTION: Hallam-Baker to draft differential use cases for
   security expectation vs. none [recorded in
   [43]http://www.w3.org/2007/01/09-wsc-minutes.html#action06]
   [NEW] ACTION: PHB to draft differential use cases for security
   expectation vs. none [recorded in
   [44]http://www.w3.org/2007/01/09-wsc-minutes.html#action04]
   [NEW] ACTION: PHB to draft differential use cases for security
   expectation vs. none [recorded in
   [45]http://www.w3.org/2007/01/09-wsc-minutes.html#action05]
   [NEW] ACTION: roessler to draft CA acceptance use case [recorded in
   [46]http://www.w3.org/2007/01/09-wsc-minutes.html#action12]
   [NEW] ACTION: roessler to draft follow-a-link / status bar use case
   [recorded in [47]http://www.w3.org/2007/01/09-wsc-minutes.html#action14]
   [NEW] ACTION: roessler to draft MITM use case [recorded in
   [48]http://www.w3.org/2007/01/09-wsc-minutes.html#action11]
   [NEW] ACTION: roessler to draft revisit security decisions use case
   [recorded in [49]http://www.w3.org/2007/01/09-wsc-minutes.html#action13]
   [NEW] ACTION: roessler to track RobFranco proposing use cases to deal
   with scriptable areas [recorded in
   [50]http://www.w3.org/2007/01/09-wsc-minutes.html#action10]
   [NEW] ACTION: stephenF propose history related use-case [recorded in
   [51]http://www.w3.org/2007/01/09-wsc-minutes.html#action08]
   [NEW] ACTION: Stuart to propose generalization of email lure [recorded
   in [52]http://www.w3.org/2007/01/09-wsc-minutes.html#action07]
   [NEW] ACTION: tyler to formalize furnace self-signed use case [recorded
   in [53]http://www.w3.org/2007/01/09-wsc-minutes.html#action03]
   [NEW] ACTION: tyler to refine MultipleCertificateIdentity use case
   [recorded in [54]http://www.w3.org/2007/01/09-wsc-minutes.html#action02]

   [End of minutes]
     _________________________________________________________________

    Minutes formatted by David Booth's [55]scribe.perl version 1.127
    ([56]CVS log)
    $Date: 2007-01-18$

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0074.html
   3. http://www.w3.org/2007/01/09-wsc-irc
   4. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#agenda
   5. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item01
   6. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item02
   7. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item03
   8. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item04
   9. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item05
  10. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item06
  11. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item07
  12. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item08
  13. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#item09
  14. file://localhost/home/roessler/W3C/WWW/2007/01/09-wsc-minutes.html#ActionSummary
  15. http://www.w3.org/2007/01/02-wsc-minutes
  16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0074.html
  17. http://www.w3.org/2006/WSC/wiki/MeetingTaxisAndDinners
  18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0022
  19. http://www.w3.org/2006/WSC/wiki/NoteUseCases
  20. http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse
  21. http://www.w3.org/2006/WSC/wiki/NoteIndex
  22. http://www.w3.org/2006/WSC/wiki/SharedUserSystem
  23. http://www.w3.org/2007/01/09-wsc-minutes.html#action01
  24. http://www.w3.org/2006/WSC/wiki/MultipleCertificateIdentity
  25. http://www.w3.org/2007/01/09-wsc-minutes.html#action02
  26. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0077.html
  27. http://www.w3.org/2007/01/09-wsc-minutes.html#action03
  28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0076.html
  29. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0067.html
  30. http://www.w3.org/2006/WSC/wiki/NoteUseCases
  31. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jan/0078
  32. http://www.w3.org/2007/01/09-wsc-minutes.html#action06
  33. http://www.w3.org/2006/WSC/wiki/NoteUrlTypo
  34. http://www.w3.org/2007/01/09-wsc-minutes.html#action07
  35. http://www.w3.org/2007/01/09-wsc-minutes.html#action09
  36. http://www.w3.org/2007/01/09-wsc-minutes.html#action10
  37. http://www.w3.org/2007/01/09-wsc-minutes.html#action11
  38. http://www.w3.org/2007/01/09-wsc-minutes.html#action12
  39. http://www.w3.org/2007/01/09-wsc-minutes.html#action13
  40. http://www.w3.org/2007/01/09-wsc-minutes.html#action14
  41. http://www.w3.org/2007/01/09-wsc-minutes.html#action09
  42. http://www.w3.org/2007/01/09-wsc-minutes.html#action01
  43. http://www.w3.org/2007/01/09-wsc-minutes.html#action06
  44. http://www.w3.org/2007/01/09-wsc-minutes.html#action04
  45. http://www.w3.org/2007/01/09-wsc-minutes.html#action05
  46. http://www.w3.org/2007/01/09-wsc-minutes.html#action12
  47. http://www.w3.org/2007/01/09-wsc-minutes.html#action14
  48. http://www.w3.org/2007/01/09-wsc-minutes.html#action11
  49. http://www.w3.org/2007/01/09-wsc-minutes.html#action13
  50. http://www.w3.org/2007/01/09-wsc-minutes.html#action10
  51. http://www.w3.org/2007/01/09-wsc-minutes.html#action08
  52. http://www.w3.org/2007/01/09-wsc-minutes.html#action07
  53. http://www.w3.org/2007/01/09-wsc-minutes.html#action03
  54. http://www.w3.org/2007/01/09-wsc-minutes.html#action02
  55. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
  56. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 18 January 2007 22:25:16 UTC