- From: Thomas Roessler <tlr@w3.org>
- Date: Sun, 1 Jul 2007 07:23:48 -0700
- To: public-wsc-wg@w3.org
Minutes from our meeting on 20 June were approved and are publicly
visible:
http://www.w3.org/2007/06/20-wsc-minutes
Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context WG Teleconference
20 Jun 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
MaryEllen_Zurko, Thomas, staikos, Tyler, anil, yngve,rachna,
luis, maritzaj, audian, PHB, Chuck, serge
Regrets
Tim_H, Bill_D, Bruno_vN, Shawn_D, Johnathan_N, Mike_B,
Jan_Vidar_K, Paul_H
Chair
Mez
Scribe
Anil
Contents
* [4]Topics
1. [5]Approval of minutes
2. [6]inactive action items
3. [7]Agenda bashing
4. [8]checking in on current state of document
5. [9]Recommendations sections discussion
* [10]Summary of Action Items
__________________________________________________________________
Approval of minutes
Approve meetings from last meeting
<tlr> [11]http://www.w3.org/2007/06/13-wsc-minutes
meeting minutes approved
<mezanyone has issues with the recently closed action intems
inactive action items
<tlr> MEZ: ACTION-191 probably moot
<tlr> MEZ: ACTION-216 probably taken care of, anything missing?
<mezI close some items as inactive due to no due date on them
<tlr> Tyler: ACTION-192 -- don't think I can take up another proposal
tlr: Tyler, can you tell me about the complexity of the proposal
<staikos> no
<staikos> yes
<Mez> hahahaha
anil:tlr, u r audible but can u please pen what you just asked as a
question to the group
<Mez> what was it you wre trying to say staikos?
<staikos> yes and no
<Mez> to one question or two????
tyler: can't handle the testing and ??? of two proposals
<staikos> two one :-P
<staikos> no?
tyler: would like to leave the action items for some more time and Mez
has issues with due dates not updated if the person has no time to deal
with it.
mez: action items that were inactive have been dealt with
Agenda bashing
checking in on current state of document
<Mez>
[12]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0157.html
<Mez>
[13]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals
<rachna> I do
Mez: it will be nice to know if people are planning to iterate on
proposals that are not templatized yet (not make to the 1st draft)
<tlr> RecRevisitingPastDecisions
yngve: will work on my proposal (secure page proposal) but had some
other stuff in the past 2-3 days
Mez: may send out a mail summarizing
... it is important to carry forward
... any proposals/comments for the 1st draft
Recommendations sections discussion
mez: tyler on PIIEditorBar
<Mez> [14]http://www.w3.org/2006/WSC/drafts/rec/#piieditor
<Zakim> Thomas, you wanted to ask whether shawn knows about this
tyler: abandoned the wiki version to aid Shaun and (??? and which
version are u going to use)
Mez: tyler, i would like u to lead us on the PIIEditor
<tlr> you type "+1"
tyler: anybody new to this? Can u raise hands
<Mez> I read the previous draft
<tlr> or sth like that
<tlr> I also read the previous one.
<Mez> and I was aorund for the lightening discussion
tyler: mez and tlr have read the previous drafts and others are new.
... i will walk thru. should I?
... (please fill in your details here plz)
anil: can I have the uri where tyler is discussing?
<tlr> [15]http://www.w3.org/2006/WSC/drafts/rec/#piieditor
tyler: when you come to a web site, you want to be sure about the
string that you are going to type into
<Mez> who do we have here that's pure usability? Audian, others? Any
comments on input field in the bottom of the browser chrome? (if I
understood Tyler rightly)
anil:tlr or tyler can you summarize what tyler is talking now later for
the final minutes
Mez: anybody here with UI experience?
<Mez> staikos, this is early discussion. it's the time to bring out
concerns, and what deployment experience we'd need
<tlr> tlr: strikes me as similar to some terminal-based applications;
3270 terminals in particular, but also other apps
<Mez> chat clients do have input at the bottom of the window
<staikos> safari has to statusbar
<tlr> tyler: most important part is no take data entry outside content
area
tyler: it is better to get the input area outside the content area
<Audian> safari has a cool way of 'folding down' a form field (from the
top of the page)
<Mez> I'm wondering if there are interesting interactions if you hang a
pull down onto the bottom of a window; just another thought
<staikos> that's a mac-general thing
<Mez> I recognize that thisis a nit
<staikos> for messageboxes
tyler: any Qs before I walk in thru various use cases
... 5.1.4.2 section: bootstrap scenario
<Zakim> Mez, you wanted to ask about attention keys, here and in safe
browsing and to ask about looks like searches, and to see what happens
when I put myself on queue twice
Mez: Q1: how will u motivate users to use the PII bar?
<rachna> attention sequences and safe browsing mode switches are
interesting things to test in a study. There are no studies on this.
tyler: I am trying to motivate the users to use it. They will be more
comfortable in using the PII bar to get to their bank over other
mechanisms.
<staikos> CTRL+ALT+DEL is my favorite :-P
<serge> actually, I think there have been studies on that,
<PHB2> There is testing experience, it is just not public
<serge> hang on, there's one I'm thinking of
<PHB2> And the critertia under test is not necessarily whether it
enhances security
<Mez> Phil, that's good to know, but not very helpful, unless we can
use it
<PHB2> Rather it might be whether it sells the product
tyler: I do not need an attention key such as ctrl-alt-del but rather a
key that the browser knows that the PII needs to be activated
<serge> ...looking for a URL
<staikos> I agree with PHB2
[16]http://www.w3.org/2006/WSC/drafts/rec/#piieditor
PHB2: MS has changed the attention seeking sequence (c-alt-del) in
Vista
<rachna> I am confused. Is it ok if a user types their CC# into a
spoofed PII bar (e.g., in the content of the website)?
tyler: in bootstrap mechanism, they have a choice of working with prior
set up relationships
<Mez> staikos, ctrl alt del takes me back to orange book vmm security,
so it's a bit of a nostalgia trip for me
tyler: CC# will not be entered into the PII bar but I am expecting the
PII bar to already know my CC#. A spoofed PII bar is not expected to
know my cc#
<rachna> I see. It will be interesting to test this type of safeguard.
<serge> This is what I was thinking of:
[17]http://www.courtneymoskowitz.com/chameleon.html they did some user
testing on switching between security modes
<Mez> nice; tx serge
anil:I wonder if an analogy can be drawn to cardspace
asaldhan: looks like PHB mentioned the same
<rachna> serge, can you add that ref to shared bookmarks?
<tlr> yep. I think PHB's problem can be solved elsewhere.
<staikos> tyler, it's called .Mac :-)
<Chuck> What about the problem that plagues all forms capture
tools--namely that your browser is storing lots of sensitive info along
with who you submit this info to, and this becomes a new vulnerability.
An attack on the browser (which is exposed by being the tool you use on
the Internet) can result in serious exposures of PII.
<serge> yeah, sure, I'm updating the shared bookmarks right now anyway
<PHB2> how do
tyler: Firefox and other browsers (possibly) are working on users
moving their bookmarks (and other custom information) across computers
<PHB2> how do I log into .mac without being spoofed?
<serge> I don't have the paper in front of me, so I can't really
summarize the results. The full thing is in the Usable Security book
<PHB2> If I can do that I caqn log into OpenID
<Mez> in telling us why it was interesting, you gave the summary that's
needed in sharedbookmarks
<Mez> that's all you need; the reference, and a line on why we care
<Mez> "user testing on switching between security modes" and that's an
aspect of several of our proposals
<serge> I think the book might be on my desk, I could add a bit more
<Mez> even better!
<serge> right, but the summary should probably mention the results
yngve: Do we know what type of data that is going into the pii bar?
<serge> e.g. "they found that users don't understand the different
modes"
<Mez> better to have it in with not enough data than not have it in at
all. since it can be added to later. But either way, whateve ryou can
do is good
tyler: for now, it is data strings
... most pii identifiers are recognizable by humans
<Mez> tlr, we should track those kinds of things. who we request
reviews from.
tyler: drop down of telephone number, email address etc
<serge> is there any conceivable order in the shared bookmarks? or
should I just add to the end of a relevant section?
<Mez> tlr, here is good to track things like that
<Mez> [18]http://www.w3.org/2006/WSC/wiki/RecProcess
<Mez> please add it there
<Mez> the review part, not the discussion/concern part
<rachna> serge, the shared bookmarks is getting long enough that we
should impose some order. it is hard to find what is there.
tyler: the good thing about the PII bar is that the user tells the
browser that it is ok to store this particular information
... no need for either the site or any popup to confirm
<Mez> I've had problems findng stuff in the sharedbookmarks, as you saw
in the f2f!
tyler: chuck wade 2 months ago did a study that users were using
password managers rather than typing in password on banks' websites
<rachna> is there a reference to the study that Tyler mentioned on
current use of password managers at bank websites?
tyler: it may be better to continue with Mike McCormick on this Topic
Chuck: Banks have considerable concern that they are dealing with not
humans but some robot (Pwd Manager) that has entered the password
<staikos> how do you ever solve that? Find NP-complete problems for the
user to solve in order to log in?
Chuck: There are reports of attacks at forms database in browsers.
tyler: first concern: banks want to know that password is obtained from
user action
<staikos> Even more, why attack the form database when the connection
is more weakly encrypted? At least it is in KDE.
tyler: Answer is that user chooses the information from the PII bar and
only then will that information gets into the text box on the site
<staikos> The connection is easier to capture and easier to break -> no
point in attacking the db
tyler: Concern: we are building a database of information.
... Valid concern. The DB exists on the computer but not in order. The
information will be on the browser cache.
<Mez> while I agree with a lot of what you say staikos, I've been
wondering about the "logic" of attacks lately
<staikos> If the information is in the browser cache, there are big
problems. However it definitely is in the VM somewhere
anil:(Tyler, could you please add some information on this concern
about the DB storing information)
<Mez> we've been hearing about federal concern about directed attacks
to add trap doors to products
Chuck: I just wanted to add this concern to the discussion.
<Mez> and I wonder why organized crime does that
<Zakim> Thomas, you wanted to note that there's a lot of work on forms
and that we'll have to consider the interaction
<Mez> instead of just pumping the vulnerabilities
<staikos> Mez: backdoors distribute better
<Mez> what does that mean?
tlr: have we considered relationship between this proposal and work on
xforms, xforms-transitional
<staikos> Mez, the manufacturer ships the software to all their
customers for you, and the binary isn't further modified. It can't get
any better
tlr: have we considered relationship between this proposal and work on
xforms,xforms-transitional/
<Mez> I see; longer lifetime, more even distribution
<staikos> yeah
<tlr> [19]http://www.w3.org/2007/03/XForms-Transitional/
anil:(yngve. can u please type in ur comment)
Mez: can u please get to the conformance section?
<Chuck> Actually, there are some authentication mechanisms that are
much better for "liveness" testing (in response to Yngve)
tyler: anyone having any doubts on the use cases, please post to the
list and I can answer. We need to build a consensus
<yngve> It may be impossible for the banks to find out if they are
talking to a flesh and blood human.
<Mez> Chuck, aren't those CAPTCHAs and the like?
<tlr> on captchas: [20]http://www.w3.org/TR/turingtest/
<yngve> Even CAPTCHAs are loosing ground
<tlr> Inaccessibility of CAPTCHA / Alternatives to Visual Turing Tests
on the Web / W3C Working Group Note 23 November 2005
<PHB2> CAPTCHAs are bogus:
[21]http://dotfuturemanifesto.blogspot.com/2007/06/end-of-captcha-hardl
y.html
<Chuck> Captchas are one technique, but OTP tokens are another. Also,
most biometric schemes have a strong liveness characteristic that can
be leveraged.
<serge> I have another meeting to get to. ta.
<staikos> mmmm token bundles. I'll be doing more banking at the teller
in the future I think :)
<Mez> tellers need job security too!
<staikos> Mez: they'll have to type in a captcha each day when they
arrive at work?
<staikos> or just carry a token?
<Mez> hey, they're paid to authenticate themselves :-)
<Mez> I carry my badge to work every day
<Chuck> Tyler, you may also want to include the use case where the site
owner changes, along with its name. This is not a fringe case, given
the M&A activity in the financial industy.
<tyler> Thanks Chuck I'll write that one up. The proposal does indeed
support this use case
<rachna> Tyler, I added a skeleton proposal on "Drop the URL bar"
proposal to the wiki, in case that makes it easier to fill out the
content.
<tlr> yngve, can you please put the URI into IRC?
<tyler> Rachna, it's mostly the testing and implementation work that's
scaring me off. Are you interested in that?
<yngve> phil might want to consider this in his discussion about ev
[22]http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all
-ev
<staikos> that's quite the title
<tlr> tyler, there's a reason why I said we shouldn't expect everybody
who brings up a proposal to be able to implement it.
<tlr> mez, are we expecting to meet on July 4?
<rachna> tyler, I agree with tlr.
<PHB2> I don't plan to attend on July 4
<tyler> I sure hope not
<staikos> yes they do
Summary of Action Items
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [23]scribe.perl version 1.128
([24]CVS log)
$Date: 2007/07/01 14:21:46 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0147.html
3. http://www.w3.org/2007/06/20-wsc-irc
4. http://www.w3.org/2007/06/20-wsc-minutes#agenda
5. http://www.w3.org/2007/06/20-wsc-minutes#item01
6. http://www.w3.org/2007/06/20-wsc-minutes#item02
7. http://www.w3.org/2007/06/20-wsc-minutes#item03
8. http://www.w3.org/2007/06/20-wsc-minutes#item04
9. http://www.w3.org/2007/06/20-wsc-minutes#item05
10. http://www.w3.org/2007/06/20-wsc-minutes#ActionSummary
11. http://www.w3.org/2007/06/13-wsc-minutes
12. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0157.html
13. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals
14. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
15. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
16. http://www.w3.org/2006/WSC/drafts/rec/#piieditor
17. http://www.courtneymoskowitz.com/chameleon.html
18. http://www.w3.org/2006/WSC/wiki/RecProcess
19. http://www.w3.org/2007/03/XForms-Transitional/
20. http://www.w3.org/TR/turingtest/
21. http://dotfuturemanifesto.blogspot.com/2007/06/end-of-captcha-hardly.html
22. http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev
23. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
24. http://dev.w3.org/cvsweb/2002/scribe/
Received on Sunday, 1 July 2007 14:23:52 UTC