Meeting record: WSC WG weekly 2007-05-23

The minutes from our meeting on 23 May were approved:
  http://www.w3.org/2007/05/23-wsc-minutes

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>



   [1]W3C

                                   WSC Weekly
                                  23 May 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          MaryEllen_Zurko, jvkrey, Thomas, Chuck_Wade, rachna, Serge,
          Hal_Lockhart, staikos, +1.908.707.aabb, bill-d, johnath, luis,
          asaldhan, beltzner, tyler, PHB, yngve

   Regrets
          Shawn, Bruno, Rishikesh

   Chair
          MEZ

   Scribe
          jvkrey

Contents

     * [4]Topics
         1. [5]approving last meeting's minutes
         2. [6]action items
         3. [7]agenda bashing
         4. [8]lightning discussions
         5. [9]Secure Letterhead
         6. [10]robust security indicators
         7. [11]wsc-usecases update
         8. [12]f2f agenda review
     * [13]Summary of Action Items
     __________________________________________________________________

approving last meeting's minutes

   <tlr> [14]http://www.w3.org/2007/05/16-wsc-minutes

   Mez: last minutes approved

action items

   Mez: no objections?

agenda bashing

   Mez: does anyone want to change the agenda?

   <tlr> -nope-

   <PHB> trying to get here

   <tlr> [15]http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler

   <tlr> [16]http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/

   tlr: make sure the MAC address of your wireless card is in the
   questionnaire, otherwise you will not have internet access in Dublin

   <staikos> trinity is very strict about the MAC address thing

   tlr: another f2f, between Dublin and November

   <tlr> [17]http://www.w3.org/2002/09/wbs/39814/f2f3sched/

   tlr: another questionnaire about such an f2f, please answer it before
   you go to Dublin

   <rachna_> is Mike coming to Dublin or calling in?

lightning discussions

Secure Letterhead

   PHB: secure letterhead means communicating the brand to the customer
   ... if we are going to put the brand in front of the customer, it has
   to be secure and trustworthy
   ... Using EV certificates
   ... combined, secure chrome and X.509 logotype give secure letterhead
   ... There are 3 slots for logos: subject, community and issuer logos
   ... community logo allows space to extend accreditation criteria.

   bill-d: addressing many of the same issues as came up on EV

   bill-d: how to verify?

   <staikos> but no-one knows who the issuers are ;)

   PHB: Demos, don't display subject logo unless there is an issuer logo.

   <johnath> staikos: we won't help that by continuing not to show them.
   :)

   <asaldhan> can someone give me the wiki link for PHB's secure
   letterhead description

   <Mez> there is none; sorry

   <Mez> there will be one in the action item follow up :-)

   PHB: issuer's brand name will be linked to the subject logo

   <Mez> but for now, we need to listen (which can be hard, I agree,
   without any text)

   PHB: subject might not be honest, accountability for issuer

   johnath: what kind of UI is envisioned for this?

   PHB: see the secure letterhead "plugin"

   <hal> I suggest a couple of screen shots

   <Mez> +1 hal

   PHB: it is not ready for "prime time", yet
   ... if you look at IE7, to the right of the green address bar you will
   see the logo

   Chuck: what happens when you want multiple community logos ?

   <Chuck> There's the reverse situation, where the "community" would want
   to set policy for CA issuers

   <serge> So beyond spoofing chrome in picture in picture attacks, most
   users can't even tell between chrome and content

   <Zakim> johnath, you wanted to note that EV doesn't have rules for
   logotype

   johnath: logotype and EV are not specified

   <PHB2> The CABForum 1.0 guidelines do not make any statement on logos,
   it is silent

   <PHB2> It is entirely valid to issue an EV cert today

   rachna_: spoofing issues; chrome vs content

   <tlr> ACTION: Hallam-Baker to introduce Secure Letterhead item in the
   wiki - due 2007-05-30 [recorded in
   [18]http://www.w3.org/2007/05/23-wsc-minutes.html#action01]

   <trackbot> Created ACTION-220 - introduce Secure Letterhead item in the
   wiki [on Phillip Hallam-Baker - due 2007-05-30].

   <PHB2> an EV cert with letterhead

robust security indicators

   <PHB2> There is already a major application product deployed that has
   logotype functionality built in, it is not yet enabled

   <tlr> [19]http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators

   Mez: Making security indicators robust from spoofing attacks

   <PHB2> So CABForum definitely needs to address this and it was in fact
   due for discussion at the last meeting (but was not discussed)

   <staikos> uh

   <staikos> ??

   <PHB2> WRT Rachna's issue, yes icons are a very very powerful tool,
   that is why I want to use them.

   <tlr> if you still hear us, all is well, and it's just zakim confused

   <staikos> I do not

   <tlr> in that case, retry

   <PHB2> I regard a good test of the user interface to be if it is
   dangerous in that fashion.

   Mez: three issues; 1) Make it hard to guess, 2) ??, 3) how to create
   such a chrome

   <serge> It seems there are two different issues here: making the
   indicators secure from spoofing, and conveying that to users

   bill-d: what is robustness?

   Mez: robustness is something that makes something hard to spoof.
   ... techniques to not allow content to emulate security indicators

   <rachna_> I think robustness can be accomplished by 1) making
   indicators hard to predict by attackers (customization) 2) generated in
   a way only the user can generate (secure action sequence)

   <PHB2> I would like to do double-blind trials of the schemes, show a
   genuine site and a phishing site with and without the security
   indicators. The power of the indicator is determined by the extent to
   which it is relied on. If an indicator is strong it should cause people
   to trust the phishing site and the absence should cause people not to
   trust the genuine site.

   <tlr> that was the 5 min indeed

   serge: as long as the content looks good, the security indicators are
   ignored. How do we handle that?

   <rachna_> PHB: to add to your study, you also need to study the
   condition where there is an absence of indicators in the chrome and
   they are present in the webpage. This is a low cost attack that will be
   very effective.

   <PHB2> rachna: very true, in fact I would suggest that we need to
   rethink the whole issue of security usability testing. The Microsoft
   study illustrates an unfortunate fact that a study with three sample
   points seems to trump a deployment study with a few tens of millions of
   data points :-)

   rachna_: robustness and usability are separated on the f2f

   <tlr> ACTION: zurko to match RobustSecurityIndicators against other
   proposals; ensure nothing gets lost [recorded in
   [20]http://www.w3.org/2007/05/23-wsc-minutes.html#action02]

   <trackbot> Created ACTION-221 - Match RobustSecurityIndicators against
   other proposals; ensure nothing gets lost [on Mary Ellen Zurko - due
   2007-05-30].

   <tlr> ACTION-221 due June 8

wsc-usecases update

   Mez: that's it for the lightning discussions. If you want to hold one,
   please contact Mez.

   <tlr> not WS!

   tlr: we should get out an updated draft of the use case document around
   the time of the f2f

   <tlr>
   [21]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html

   Mez: how do we incorporate deadlines for the drafts?

   tlr: that's why we have last call drafts

   <Zakim> rachna, you wanted to get back to f2f agenda... is there a
   reason that we are discussing robustness and usability testing
   separately at the meeting?

   Tyler: Will have to post the current snapshot of our document by
   tomorrow, to make it by June 2

   <tlr>
   [22]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html

   Mez: can we get Thomas' changes into the document?

   Tyler: yes

   Mez: does anyone have any issues with posting the current draft?

   <tlr> RESOLUTION: publish current state of wsc-usecases as public
   working draft

   <tlr> ACTION: thomas to work with Tyler to ensure publication of
   updated draft [recorded in
   [23]http://www.w3.org/2007/05/23-wsc-minutes.html#action03]

   <trackbot> Created ACTION-222 - Work with Tyler to ensure publication
   of updated draft [on Thomas Roessler - due 2007-05-30].

   <tlr> 61# mutes

   <tlr> 60# unmutes

   <tlr> Zakim seems sick

   <staikos> no

   <staikos> oh yes you are

   <staikos> I think so

   <tlr> it's a bit better

   <tlr> mez, keep talking

   <Chuck> The problem appears to be with the bridge, perhaps due to
   varying delay due to VoIP artifacts

   <johnath> you're clear at the moment

   <johnath> (@ Mez)

   Mez: any problems with putting out the first public working draft?

   tlr: start walking through the individual recommendations at the f2f,
   this might give us better understanding of the issues at hand.

   Tyler: it is important to have good conformance recommendations.

   <Mez> it's a good point; what is it we need from a fpwd? I too have
   been assuming it's enough to start prototyping and testing

   tlr: concern; some of the proposals might not be concrete enough

   <Mez> doesn't testing come before making sure what is tested can be
   conformed to?

   <tlr> [24]http://www.w3.org/TR/UAAG/

   hal: are there models from other w3c groups for specifications of user
   interfaces?

   tlr: might be worth having a look at the usability and accessibility
   guidelines

   <rachna_> another example is previous usability tests. Some studies
   test abstract ideas (e.g., a security warning on a toolbar) rather than
   a specific implementation (e.g., the NetCraft toolbar).

   PHB: must use high level language in the recommendations. Not too many
   details

   <PHB2> ??? did we just lose sound?

   <Mez> yes

   <Mez> I can hear you

   <Mez> but it's lousy

   <Tyler> I can hear TLR

   <Mez> yeah, it's ok

   <Mez> there's a bit of tinny reverb

   <PHB2> not getting anything

   <Mez> I hear him phil

   tlr: a section for techniques on how to implement a recommendation

   <Mez> prototype creator can be confident it reflects the
   recommendation, and it's good enough to design some tests

   <tlr> Editors draft of recommendations Deadline May 14, two weeks
   before next f2f

   <Mez> tlr, please type in which parts you think have slipped already

   <Mez> which item on the timeline?

   <Mez> I don't see "close enough"

   tlr: I think we might be slipping the editor's draft of the
   recommendation

   <tlr> Editors draft of recommendations Deadline May 14, two weeks
   before next f2f

   <Mez> ah, yes, that was May 14 and we did not make that; thanks

   <Mez> When is Shawn getting out the editor's draft?

   Tyler: this week

   <Mez> by the 25th

   Mez: how do we decide whether or not to go to the first public working
   draft?

   tlr: we need to have some notion of what conformance is

   <tlr>
   [25]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html

   <tlr> ACTION: thomas to propose prioritization of rec template elements
   [recorded in
   [26]http://www.w3.org/2007/05/23-wsc-minutes.html#action04]

   <trackbot> Created ACTION-223 - Propose prioritization of rec template
   elements [on Thomas Roessler - due 2007-05-30].

   Tyler: we need a cut off date for making recommendation proposals

   <tlr> ACTION: zurko to propose cut-off date for fitting rec proposals
   into template [recorded in
   [27]http://www.w3.org/2007/05/23-wsc-minutes.html#action05]

   <trackbot> Created ACTION-224 - Propose cut-off date for fitting rec
   proposals into template [on Mary Ellen Zurko - due 2007-05-30].

   <tlr>
   [28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html

f2f agenda review

   <tlr> adjourned

Summary of Action Items

   [NEW] ACTION: Hallam-Baker to introduce Secure Letterhead item in the
   wiki - due 2007-05-30 [recorded in
   [29]http://www.w3.org/2007/05/23-wsc-minutes.html#action01]
   [NEW] ACTION: thomas to propose prioritization of rec template elements
   [recorded in
   [30]http://www.w3.org/2007/05/23-wsc-minutes.html#action04]
   [NEW] ACTION: thomas to work with Tyler to ensure publication of
   updated draft [recorded in
   [31]http://www.w3.org/2007/05/23-wsc-minutes.html#action03]
   [NEW] ACTION: zurko to match RobustSecurityIndicators against other
   proposals; ensure nothing gets lost [recorded in
   [32]http://www.w3.org/2007/05/23-wsc-minutes.html#action02]
   [NEW] ACTION: zurko to propose cut-off date for fitting rec proposals
   into template [recorded in
   [33]http://www.w3.org/2007/05/23-wsc-minutes.html#action05]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [34]scribe.perl version 1.128
    ([35]CVS log)
    $Date: 2007/06/07 23:12:33 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0110.html
   3. http://www.w3.org/2007/05/23-wsc-irc
   4. http://www.w3.org/2007/05/23-wsc-minutes#agenda
   5. http://www.w3.org/2007/05/23-wsc-minutes#item01
   6. http://www.w3.org/2007/05/23-wsc-minutes#item03
   7. http://www.w3.org/2007/05/23-wsc-minutes#item04
   8. http://www.w3.org/2007/05/23-wsc-minutes#item05
   9. http://www.w3.org/2007/05/23-wsc-minutes#item06
  10. http://www.w3.org/2007/05/23-wsc-minutes#item07
  11. http://www.w3.org/2007/05/23-wsc-minutes#item08
  12. http://www.w3.org/2007/05/23-wsc-minutes#item09
  13. http://www.w3.org/2007/05/23-wsc-minutes#ActionSummary
  14. http://www.w3.org/2007/05/16-wsc-minutes
  15. http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler
  16. http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/
  17. http://www.w3.org/2002/09/wbs/39814/f2f3sched/
  18. http://www.w3.org/2007/05/23-wsc-minutes.html#action01
  19. http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators
  20. http://www.w3.org/2007/05/23-wsc-minutes.html#action02
  21. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html
  22. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html
  23. http://www.w3.org/2007/05/23-wsc-minutes.html#action03
  24. http://www.w3.org/TR/UAAG/
  25. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html
  26. http://www.w3.org/2007/05/23-wsc-minutes.html#action04
  27. http://www.w3.org/2007/05/23-wsc-minutes.html#action05
  28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html
  29. http://www.w3.org/2007/05/23-wsc-minutes.html#action01
  30. http://www.w3.org/2007/05/23-wsc-minutes.html#action04
  31. http://www.w3.org/2007/05/23-wsc-minutes.html#action03
  32. http://www.w3.org/2007/05/23-wsc-minutes.html#action02
  33. http://www.w3.org/2007/05/23-wsc-minutes.html#action05
  34. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  35. http://dev.w3.org/cvsweb/2002/scribe/

Received on Thursday, 7 June 2007 23:13:45 UTC