- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 8 Jun 2007 01:13:36 +0200
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 23 May were approved:

http://www.w3.org/2007/05/23-wsc-minutes

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>


   [1]W3C

                          WSC Weekly

23 May 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          MaryEllen_Zurko, jvkrey, Thomas, Chuck_Wade, rachna, Serge,
          Hal_Lockhart, staikos, +1.908.707.aabb, bill-d, johnath, luis,
          asaldhan, beltzner, tyler, PHB, yngve

   Regrets
          Shawn, Bruno, Rishikesh

   Chair
          MEZ

   Scribe
          jvkrey

Contents

     * [4]Topics
         1. [5]approving last meeting's minutes
         2. [6]action items
         3. [7]agenda bashing
         4. [8]lightning discussions
         5. [9]Secure Letterhead
         6. [10]robust security indicators
         7. [11]wsc-usecases update
         8. [12]f2f agenda review
     * [13]Summary of Action Items
     __________________________________________________________________

approving last meeting's minutes

   <tlr> [14]http://www.w3.org/2007/05/16-wsc-minutes

   Mez: last minutes approved

action items

   Mez: no objections?

agenda bashing

   Mez: does anyone want to change the agenda?

   <tlr> -nope-

   <PHB> trying to get here

   <tlr> [15]http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler

   <tlr> [16]http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/

   tlr: make sure the MAC address of your wireless card is in the
   questionnaire, otherwise you will not have internet access in Dublin

   <staikos> trinity is very strict about the mac address thing

   tlr: another f2f, between Dublin and November

   <tlr> [17]http://www.w3.org/2002/09/wbs/39814/f2f3sched/

   tlr: another questionnaire about such a f2f, please answer it before
   you go to Dublin

   <rachna_> is Mike coming to Dublin or calling in?

lightning discussions

Secure Letterhead

   PHB: secure letterhead means communicating the brand to the customer
   ... if we are going to put the brand in front of the customer, it has
   to be secure and trustworthy
   ... using EV certificates
   ... combined, secure chrome, X.509 logotype gives secure letterhead
   ... there are 3 slots for logos: subject, community and issuer logos
   ... community logo allows space to extend accreditation criteria.

   bill-d: addressing many of the same issues as came up on EV

   bill-d: how to verify?

   <staikos> but no-one knows who the issuers are ;)

   PHB: demos, don't display subject logo, unless there is an issuer logo.

   <johnath> staikos: we won't help that by continuing not to show them. :)

   <asaldhan> can someone give me the wiki link for PHB's secure letter
   head description

   <Mez> there is none; sorry

   <Mez> there will be one in the action item follow up :-)

   PHB: issuer's brand name will be linked to the subject logo

   <Mez> but for now, we need to listen (which can be hard, I agree,
   without any text)

   PHB: subject might not be honest, accountability for issuer

   johnath: what kind of UI is envisioned for this?

   PHB: see the secure letterhead "plugin"

   <hal> I suggest a couple of screen shots

   <Mez> +1 hal

   PHB: it is not ready for "prime time", yet
   ... if you look at IE7, to the right of the green address bar you will
   see the logo

   Chuck: what happens when you want multiple community logos?

   <Chuck> There's the reverse situation, where the "community" would
   want to set policy for CA issuers

   <serge> So beyond spoofing chrome in picture in picture attacks, most
   users can't even tell between chrome and content

   <Zakim> johnath, you wanted to note that EV doesn't have rules for
   logotype

   johnath: logotype and EV are not specified

   <PHB2> The CABForum 1.0 guidelines do not make any statement on logos,
   it is silent

   <PHB2> It is entirely valid to issue an EV cert today

   rachna_: spoofing issues; chrome vs content

   <tlr> ACTION: Hallam-Baker to introduce Secure Letterhead item in the
   wiki - due 2007-05-30 [recorded in
   [18]http://www.w3.org/2007/05/23-wsc-minutes.html#action01]

   <trackbot> Created ACTION-220 - introduce Secure Letterhead item in
   the wiki [on Phillip Hallam-Baker - due 2007-05-30].

   <PHB2> an EV cert with letterhead

robust security indicators

   <PHB2> There is already a major application product deployed that has
   logotype functionality built in, it is not yet enabled

   <tlr> [19]http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators

   Mez: making security indicators robust from spoofing attacks

   <PHB2> So CABForum definitely needs to address this and it was in fact
   due for discussion at the last meeting (but was not discussed)

   <staikos> uh

   <staikos> ??

   <PHB2> WRT Rachna's issue, yes icons are a very very powerful tool,
   that is why I want to use them.

   <tlr> if you still hear us, all is well, and it's just zakim confused

   <staikos> I do not

   <tlr> in that case, retry

   <PHB2> I regard a good test of the user interface to be if it is
   dangerous in that fashion.

   Mez: three issues; 1) make it hard to guess, 2) ??, 3) how to create
   such a chrome

   <serge> It seems there are two different issues here: making the
   indicators secure from spoofing, and conveying that to users

   bill-d: what is robustness?

   Mez: robustness is something that can make something hard to spoof.
   ... techniques to not allow content to emulate security indicators

   <rachna_> I think robustness can be accomplished by 1) making
   indicators hard to predict by attackers (customization) 2) generated
   in a way only the user can generate (secure action sequence)

   <PHB2> I would like to do double-blind trials of the schemes, show a
   genuine site and a phishing site with and without the security
   indicators. The power of the indicator is determined by the extent to
   which it is relied on. If an indicator is strong it should cause
   people to trust the phishing site and the absence should cause people
   not to trust the genuine site.

   <tlr> those were the 5 min indeed

   serge: as long as the content looks good, the security indicators are
   ignored. How do we handle that?

   <rachna_> PHB: to add to your study, you also need to study the
   condition where there is an absence of indicators in the chrome and
   they are present in the webpage. This is a low cost attack that will
   be very effective.

   <PHB2> rachna: very true, in fact I would suggest that we need to
   rethink the whole issue of security usability testing. The Microsoft
   study illustrates an unfortunate fact that a study with three sample
   points seems to trump a deployment study with a few tens of millions
   of data points :-)

   rachna_: robustness and usability are separated on the f2f

   <tlr> ACTION: zurko to match RobustSecurityIndicators against other
   proposals; ensure nothing gets lost [recorded in
   [20]http://www.w3.org/2007/05/23-wsc-minutes.html#action02]

   <trackbot> Created ACTION-221 - Match RobustSecurityIndicators against
   other proposals; ensure nothing gets lost [on Mary Ellen Zurko - due
   2007-05-30].

   <tlr> ACTION-221 due June 8

wsc-usecases update

   Mez: that's it for the lightning discussions. If you want to hold one,
   please contact Mez.

   <tlr> not WS!

   tlr: we should get out an updated draft of the use case document
   around the time of the f2f

   <tlr> [21]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html

   Mez: how do we incorporate deadlines for the drafts?

   tlr: that's why we have last call drafts

   <Zakim> rachna, you wanted to get back to f2f agenda... is there a
   reason that we are discussing robustness and usability testing
   separately at the meeting?

   Tyler: will have to post the current snapshot of our document by
   tomorrow, to make it by June 2

   <tlr> [22]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html

   Mez: can we get Thomas' changes into the document?

   Tyler: yes

   Mez: does anyone have any issues with posting the current draft?

   <tlr> RESOLUTION: publish current state of wsc-usecases as public
   working draft

   <tlr> ACTION: thomas to work with Tyler to ensure publication of
   updated draft [recorded in
   [23]http://www.w3.org/2007/05/23-wsc-minutes.html#action03]

   <trackbot> Created ACTION-222 - Work with Tyler to ensure publication
   of updated draft [on Thomas Roessler - due 2007-05-30].

   <tlr> 61# mutes

   <tlr> 60# unmutes

   <tlr> Zakim seems sick

   <staikos> no

   <staikos> oh yes you are

   <staikos> I think so

   <tlr> it's a bit better

   <tlr> mez, keep talking

   <Chuck> The problem appears to be with the bridge, perhaps due to
   varying delay due to VoIP artifacts

   <johnath> you're clear at the moment

   <johnath> (@ Mez)

   Mez: any problems with putting out the first public working draft?

   tlr: start walking through the individual recommendations at the f2f,
   this might give us a better understanding of the issues at hand.

   Tyler: it is important to have good conformance recommendations.

   <Mez> it's a good point; what is it we need from a fpwd? I too have
   been assuming it's enough to start prototyping and testing

   tlr: concern; some of the proposals might not be concrete enough

   <Mez> doesn't testing come before making sure what is tested can be
   conformed to?

   <tlr> [24]http://www.w3.org/TR/UAAG/

   hal: are there models from other w3c groups for specifications of user
   interfaces?

   tlr: might be worth having a look at the usability and accessibility
   guidelines

   <rachna_> another example are previous usability tests. Some studies
   test abstract ideas (e.g., a security warning on a toolbar) rather
   than a specific implementation (e.g., the NetCraft toolbar).

   PHB: must use high level language in the recommendations. Not too many
   details

   <PHB2> ??? did we just lose sound?

   <Mez> yes

   <Mez> I can hear you

   <Mez> but it's lousy

   <Tyler> I can hear TLR

   <Mez> yeah, it's ok

   <Mez> there's a bit of tinny reverb

   <PHB2> not getting anything

   <Mez> I hear him phil

   tlr: a section for techniques on how to implement a recommendation

   <Mez> prototype creator can be confident it reflects the
   recommendation, and it's good enough to design some tests

   <tlr> Editors draft of recommendations Deadline May 14, two weeks
   before next f2f

   <Mez> tlr, please type in which parts you think have slipped already

   <Mez> which item on the timeline?

   <Mez> I don't see "close enough"

   tlr: I think we might be slipping the editor's draft of the
   recommendation

   <tlr> Editors draft of recommendations Deadline May 14, two weeks
   before next f2f

   <Mez> ah, yes, that was May 14 and we did not make that; thanks

   <Mez> When is Shawn getting out the editor's draft?

   Tyler: this week

   <Mez> by the 25th

   Mez: how do we decide whether or not to go to the first public working
   draft?

   tlr: we need to have some notion of what conformance is

   <tlr> [25]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html

   <tlr> ACTION: thomas to propose prioritization of rec template
   elements [recorded in
   [26]http://www.w3.org/2007/05/23-wsc-minutes.html#action04]

   <trackbot> Created ACTION-223 - Propose prioritization of rec template
   elements [on Thomas Roessler - due 2007-05-30].

   Tyler: we need a cut off date for making recommendation proposals

   <tlr> ACTION: zurko to propose cut-off date for fitting rec proposals
   into template [recorded in
   [27]http://www.w3.org/2007/05/23-wsc-minutes.html#action05]

   <trackbot> Created ACTION-224 - Propose cut-off date for fitting rec
   proposals into template [on Mary Ellen Zurko - due 2007-05-30].

   <tlr> [28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html

f2f agenda review

   <tlr> adjourned

Summary of Action Items

   [NEW] ACTION: Hallam-Baker to introduce Secure Letterhead item in the
   wiki - due 2007-05-30 [recorded in
   [29]http://www.w3.org/2007/05/23-wsc-minutes.html#action01]
   [NEW] ACTION: thomas to propose prioritization of rec template
   elements [recorded in
   [30]http://www.w3.org/2007/05/23-wsc-minutes.html#action04]
   [NEW] ACTION: thomas to work with Tyler to ensure publication of
   updated draft [recorded in
   [31]http://www.w3.org/2007/05/23-wsc-minutes.html#action03]
   [NEW] ACTION: zurko to match RobustSecurityIndicators against other
   proposals; ensure nothing gets lost [recorded in
   [32]http://www.w3.org/2007/05/23-wsc-minutes.html#action02]
   [NEW] ACTION: zurko to propose cut-off date for fitting rec proposals
   into template [recorded in
   [33]http://www.w3.org/2007/05/23-wsc-minutes.html#action05]

   [End of minutes]
     __________________________________________________________________

    Minutes formatted by David Booth's [34]scribe.perl version 1.128
    ([35]CVS log)
    $Date: 2007/06/07 23:12:33 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0110.html
   3. http://www.w3.org/2007/05/23-wsc-irc
   4. http://www.w3.org/2007/05/23-wsc-minutes#agenda
   5. http://www.w3.org/2007/05/23-wsc-minutes#item01
   6. http://www.w3.org/2007/05/23-wsc-minutes#item03
   7. http://www.w3.org/2007/05/23-wsc-minutes#item04
   8. http://www.w3.org/2007/05/23-wsc-minutes#item05
   9. http://www.w3.org/2007/05/23-wsc-minutes#item06
  10. http://www.w3.org/2007/05/23-wsc-minutes#item07
  11. http://www.w3.org/2007/05/23-wsc-minutes#item08
  12. http://www.w3.org/2007/05/23-wsc-minutes#item09
  13. http://www.w3.org/2007/05/23-wsc-minutes#ActionSummary
  14. http://www.w3.org/2007/05/16-wsc-minutes
  15. http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/handler
  16. http://www.w3.org/2002/09/wbs/39814/wscf2fdub0705/
  17. http://www.w3.org/2002/09/wbs/39814/f2f3sched/
  18. http://www.w3.org/2007/05/23-wsc-minutes.html#action01
  19. http://www.w3.org/2006/WSC/wiki/RobustSecurityIndicators
  20. http://www.w3.org/2007/05/23-wsc-minutes.html#action02
  21. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0114.html
  22. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0118.html
  23. http://www.w3.org/2007/05/23-wsc-minutes.html#action03
  24. http://www.w3.org/TR/UAAG/
  25. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0098.html
  26. http://www.w3.org/2007/05/23-wsc-minutes.html#action04
  27. http://www.w3.org/2007/05/23-wsc-minutes.html#action05
  28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007May/0050.html
  29. http://www.w3.org/2007/05/23-wsc-minutes.html#action01
  30. http://www.w3.org/2007/05/23-wsc-minutes.html#action04
  31. http://www.w3.org/2007/05/23-wsc-minutes.html#action03
  32. http://www.w3.org/2007/05/23-wsc-minutes.html#action02
  33. http://www.w3.org/2007/05/23-wsc-minutes.html#action05
  34. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  35. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 7 June 2007 23:13:45 UTC