- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 22 Jun 2007 20:35:48 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes were approved and are public: http://www.w3.org/2007/06/13-wsc-minutes

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

[1]W3C

WSC WG weekly

13 Jun 2007

[2]Agenda

See also: [3]IRC log

Attendees

Present
  MaryEllen_Zurko, Thomas, jvkrey, rachna, luis, Bill_Doyle, shawn, stephenF, Chuck_Wade, dan.schutzer, johnath, PHB, audian, maritzaj, tyler, serge, Hal_Lockhart, yngve, anil
Regrets
  beltzner
Chair
  MEZ
Scribe
  luis, tlr

Contents

* [4]Topics
  1. [5]approving minutes
  2. [6]Last Meeting's minutes
  3. [7]newly completed action items
  4. [8]agenda bashing
  5. [9]status update on EV certificates
  6. [10]conformance and rec drafting
* [11]Summary of Action Items

__________________________________________________________________

Last Meeting's minutes

mez: minutes approved
<tlr> [12]http://www.w3.org/2007/05/30-wsc-minutes
<tlr> [13]http://www.w3.org/2007/05/31-wsc-minutes
mez: action items
<tlr> [14]http://www.w3.org/2007/06/06-wsc-minutes

newly completed action items

mez: referring to closed action items due to inactivity
<asaldhan> that was Anil from JBoss/RedHat
tlr: Action 199 - possible recommendation material
<Mez> slow down thomas
<Mez> as did I
<Mez> miss what you said
<tlr> ACTION-199
<Mez> go slow; your phone connection is fuzzy
<Mez> consider irc backup :-)
tlr: Chuck Wade had the action
... extracting recommendations on authentication
dan: giving some contributions
<tlr> ACTION: schutzer to revisit section 3 of BMA study results [recorded in [15]http://www.w3.org/2007/06/13-wsc-minutes.html#action01]
<trackbot> Created ACTION-261 - Revisit section 3 of BMA study results [on Daniel Schutzer - due 2007-06-20].
dan: he has the appendix and will send it out
<Chuck> I have no "violent" disagreement. Thanks, Dan.
tlr: asking about conformance section

agenda bashing

tlr: potential for demonstrations. Audian?
audian: i have the infrastructure but have to consider payment
... I need to make an estimation and then come back
mez: moving discussion to email space
... on agenda recommendations, security protocols
... update on EV certs
... Thomas wonders about the URLs he put out
tlr: Two parts are there. we are lagging behind
mez: we are still on agenda bashing
... conformance discussions are also needed

status update on EV certificates

<Mez> [16]http://www.w3.org/2006/WSC/wiki/EV
johnath: EV certs.
<tlr> it is
<tlr> he sounds better than you
<johnath> [17]http://www.w3.org/2006/WSC/wiki/EV
johnath: rehashing history
... 1st question. why EV?
... old system didn't work. CA creating different degrees of validation
... too much vendor favoritism. CA couldn't explain charging high prices
... some roots were misbehaving
... root stores started with Netscape
... Netscape was (?) affected by liability
... Some CA had more rigorous practices
... many browser vendors are supporting EV guidelines
... including major ones
... guidelines for considering business entities
... EV doesn't address identity issues
... EV creates a higher bar
<PHB2> not necessarily!
johnath: EV is real and is here. Support will be given to those endorsing EV
<PHB2> The EV experience means that people will know that it's a VeriSign certificate, so they may recognize services we offer over and above the minimum requirements of EV
johnath: EV will be supported by major UA browsers
<PHB2> What EV means is that there should not be any null CAs issuing EV certs with no effective accountability checks whatsoever
<serge> And how many users know exactly what Verisign does?
johnath: many will be tempted to see the EV buzz as panacea, but it's not and there are issues to work on
<PHB2> How much will we invest in telling them?
mez: any comments?
chuck: EV is useful. Does EV clean up other cert-related standards
... other cert standards have also come along.
<stephenF> s/cleaning standards/complying to standards/ ?
johnath: yes, EV does gather previous cert proposals
... guidelines refer to OCSP, CRL
... on logotypes - it says nothing on validation
... which is next thing to tackle
PHB: nothing affects logotype.
... wants to see the follow-up
... user interaction with the browser
... need authentication for better co-signing
mez: let's avoid discussing here cabforum's future work
PHB: who is the trust provider?
<Mez> just want to keep us on topics of immediate interest and utility to wg
PHB: issuing suspicious certs damages the brand
... accountability for cert issuers
serge: on logotypes
... previous CAs
... most users don't deal with these companies
... don't recognize the logos
... users trust logos that look like previously seen ones
... but don't understand what they actually mean
mez: let's not fall deep into logotype discussions
<serge> [18]http://portal.acm.org/citation.cfm?id=953510
<tlr> ACTION: serge to share study on effectiveness of trust seals in SharedBookmarks [recorded in [19]http://www.w3.org/2007/06/13-wsc-minutes.html#action02]
<trackbot> Created ACTION-262 - Share study on effectiveness of trust seals in SharedBookmarks [on Serge Egelman - due 2007-06-20].
<Zakim> johnath, you wanted to reply to PHB about who verifies an identity
mez: ACM link above requires subscription .-(
<Mez> we'll have full ev and logotype discussions around the actual proposals at some near future meeting
<Mez> ack dan.schutzer
johnath: refer to identity recommendations he put
dan: who is entitled to the logotype?
johnath: move the discussion to cabforum
chuck: following up dan's comment. the logotype should be displayed in the security part
... there is some relevance to this group

conformance and rec drafting

tlr: updated template on proposals.
<Chuck> The important point is that the "community" logotype needs to be displayed in a secure manner (whatever that means)
tlr: an example is available too
<Mez> the template is at
<Mez> [20]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
tlr: Question? conformance can be done on secure page, e.g.
... Is there something more we need to do?
... by the end of this week
<johnath> tlr is cutting out for me for a couple seconds at a time
... (some words are dropped on the line)
<sduffy> me too
... requesting feedback
<Audian> I was able to hear thomas just fine
... proposals needed for conformance sections
mez: clarifying thomas' request
<Audian> but i wasn't listening
<tlr> audian, tsk
tlr: great if all can work on the wiki
... check in real time and speak up
<Mez> [21]http://www.w3.org/2006/WSC/drafts/rec/#certerr
mez: next item is: Security Protocol Error Presentation
... can any one walk through the proposal?
mez: Michael McCormick couldn't make it for this meeting
stephenF: can we make recommendation without seeing prototype suggestions?
<Audian> i'm leaving irc, but will attempt to stay on the call (elvis is kinda leaving the building)
stephenF: .... it can be too early
mez: can you clarify?
stephenF: we need to see proofs of concept before recommendations
... doubt that they are all possible
mez: all dialogs have more than one button
... do you want an example?
stephenF: recommendations need to be backed up by experimentations
tlr: rephrasing ...
johnath: supporting stephenF
... we should have a notion on how these recommendations could be implemented
... difficult to qualify implementation based on recommendations
... they are too broad
<yngve> I have discussed some aspects of this in my article [22]http://my.opera.com/yngve/blog/show.dml/461932
<Zakim> stephenF, you wanted to say that it's not just conformance, but existence proof
mez: the conformance draft may be public before reaching internal consensus
stephenF: concern is that disagreeing on recommendations that can't be done in practice
... for example PKI. There are thousands of risks that mean nothing to the user
... we are missing abstractions that can make sense to the user. But it's not obvious
chuck: I use many browsers and find many SSL/certs problems
... and every browser handles problems in its own way, own jargon, own UI...
... some cleanup, rational options, are needed
<stephenF> +1 to cleanup (if it means develop an abstraction users might get)
... this group can be effective in getting this across
yngve: how to explain to the user? ...
<Chuck> Apologies, I've just had to "step out" to help a client with a critical problem.
yngve: e.g. unknown certs... like in real life when someone makes a strong statement that is difficult to verify
... a client can't just shut down a connection. The question is what criteria the browser can use
<tlr> that ties in with Stephen Farrell's action to look at the SSL behavior
yngve: but the user can't make that criteria either
... cases when user knows where he wants to go but no one can help her
PHB: there is no need to display all those errors
... e.g. instead be silent and take the user to the site but with no security indicators
<Mez> an affordance to "correct the problem" if it's something the user can deal with, such as accepting a new cert, is the only hole I see in phil's point
<stephenF> The abstraction that means something to the user need not be the same as the abstraction of the protocol errors
tlr: I hear two proposals and a bunch of ideas
... one proposal is on certification
... becomes a non-normative chapter in the recommendations
... the other proposal is on interaction for non-trusted sites
... what conditions should trigger errors and what not
... collecting what has been said and consolidating
... what's been said by yngve, stephenF, PHB
... I suggest all three draft a proposal
<stephenF> me
stephenF: seems reasonable. but someone from the user side is needed
<tlr> ScribeNick: tlr
stephen: sounds reasonable to do protocol stuff first
<luis> (got to leave now - bye)
stephen: think action item is due in two weeks ..
MEZ: Stephen, please verify in tracker
yngve: replying to phil about what browsers should do
... opera not showing padlock on mixed security
<Mez> [23]http://www.w3.org/2006/WSC/Group/track/users can be used by everyone to see their open action items
yngve: do not show padlock if there's OCSP trouble ...
<stephenF> action 240 on me is due 20070626
mez: looking forward to seeing Yngve's proposal in conformance language
tlr: think it is in conformance language, or close to
yngve: ?!
mez: robust discussion around bullet items
... fading away ...
... seem to have a lot of pieces we have together ...
... any other comments on 3.4 proposals ...
<stephenF> I don't understand the last one
mez: "do not refer to destination URL for assistance"
... that's the "contact the site administrator" type of advice
<stephenF> ok with that - admins never help anyway :-)
tlr: (a) abstract: don't ask people to override security decision to make that very decision.
... (b) concrete: don't suggest contacting the site that you are trying to contact right now
yngve: suggest something like "please contact webmaster by e-mail at ......"
... not sure how broadly used that one is
... mandating webmaster might be good idea ...
tlr: postmaster@ has been tried, it has failed ...
... also, out-of-band contact is pretty much the same as (b) above ...
yngve: any other method we can mandate for such communication?
mez: new protocol stuff?
yngve: probably
mez: CHI and whoever in SharedBookmarks
<stephenF> gotta go now folks, (might be travelling next week btw) bye
<yngve> perhaps [24]http://server/contactform ?
mez: broadness of use cases?
tlr: reflect level of abstraction that is here
... think this supports putting these things into general, non-normative part of document ...
mez: on 3.7 ...
<Mez> [25]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
tyler: bothered that template doesn't star any of the material that we worked on in the note
... would kind of like to go back to old template ...
... current template seems not focused on enabling testing ...
... seems to be driving toward language that we can put into our final recommendations ...
... isn't that jumping the gun on the process ...
... if you agree that the purpose of the first document is to have something to build consensus about ...
tlr: point of template is precisely to take first stab at core idea -- what is it that should be done universally?
tyler: umh, lost the thread
mez: would like to hear from others as well
... one thing is that nobody who knows about usability testing had any comments about 3.7 ...
... personal opinion: all parts of the template will be necessary to actually understand any particular part of the proposal ...
... since we don't care about time line ...
... seems like right thing is to make all the sections required ...
... at least take a stab at them ...
... but don't require people to put in things that are meaningless / stupid ...
... would be happy to rip off asterisks ...
<Mez> it's a pause
<Mez> while we see if anyone else has an opinion
schutzer: use new template, take stab at everything, but use judgment?
mez: would be hard to see how something that goes toward a standard could not have conformance language.
<Mez> [26]http://www.w3.org/2006/WSC/drafts/rec/#certerr
tyler: which one had the use case section irrelevant?
mez: we were going through the cert error part
... I think I challenged Michael in e-mail ...
... there are some use cases going at SSL-specific error cases ...
... there is a flaw in either the use cases or the recommendation proposal ...
tyler: it's an error somewhere
<Mez> I don't think the note has to have all the use cases
<Mez> tyler seems to disagree with that
<Mez> it seems reasonable to me that a proposal could "add" use cases at the proposal scope
tlr: there are categories like "universally useful, but not a specific recommendation"
mez: how to wrap up?
tlr: think we should keep the asterisks. These are priorities.
... These are what the recommendations actually mean
mez: will take this up in e-mail
<rachna> Mez, I'll respond to your usability question about the certerr template in email.
<Mez> tx rachna
<Mez> I really want the template to be useful, so it's critical that any sections we claim are important actually are

Summary of Action Items

[NEW] ACTION: schutzer to revisit section 3 of BMA study results [recorded in [27]http://www.w3.org/2007/06/13-wsc-minutes.html#action01]
[NEW] ACTION: serge to share study on effectiveness of trust seals in SharedBookmarks [recorded in [28]http://www.w3.org/2007/06/13-wsc-minutes.html#action02]

[End of minutes]

__________________________________________________________________

Minutes formatted by David Booth's [29]scribe.perl version 1.128 ([30]CVS log)
$Date: 2007/06/22 16:29:33 $

__________________________________________________________________

References

1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0083.html
3. http://www.w3.org/2007/06/13-wsc-irc
4. http://www.w3.org/2007/06/13-wsc-minutes#agenda
5. http://www.w3.org/2007/06/13-wsc-minutes#item01
6. http://www.w3.org/2007/06/13-wsc-minutes#item02
7. http://www.w3.org/2007/06/13-wsc-minutes#item03
8. http://www.w3.org/2007/06/13-wsc-minutes#item04
9. http://www.w3.org/2007/06/13-wsc-minutes#item05
10. http://www.w3.org/2007/06/13-wsc-minutes#item06
11. http://www.w3.org/2007/06/13-wsc-minutes#ActionSummary
12. http://www.w3.org/2007/05/30-wsc-minutes
13. http://www.w3.org/2007/05/31-wsc-minutes
14. http://www.w3.org/2007/06/06-wsc-minutes
15. http://www.w3.org/2007/06/13-wsc-minutes.html#action01
16. http://www.w3.org/2006/WSC/wiki/EV
17. http://www.w3.org/2006/WSC/wiki/EV
18. http://portal.acm.org/citation.cfm?id=953510
19. http://www.w3.org/2007/06/13-wsc-minutes.html#action02
20. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
21. http://www.w3.org/2006/WSC/drafts/rec/#certerr
22. http://my.opera.com/yngve/blog/show.dml/461932
23. http://www.w3.org/2006/WSC/Group/track/users
24. http://server/contactform
25. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
26. http://www.w3.org/2006/WSC/drafts/rec/#certerr
27. http://www.w3.org/2007/06/13-wsc-minutes.html#action01
28. http://www.w3.org/2007/06/13-wsc-minutes.html#action02
29. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
30. http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 22 June 2007 18:36:04 UTC