Meeting record: WSC WG weekly 2007-06-13

Minutes were approved and are public:

  http://www.w3.org/2007/06/13-wsc-minutes

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C

                                 WSC WG weekly

13 Jun 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          MaryEllen_Zurko, Thomas, jvkrey, rachna, luis, Bill_Doyle,
          shawn, stephenF, Chuck_Wade, dan.schutzer, johnath, PHB, audian,
          maritzaj, tyler, serge, Hal_Lockhart, yngve, anil

   Regrets
          beltzner

   Chair
          MEZ

   Scribe
          luis, tlr

Contents

     * [4]Topics
         1. [5]approving minutes
         2. [6]Last Meeting's minutes
         3. [7]newly completed action items
         4. [8]agenda bashing
         5. [9]status update on EV certificates
         6. [10]conformance and rec drafting
     * [11]Summary of Action Items
     __________________________________________________________________

Last Meeting's minutes

   mez: minutes approved

   <tlr> [12]http://www.w3.org/2007/05/30-wsc-minutes

   <tlr> [13]http://www.w3.org/2007/05/31-wsc-minutes

   mez: action items

   <tlr> [14]http://www.w3.org/2007/06/06-wsc-minutes

newly completed action items

   mez: referring to closed action items due to inactivity

   <asaldhan> that was Anil from JBoss/RedHat

   tlr: Action 199 - possible recommendation material

   <Mez> slow down thomas

   <Mez> as did I

   <Mez> miss what you said

   <tlr> ACTION-199

   <Mez> go slow; your phone connection is fuzzy

   <Mez> consider irc backup :-)

   tlr: Chuck Wade had the action
   ... extracting recommendations on authentication

   dan: giving some contributions

   <tlr> ACTION: schutzer to revisit section 3 of BMA study results
   [recorded in
   [15]http://www.w3.org/2007/06/13-wsc-minutes.html#action01]

   <trackbot> Created ACTION-261 - Revisit section 3 of BMA study results
   [on Daniel Schutzer - due 2007-06-20].

   dan: he has the appendix and will send it out

   <Chuck> I have no "violent" disagreement. Thanks, Dan.

   tlr: asking about conformance section

agenda bashing

   tlr: potential for demonstrations. Audian?

   audian: i have the infrastructure but have to consider payment

   ... I need to make an estimation and then come back

   mez: moving discussion to email space
   ... on agenda recommendations, security protocols
   ... update on EV certs
   ... Thomas wonders about the URLs he put out

   tlr: Two parts are there. we are lagging behind

   mez: we are still on agenda bashing
   ... conformance discussions are also needed

status update on EV certificates

   <Mez> [16]http://www.w3.org/2006/WSC/wiki/EV

   johnath: EV certs.

   <tlr> it is

   <tlr> he sounds better than you

   <johnath> [17]http://www.w3.org/2006/WSC/wiki/EV

   johnath: rehashing history
   ... 1st question. why EV?
   ... old system didn't work. CA creating different degrees of validation
   ... too much vendor favoritism. CA couldn't explain charging high
   prices
   ... some roots were misbehaving
   ... root stores started with Netscape
   ... Netscape was (?) affected by liability
   ... Some CAs had more rigorous practices
   ... many browser vendors are supporting EV guidelines
   ... including major ones
   ... guidelines for considering business entities
   ... EV doesn't address identity issues
   ... EV creates a higher bar

   <PHB2> not necessarily!

   johnath: EV is real and is here. Support will be given to those
   endorsing EV

   <PHB2> The EV experience means that people will know that it's a
   VeriSign certificate, so they may recognize services we offer over and
   above the minimum requirements of EV

   johnath: EV will be supported by major UA browsers

   <PHB2> What EV means is that there should not be any null CAs issuing
   EV certs with no effective accountability checks whatsoever

   <serge> And how many users know exactly what Verisign does?

   johnath: many will be tempted to see the EV buzz as a panacea, but it's
   not and there are issues to work on

   <PHB2> How much will we invest in telling them?

   mez: any comments?

   chuck: EV is useful. Does EV clean up other cert-related standards?
   ... other cert standards have also come along.

   <stephenF> s/cleaning standards/complying to standards/ ?

   johnath: yes, EV does gather previous cert proposals
   ... guidelines refer to OCSP, CRL
   ... on logotypes - it says nothing on validation
   ... which is next thing to tackle

   PHB: nothing affects logotype.
   ... wants to see the follow-up
   ... user interaction with the browser
   ... need to authentication for better co-signing

   mez: let's avoid discussing here cabforum's future work

   PHB: who is the trust provider?

   <Mez> just want to keep us on topics of immediate interest and utility
   to wg

   PHB: issuing suspicious certs damages the brand
   ... accountability for cert issuers

   serge: on logotypes
   ... previous CAs ... most users don't deal with these companies
   ... don't recognize the logos
   ... users trust logos that look like previously seen ones
   ... but don't understand what they actually mean

   mez: let's not fall deep into logotype discussions

   <serge> [18]http://portal.acm.org/citation.cfm?id=953510

   <tlr> ACTION: serge to share study on effectiveness of trust seals in
   SharedBookmarks [recorded in
   [19]http://www.w3.org/2007/06/13-wsc-minutes.html#action02]

   <trackbot> Created ACTION-262 - Share study on effectiveness of trust
   seals in SharedBookmarks [on Serge Egelman - due 2007-06-20].

   <Zakim> johnath, you wanted to reply to PHB about who verifies an
   identity

   mez: ACM link above requires subscription :-(

   <Mez> we'll have full ev and logotype discussions around the actual
   proposals at some near future meeting

   <Mez> ack dan.schutzer

   johnath: refer to identity recommendations he put

   dan: who is entitled to the logotype?

   johnath: move the discussion to cabforum

   chuck: following up dan's comment. the logotype should be displayed in
   the security part
   ... there is some relevance to this group

conformance and rec drafting

   tlr: updated template on proposals.

   <Chuck> The important point is that the "community" logotype needs to
   be displayed in a secure manner (whatever that means)

   tlr: an example is available too

   <Mez> the template is at

   <Mez>
   [20]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Reco
   Templ

   tlr: Question? conformance can be done on secure page, e.g.
   ... Is there something more we need to do?
   ... by the end of this week

   <johnath> tlr is cutting out for me for a couple seconds at a time

   ... (some words are dropped on the line)

   <sduffy> me too

   ... requesting feedback

   <Audian> I was able to hear thomas just fine

   ... proposals needed for conformance sections

   mez: clarifying thomas request

   <Audian> but i wasn't listening

   <tlr> audian, tsk

   tlr: great if all can work on the wiki
   ... check in realtime and speak up

   <Mez> [21]http://www.w3.org/2006/WSC/drafts/rec/#certerr

   mez: next item is: Security Protocol Error Presentation
   ... can any one walk through the proposal?

   <Mez> Michael McCormick couldn't make it for this meeting

   stephenF: can we make recommendation without seeing prototype
   suggestions?

   <Audian> i'm leaving irc, but will attempt to stay on the call (elvis
   is kinda leaving the building)

   stephenF: .... it can be too early

   mez: can you clarify?

   stephenF: we need to see proofs of concept before recommendations
   ... doubt that they are all possible

   mez: all dialogs have more than one button
   ... do you want an example?

   stephenF: recommendations need to be backed up by experimentations

   tlr: rephrasing ...

   johnath: supporting stephenF
   ... we should have a notion on how these recommendations could be
   implemented
   ... difficult to qualify implementation based on recommendations
   ... they are too broad

   <yngve> I have discussed some aspects of this in my article
   [22]http://my.opera.com/yngve/blog/show.dml/461932

   <Zakim> stephenF, you wanted to say that it's not just conformance, but
   existence proof

   mez: the conformance draft may be public before reaching internal
   consensus

   stephenF: concern is that we are disagreeing on recommendations that
   can't be done in practice
   ... for example PKI. There are thousands of risks that mean nothing to
   the user
   ... we are missing abstractions that can make sense to the user. But
   it's not obvious

   chuck: I use many browsers and find many SSL/certs problems
   ... and every browser handles problems in its own way, own jargon, own
   UI...
   ... some cleanup, rational option, are needed

   <stephenF> +1 to cleanup (if it means develop an abstraction users
   might get)

   ... this group can be effective in getting this across

   yngve: how to explain to the user? ...

   <Chuck> Apologies, I've just had to "step out" to help a client with a
   critical problem.

   yngve: e.g. unknown certs... like in real life when someone makes a
   strong statement that is difficult to verify
   ... a client can't just shut down a connection. The question is what
   criteria the browser can use

   <tlr> that ties in with Stephen Farrell's action to look at the SSL
   behavior

   yngve: but the user can't make that criteria either
   ... cases when user knows where he wants to go but no one can help her

   PHB: there is no need to display all those errors
   ... e.g. instead be silent and take the user to the site but with no
   security indicators

   <Mez> an affordance to "correct the problem" if it's something the user
   can deal with, such as accepting a new cert, is the only hole I see in
   phil's point

   <stephenF> The abstraction that means something to the user need not be
   the same as the abstraction of the protocol errors

   tlr: I hear two proposals and a bunch of ideas
   ... one proposal is on certification
   ... becomes a non-normative chapter in the recommendations
   ... the other proposal is on interaction for non-trusted sites
   ... what conditions should trigger errors and what not
   ... collecting what has been said and consolidate
   ... what's been said by yngve, stephenF, PHB
   ... i suggest all three draft a proposal

   <stephenF> me

   stephenF: seems reasonable. but someone from the user side is needed

   <tlr> ScribeNick: tlr

   stephen: sounds reasonable to do protocol stuff first

   <luis> (got to leave now - bye)

   stephen: think action item is due in two weeks ..

   MEZ: Stephen, please verify in tracker

   yngve: replying to phil about what browsers should do
   ... opera not showing padlock on mixed security ...

   <Mez> [23]http://www.w3.org/2006/WSC/Group/track/users can be used by
   everyone to see their open action items

   yngve: do not show padlock if there's OCSP trouble ...

   <stephenF> action 240 on me is due 20070626

   mez: looking forward to seeing Yngve's proposal in conformance language

   tlr: think it is in conformance language, or close to

   yngve: ?!

   mez: robust discussion around bullet items
   ... fading away ...
   ... seem to have a lot of pieces we have together ...
   ... any other comments on 3.4 proposals ...

   <stephenF> I don't understand the last one

   mez: "do not refer to destination URL for assistance"
   ... that's the "contact the site administrator" type of advice

   <stephenF> ok with that - admins never help anyway:-)

   tlr: (a) abstract: don't ask people to override security decision to
   make that very decision.
   ... (b) concrete: don't suggest contacting the site that you are trying
   to contact right now

   yngve: suggest something like "please contact webmaster by e-mail at
   ......"
   ... not sure how broadly used that one is
   ... mandating webmaster might be good idea ...

   tlr: postmaster@ has been tried, it has failed ...
   ... also, out-of-band contact is pretty much the same as (b) above ...

   yngve: any other method we can mandate for such communication?

   mez: new protocol stuff?

   yngve: probably

   mez: CHI and whoever in SharedBookmarks

   <stephenF> gotta go now folks, (might be travelling next week btw) bye

   <yngve> perhaps [24]http://server/contactform ?

   mez: broadness of use cases?

   tlr: reflect level of abstraction that is here
   ... think this supports putting these things into general,
   non-normative part of document ...

   mez: on 3.7 ...

   <Mez>
   [25]http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Reco
   Templ

   tyler: bothered that template doesn't star any of the material that we
   worked on in the note
   ... would kind of like to go back to old template ...
   ... current template seems not focused on enabling testing ...
   ... seems to be driving toward language that we can put into our final
   recommendations ...
   ... isn't that jumping the gun on the process ...
   ... if you agree that the purpose of the first document is to have
   something to build consensus about ...

   tlr: point of template is precisely to take first stab at core idea --
   what is it that should be done universally?

   tyler: umh, lost the thread

   mez: would like to hear from others as well
   ... one thing is that nobody who knows about usability testing had any
   comments about 3.7 ...
   ... personal opinion: all parts of the template will be necessary to
   actually understand any particular part of the proposal ...
   ... since we don't care about time line ...
   ... seems like right thing is to make all the sections required ...
   ... at least take a stab at them ...
   ... but don't require people to put in things that are meaningless /
   stupid ...
   ... would be happy to rip off asterisks ...

   <Mez> it's a pause

   <Mez> while we see if anyone else has an opinion

   schutzer: use new template, take stab at everything, but use judgment?

   mez: would be hard to see how something that goes toward a standard
   could not have conformance language.

   <Mez> [26]http://www.w3.org/2006/WSC/drafts/rec/#certerr

   tyler: which one had the use case section irrelevant?

   mez: we were going through the cert error part
   ... I think I challenged Michael in e-mail ...
   ... there are some use cases going at SSL-specific error cases ...
   ... there is a flaw in either the use cases or the recommendation
   proposal ...

   tyler: it's an error somewhere

   <Mez> I don't think the note has to have all the use cases

   <Mez> tyler seems to disagree with that

   <Mez> it seems reasonable to me that a proposal could "add" use cases
   at the proposal scope

   tlr: there are categories like "universally useful, but not a specific
   recommendation"

   mez: how to wrap up?

   tlr: think we should keep the asterisks. These are priorities. These
   are what the recommendations actually mean

   mez: will take this up in e-mail

   <rachna> Mez, I'll respond to your usability question about the certerr
   template in email.

   <Mez> tx rachna

   <Mez> I really want the template to be useful, so it's critical that
   any sections we claim are important actually are

Summary of Action Items

   [NEW] ACTION: schutzer to revisit section 3 of BMA study results
   [recorded in
   [27]http://www.w3.org/2007/06/13-wsc-minutes.html#action01]
   [NEW] ACTION: serge to share study on effectiveness of trust seals in
   SharedBookmarks [recorded in
   [28]http://www.w3.org/2007/06/13-wsc-minutes.html#action02]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [29]scribe.perl version 1.128
    ([30]CVS log)
    $Date: 2007/06/22 16:29:33 $
     __________________________________________________________________

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0083.html
   3. http://www.w3.org/2007/06/13-wsc-irc
   4. http://www.w3.org/2007/06/13-wsc-minutes#agenda
   5. http://www.w3.org/2007/06/13-wsc-minutes#item01
   6. http://www.w3.org/2007/06/13-wsc-minutes#item02
   7. http://www.w3.org/2007/06/13-wsc-minutes#item03
   8. http://www.w3.org/2007/06/13-wsc-minutes#item04
   9. http://www.w3.org/2007/06/13-wsc-minutes#item05
  10. http://www.w3.org/2007/06/13-wsc-minutes#item06
  11. http://www.w3.org/2007/06/13-wsc-minutes#ActionSummary
  12. http://www.w3.org/2007/05/30-wsc-minutes
  13. http://www.w3.org/2007/05/31-wsc-minutes
  14. http://www.w3.org/2007/06/06-wsc-minutes
  15. http://www.w3.org/2007/06/13-wsc-minutes.html#action01
  16. http://www.w3.org/2006/WSC/wiki/EV
  17. http://www.w3.org/2006/WSC/wiki/EV
  18. http://portal.acm.org/citation.cfm?id=953510
  19. http://www.w3.org/2007/06/13-wsc-minutes.html#action02
  20. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
  21. http://www.w3.org/2006/WSC/drafts/rec/#certerr
  22. http://my.opera.com/yngve/blog/show.dml/461932
  23. http://www.w3.org/2006/WSC/Group/track/users
  24. http://server/contactform
  25. http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/RecoTempl
  26. http://www.w3.org/2006/WSC/drafts/rec/#certerr
  27. http://www.w3.org/2007/06/13-wsc-minutes.html#action01
  28. http://www.w3.org/2007/06/13-wsc-minutes.html#action02
  29. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
  30. http://dev.w3.org/cvsweb/2002/scribe/

Received on Friday, 22 June 2007 18:36:04 UTC