Minutes: WSC WG weekly 2007-02-20

The minutes from our meeting on 20 February have been approved. They
are online here:

  http://www.w3.org/2007/02/20-wsc-minutes

A text/plain version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>





   [1]W3C 

                       WSC Working Group Teleconference

20 Feb 2007

   See also: [2]IRC log

Attendees

   Present
          Mike Belzner
          Chuck Wade
          Hal Lockhart
          Jonath
          Maritza Johnson
          Mary Ellen Zurko
          Tony Nadalin
          Phill Hallam-Baker
          Paul Hill
          Rob Franco
          Thomas Roessler
          bill-d
          Rachna
          (Rob Franco)

   Regrets
   Chair
          Mary Ellen Zurko

   Scribe
          Phill Hallam-Baker

Contents

     * [3]Topics
         1. [4]Minutes approval
         2. [5]Action item review
         3. [6]Note draft
     * [7]Summary of Action Items
     _________________________________________________________________

Minutes approval

   Approving minutes from last meeting

   <tlr> [8]http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html

   Minutes approved nem con

Action Item review

   Next topic: Newly closed action items

   No issues raised.

Note Draft

   tlr [9]http://www.w3.org/2006/WSC/drafts/note/

   MEZ: Issue is getting our note to First Public Working Draft (FPWD). Have
   people actually read the draft?

   <Nadalin> yes

   MEZ: Reading the draft is 'trivial parallelism': we can all read it at once.
   Are there substantive issues we need to address before FPWD?

   TLR: One would be to move material from overview to the abstract

   MEZ: OK but this is not a blocking issue, you can do it this week while you
   are editor.

   tlr ACTION: thomas to expand abstract of note by moving in material from
   overview [recorded in
   [10]http://www.w3.org/2007/02/20-wsc-minutes.html#action02]

   Recorded as ACTION-145.

   Chuck Wade: we need to address the fact that there are many specialized
   browsers for particular content, specialized actions etc, W3C can provide
   forward references. This was not coming out in note

   Bill-d: We should address the topics of forward evolving models, forward
   security models, isolated sandbox modes, newer O/S models, treat security
   possibly in completely different mechanisms

   Chuck: Part of what maybe needs to be brought to the forefront is the way
   that browsers deal with the platform, using common infrastructure of the
   platform rather than bringing it all themselves. The platform is a better
   place to put security to be used by many browsers, applications as common
   interfaces, this is not just about how security should be presented to
   users using a browser but by users using the Web, many more diverse
   platforms, many more uses than in the past,

   tlr: did a bit of rewriting last week on the way in which the note deals
   with what is in and out of scope. Rephrased from relatively product centric
   view to talking about web interactions, http, https at the center of that

   Chuck I agree with you, Thomas, that some of the recent changes do improve
   the document.

   tlr: Are the changes made last week sufficient to take this into account in
   your view, is this something that has to happen now?

   chuck: can happen later, should be more visible, some of the recent changes
   heading in the right direction

   mez: charter is very general, say web user agent

   Chuck I'm merely arguing that at some of these key concepts need to be more
   "front and center."

   mez: use cases were browser centric last time I looked at them

   Chuck We need to be "Web" centric, and not "browser" centric in terms of
   user security context

   mez: we briefly discussed widgets on the list a while ago we discussed voice
   browsers a while ago, in general we were trying to motivate the stuff we
   are doing with use cases, it could be that there are some use cases that are
   missing. one that is missing is a list of user agents we are going to cover,
   one of the reasons I would have liked the list is for just this reason,
   trying to keep in mind, do it centrally as sort of a goal thing.

   Chuck How about the "iTunes" use case? This is somewhat "tongue in cheek"
   remark, but this is an example of what will likely emerge as a much more
   common approach.

   mez: How do people get security context from iTunes? Not the way they get it
   from a browser? Are these use cases rather than user agents?

   Chuck: Use cases rather than user agents, stock transactions, things like
   that, what about the AJAX applications? Web will be redefined in many ways,
   New social engineering opportunities

   Beltzner +1 to MEZ

   MEZ we are not about changing anything under the covers, you are beginning to
   wander there

   TLR: I am going to be the bureaucrat: there are a lot of important points,
   are these on the critical path for the first draft of this note? To what
   extent does it affect classes of implementations for which we define
   conformance? State that the note is in currently is ok for first public
   draft, may want to contribute further use cases, first draft is soliciting
   comment for the first time, not closure

   Chuck I am not suggesting that we hold off sharing our work with a wider
   audience, but that we consider evolving our Note to address some of the
   forward references

   MEZ: Chuck willing to take an action to lead conversation on list

   Chuck: yes

   tlr ACTION: chuck to start conversation on conformance for non-browser user
   agents and forward-looking web use [recorded in
   [11]http://www.w3.org/2007/02/20-wsc-minutes.html#action03]

   Recorded as ACTION-146.

   MEZ: Everyone is happy, any more comments on FPWD? ... NO

   TLR: Thing to do is for the group to agree to go to FPWD if folk are happy
   with me to fix the abstract

   MEZ: will ask you to send out a copy of or a link to when it changes ...
   that ok thomas?

   TLR: need to be clear, we are doing the first PWD for the note not
   substantive proposals. I rephrase, if nobody objects then we publish that
   would work for me, does that make sense?

   MEZ i think it sounds good

   MEZ: should we talk through any mechanics need to do at group level

   TLR at group level we need a decision

   MEZ we are making the decision now

   TLR: sorry for spoiling the party: title and short name for the thing?

   MEZ: do you remember what they were

   MEZ takes a minute to find it

   MEZ will have the dreaded phrase web security context

   MEZ any other proposals, put them forward

   tlr PROPOSED: Web Security Context Use Cases and Requirements

   tlr shortname: wsc-reqs

   Chuck How about: "Trusting the Web--Not!"

   PHB: we need something better than security context

   HAL: user interface?

   Mez "Web Security Context: Requirements and Use Cases"

   PHB User Experience is better

   MEZ agrees

   Chuck How about "Security EXperience"? The Acronym ought to be catchy

   Mez "Usable and Robust Display of Web Security Context: Requirements and Use
   Cases"

   Beltzner: don't like user interface, tends to create ire amongst browser
   providers

   Mez "Are You Experienced"

   Beltzner: idicators is good, indicators

   Nadalin Secure Web User Experience: Requirements and Use Cases

   Mez "Web Security Experience and Indicators: Use Cases and Requirements"

   MEZ: security experience and indicators?

   Chuck Security Experience and Indicators

   hal just web security indicators

   TLR: ??

   Mez WEB Security Experience ...

   TLR: secure browsing? tagline from PR

   MEZ Are we overpromising?

   bill-d web IA

   TLR does this map to what we provide?

   hal I like just plain web security indicators - drop experience

   johnath Web Security Information and Indicators?

   Mez "Web Security Indicators: Use Cases and Requirements"

   Chuck How about Web Trust Indicators

   PHB likes experience

   Chuck Trust is the real problem,

   MEZ trust makes her nervous

   Chuck Ultimately, what matters is whether the person can trust their
   experience on the Web

   Mez "Trusting Web Trust" - gets both usability and robustness

   Nadalin I think that we need to include "experience" since we are not
   talking about all of security it's just the visual experience

   rfranco I think the document is more about recommendations rather than
   requirements, needs, you wanted to be more than just experience and
   indicators - needs to use context to provide IA

   beltzner rfranco++

   Mez "Making Assurance Double Sure: Directions in Web Experience and
   Indicators"

   bill-d: information assurance... want trust.. secure experience.. don't want
   to say provide secure environment

   Chuck How important is it for the user to be able to trust the content
   they're presented with?

   PHB: We can make an empirical statement about the state of Web security
   experience... albeit a negative one

   beltzner Mez_: "security" seems to have some consensus

   beltzner :)

   Mez "Web Security Experience, Indicators, and Trust"

   MEZ: consensus????

   johnath Mez_++

   beltzner yeah, that last one was good

   Mez "Trusting Web Security Experience and Indicators: Use Cases and
   Directions"

   beltzner plus it starts with WS, which makes johnath and I happy

   Chuck There's trust of the session you have with a Web site or sites, and
   then there is the question of whether or not you can trust what you get back
   from the Web site. The tendency to have so many actors throwing up content
   on a page that the user thinks is associated with a single site is a real
   part of the problem.

   johnath mez - Liked your previous one more than this last

   HAL: term security maps to what people expect..

   Chuck "Trust" as a term is a perfectly good English word that has been
   corrupted by the various security snake oil purveyors

   Mez "Web Security Experience, Indicators and Trust: Requirements and Use
   Cases"

   johnath yes - sorry, assumed the suffix there. Mez++ again

   TLJ: must not appear to be recommendations as it isn't

   Mez "Web Security Experience, Indicators and Trust: Scope and Use Cases"

   Belzner: note is not putting forward requirements

   beltzner sounds like a barn burner

   TLR use cases but probably not specific enough for requirements

   MEZ: now taking concrete suggestions or alternatives

   MEZ: ok we have a title

   tlr title: Web Security Experience, Indicators and Trust: Scope and Use
   Cases

   Mez wseit-scope

   Mez wsc-scope

   Mez wsc-use-cases

   tlr wsc-usecases

   HAL: hard enough without name of doc being different to WG

   mez: any objections, alternatives

   tlr RESOLVED: Web Security Experience, Indicators and Trust: Scope and Use
   Cases

   tlr RESOLVED: wsc-usecases

   MEZ: ok we have a title, short title

   Chuck Yes

   rfranco what is the date?

   tlr RESOLVED: To move editor's draft to FPWD after no-objection period for
   abstract

   TLR: purely editorial changes ... publication now mechanical apart from the
   abstract

   TLR abstract by noon eastern tomorrow

   TLR 2,3,4 March for publication???

   TLR any changes after now into future version

   franco: going live with news immediately prior to the next f2f?

   Mez [12]http://www.w3.org/2006/WSC/

   MEZ: any other things needed at the team level

   MEZ alright great....

   MEZ: don't think we have time for any other discussion items today... will
   send notes on chrome to list

   MEZ will also be putting out reply on reputation service

   TLR: metz q on how to proceed
   ... note will not be published by next meeting, how do we move on to the
   recommendations side of the doc?
   ... probably quite ready to move on to the technical side of the discussion,
   Take up threat trees

   tlr meeting adjourned

Summary of Action Items

   [NEW] ACTION: chuck to start conversation on conformance for non-browser
   user agents and forward-looking web use [recorded in
   [13]http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
   [NEW] ACTION: thomas to expand abstract of note by moving in material from
   overview [recorded in
   [14]http://www.w3.org/2007/02/20-wsc-minutes.html#action02]
   [End of minutes]
     _________________________________________________________________


    Minutes formatted by David Booth's [15]scribe.perl version 1.127 ([16]CVS
    log)
    $Date: 2007/03/09 16:15:20 $
     _________________________________________________________________


References

   1. http://www.w3.org/
   2. http://www.w3.org/2007/02/20-wsc-irc
   3. http://www.w3.org/2007/02/20-wsc-minutes.html#agenda
   4. http://www.w3.org/2007/02/20-wsc-minutes.html#item01
   5. http://www.w3.org/2007/02/20-wsc-minutes.html#item02
   6. http://www.w3.org/2007/02/20-wsc-minutes.html#item03
   7. http://www.w3.org/2007/02/20-wsc-minutes.html#ActionSummary
   8. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html
   9. http://www.w3.org/2006/WSC/drafts/note/
  10. http://www.w3.org/2007/02/20-wsc-minutes.html#action02
  11. http://www.w3.org/2007/02/20-wsc-minutes.html#action03
  12. http://www.w3.org/2006/WSC/
  13. http://www.w3.org/2007/02/20-wsc-minutes.html#action03
  14. http://www.w3.org/2007/02/20-wsc-minutes.html#action02
  15. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  16. http://dev.w3.org/cvsweb/2002/scribe/

Received on Friday, 9 March 2007 16:22:20 UTC