- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 9 Mar 2007 17:20:42 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from our meeting on 20 February have been approved.
They are online here:

  http://www.w3.org/2007/02/20-wsc-minutes

A text/plain version is included below the .signature.

-- 
Thomas Roessler, W3C <tlr@w3.org>

[1]W3C

WSC Working Group Teleconference
20 Feb 2007

See also: [2]IRC log

Attendees

Present
    Mike Belzner, Chuck Wade, Hal Lockhart, Jonath, Maritza Johnson, Mary Ellen Zurko, Tony Nadalin, Phill Hallam-Baker, Paul Hill, Rob Franco, Thomas Roessler, bill-d, Rachna (Rob Franco)

Regrets

Chair
    Mary Ellen Zurko

Scribe
    Phill Hallam-Baker

Contents

  * [3]Topics
      1. [4]Minutes approval
      2. [5]Action item review
      3. [6]Note draft
  * [7]Summary of Action Items
_________________________________________________________________

Minutes approval

Approving minutes from last meeting
<tlr> [8]http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html
Minutes approved nem con

Action Item review

Next topic: Newly closed action items
No issues raised.

Note Draft

tlr: [9]http://www.w3.org/2006/WSC/drafts/note/
MEZ: Issue is getting our note to First Public Working Draft (FPWD). Have people actually read the draft?
<Nadalin> yes
MEZ: Reading the draft is 'trivial parallelism': we can all read it at once. Are there substantive issues we need to address before FPWD?
TLR: One would be to move material from overview to the abstract
MEZ: OK but this is not a blocking issue, you can do it this week while you are editor.
tlr: ACTION: thomas to expand abstract of note by moving in material from overview [recorded in [10]http://www.w3.org/2007/02/20-wsc-minutes.html#action02]
Recorded as ACTION-145.
Chuck Wade: we need to address the fact that there are many specialized browsers for particular content, specialized actions etc, W3C can provide forward references. This was not coming out in note
Bill-d: We should address the topics of forward evolving models, forward security models, isolated sandbox modes, newer O/S models, treat security possibly in completely different mechanisms
Chuck: Part of what maybe needs to be brought to the forefront is the way that browsers deal with the platform, using common infrastructure of the platform rather than bringing it all themselves. The platform is a better place to put security to be used by many browsers, applications as common interfaces, this is not just about how security should be presented to users using a browser but by users using the Web, many more diverse platforms, many more uses than in the past,
tlr: did a bit of rewriting last week on the way in which the note deals with what is in and out of scope. Rephrased from relatively product centric view to talking about web interactions, http, https at the center of that
Chuck: I agree with you, Thomas, that some of the recent changes do improve the document.
tlr: Are the changes made last week sufficient to take this into account in your view, is this something that has to happen now?
chuck: can happen later, should be more visible, some of the recent changes heading in the right direction
mez: charter is very general, say web user agent
Chuck: I'm merely arguing that at some of these key concepts need to be more "front and center."
mez: use cases were browser centric last time I looked at them
Chuck: We need to be "Web" centric, and not "browser" centric in terms of user security context
mez: we briefly discussed widgets on the list a while ago we discussed voice browsers a while ago, in general we were trying to motivate the stuff we are doing with use cases, it could be that there are some use cases that are missing. one that is missing is a list of user agents we are going to cover, one of the reasons I would have liked the list is for just this reason, trying to keep in mind, do it centrally as sort of a goal thing.
Chuck: How about the "iTunes" use case? This is somewhat "tongue in cheek" remark, but this is an example of what will likely emerge as a much more common approach.
mez: How do people get security context from iTunes? Not the way they get it from a browser? Are these use cases rather than user agents?
Chuck: Use cases rather than user agents, stock transactions, things like that, what about the AJAX applications? Web will be redefined in many way, New social engineering opportunities
Beltzner: +1 to MEZ
MEZ: we are not about changing anything under the covers, you are beginning to wander there
TLR: I am going to be the bureaucrat: there are a lot of important points, are these on the critical path for the first draft of this note? To what extent does it affect classes of implementations for which we define conformance? State that the note is in currently is ok for first public draft, may want to contribute further use cases, first draft is soliciting comment for the first time, not closure
Chuck: I am not suggesting that we hold off sharing our work with a wider audience, but that we consider evolving our Note to address some of the forward references
MEZ: Chuck willing to take an action to lead conversation on list
Chuck: yes
tlr: ACTION: chuck to start conversation on conformance for non-browser user agents and forward-looking web use [recorded in [11]http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
Recorded as ACTION-146.
MEZ: Everyone is happy, any more comments on FPWD?
... NO
TLR: Thing to do is for the group to agree to go to FPWD if folk are happy with me to fix the abstract
MEZ: will ask you to send out a copy of or a link to when it changes
... that ok thomas?
TLR: need to be clear, we are doing the first PWD for the note not substantive proposals. I rephrase, if nobody objects then we publish that would work for me, does that make sense?
MEZ: i think it sounds good
MEZ: should we talk through any mechanics need to do at group level
TLR: at group level we need a decision
MEZ: we are making the decision now
TLR: sorry for spoiling the party: title and short name for the thing?
MEZ: do you remember what they were
MEZ takes a minute to find it
MEZ: will have the dreaded phrase web security context
MEZ: any other proposals, put them forward
tlr: PROPOSED: Web Security Context Use Cases and Requirements
tlr: shortname: wsc-reqs
Chuck: How about: "Trusting the Web--Not!"
PHB: we need something better than security context
HAL: user interface?
Mez: "Web Security Context: Requirements and Use Cases"
PHB: User Experience is better
MEZ agrees
Chuck: How about "Security EXperience"? The Acronym ought to be catchy
Mez: "Usable and Robust Display of Web Security Context: Requirements and Use Cases"
Beltzner: don't like user interface, tends to create ire amongst browser providers
Mez: "Are You Experienced"
Beltzner: indicators is good, indicators
Nadalin: Secure Web User Experience: Requirements and Use Cases
Mez: "Web Security Experience and Indicators: Use Cases and Requirements"
MEZ: security experience and indicators?
Chuck: Security Experience and Indicators
hal: just web security indicators
TLR: ??
Mez: WEB Security Experience ...
TLR: secure browsing? tagline from PR
MEZ: Are we overpromising?
bill-d: web IA
TLR: does this map to what we provide?
hal: I like just plain web security indicators - drop experience
johnath: Web Security Information and Indicators?
Mez: "Web Security Indicators: Use Cases and Requirements"
Chuck: How about Web Trust Indicators
PHB likes experience
Chuck: Trust is the real problem,
MEZ trust makes her nervous
Chuck: Ultimately, what matters is whether the person can trust their experience on the Web
Mez: "Trusting Web Trust" - gets both usability and robustness
Nadalin: I think that we need to include "experience" since we are not talking about all of security it's just the visual experience
rfranco: I think the document is more about recommendations rather than requirements, needs, you wanted to be more than just experience and indicators - needs to use context to provide IA
beltzner: rfranco++
Mez: "Making Assurance Double Sure: Directions in Web Experience and Indicators"
bill-d: information assurance... want trust.. secure experience.. don't want to say provide secure environment
Chuck: How important is it for the user to be able to trust the content they're presented with?
PHB: We can make an empirical statement about the state of Web security experience... albeit a negative one
beltzner: Mez_: "security" seems to have some consensus
beltzner: :)
Mez: "Web Security Experience, Indicators, and Trust"
MEZ: consensus????
johnath: Mez_++
beltzner: yeah, that last one was good
Mez: "Trusting Web Security Experience and Indicators: Use Cases and Directions"
beltzner: plus it starts with WS, which makes johnath and I happy
Chuck: There's trust of the session you have with a Web site or sites, and then there is the question of whether or not you can trust what you get back from the Web site. The tendency to have so many actors throwing up content on a page that the user thinks is associated with a single site is a real part of the problem.
johnath: mez - Liked your previous one more than this last
HAL: term security maps to what people expect..
Chuck: "Trust" as a term is a perfectly good English word that has been corrupted by the various security snake oil purveyors
Mez: "Web Security Experience, Indicators and Trust: Requirements and Use Cases"
johnath: yes - sorry, assumed the suffix there. Mez++ again
TLJ: must not appear to be recommendations as it isn't
Mez: "Web Security Experience, Indicators and Trust: Scope and Use Cases"
Belzner: note is not putting forward requirements
beltzner: sounds like a barn burner
TLR: use cases but probably not specific enough for requirements
MEZ: now taking concrete suggestions or alternatives
MEZ: ok we have a title
tlr: title: Web Security Experience, Indicators and Trust: Scope and Use Cases
Mez: wseit-scope
Mez: wsc-scope
Mez: wsc-use-cases
tlr: wsc-usecases
HAL: hard enough without name of doc being different to WG
mez: any objections, alternatives
tlr: RESOLVED: Web Security Experience, Indicators and Trust: Scope and Use Cases
tlr: RESOLVED: wsc-usecases
MEZ: ok we have a title, short title
Chuck: Yes
rfranco: what is the date?
tlr: RESOLVED: To move editor's draft to FPWD after no-objection period for abstract
TLR: purely editorial changes
... publication now mechanical apart from the abstract
TLR: abstract by noon eastern tomorrow
TLR: 2,3,4 March for publication???
TLR: any changes after now into future version
franco: going live with news immediately prior to the next f2f?
Mez: [12]http://www.w3.org/2006/WSC/
MEZ: any other things needed at the team level
MEZ: alright great....
MEZ: don't think we have time for any other discussion items today... will send notes on chrome to list
MEZ: will also be putting out reply on reputation service
TLR: metz q on how to proceed
... note will not be published by next meeting, how do we move on to the recommendations side of the doc?
... probably quite ready to move on to the technical side of the discussion, Take up threat trees
tlr: meeting adjourned

Summary of Action Items

[NEW] ACTION: chuck to start conversation on conformance for non-browser user agents and forward-looking web use [recorded in [13]http://www.w3.org/2007/02/20-wsc-minutes.html#action03]
[NEW] ACTION: thomas to expand abstract of note by moving in material from overview [recorded in [14]http://www.w3.org/2007/02/20-wsc-minutes.html#action02]

[End of minutes]
_________________________________________________________________

Minutes formatted by David Booth's [15]scribe.perl version 1.127 ([16]CVS log)
$Date: 2007/03/09 16:15:20 $
_________________________________________________________________

References

1. http://www.w3.org/
2. http://www.w3.org/2007/02/20-wsc-irc
3. http://www.w3.org/2007/02/20-wsc-minutes.html#agenda
4. http://www.w3.org/2007/02/20-wsc-minutes.html#item01
5. http://www.w3.org/2007/02/20-wsc-minutes.html#item02
6. http://www.w3.org/2007/02/20-wsc-minutes.html#item03
7. http://www.w3.org/2007/02/20-wsc-minutes.html#ActionSummary
8. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Feb/0010.html
9. http://www.w3.org/2006/WSC/drafts/note/
10. http://www.w3.org/2007/02/20-wsc-minutes.html#action02
11. http://www.w3.org/2007/02/20-wsc-minutes.html#action03
12. http://www.w3.org/2006/WSC/
13. http://www.w3.org/2007/02/20-wsc-minutes.html#action03
14. http://www.w3.org/2007/02/20-wsc-minutes.html#action02
15. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
16. http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 9 March 2007 16:22:20 UTC