Meeting record: WSC WG weekly 2007-03-13

The minutes from last week's meeting were accepted:

  http://www.w3.org/2007/03/13-wsc-minutes

A text/plain version is included below.

-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C 

                                  WSC weekly
                                  13 Mar 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Tyler Close
          Mary Ellen Zurko
          Jan Vidar Krey
          Thomas Roessler
          Chuck Wade
          Bill Doyle
          Phillip Hallam-Baker
          George Staikos
          Stuart E. Schechter
          Pascal Manzano
          Praveen Alavilli
          Paul Hill
          Shawn Duffy

   Regrets
          Maritza Johnson
          Mike Beltzner
          Tim Hahn
          Johnathan Nightingale
          Yakov Sverdlov
          Hal Lockhart

   Chair
          Mez

   Scribe
          Tyler

Contents

     * [4]Topics
         1. [5]action items
         2. [6]brief update re Note
         3. [7]documenting the status quo
     * [8]Summary of Action Items
     _________________________________________________________________

   <Mez> [9]http://www.w3.org/2007/03/06-wsc-minutes

   <tlr> minutes approved

action items

   Mez: closing action items, no objections

   <Zakim> thomas, you wanted to ask about path forward for glossary

   tlr: inquiring about status of glossary action

   Mez: nobody has the action now
   ... we could use the wiki to develop a glossary

   <tlr>
   [10]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html

   <tlr> ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some,
   [recorded in [11]http://www.w3.org/2007/03/13-wsc-minutes.html#action01]

   <trackbot> Created ACTION-152 - Put Tim Hahn's outline into Wiki, fill in
   some, [on Stuart Schechter - due 2007-03-20].

   Mez: wants to talk about the status of the Note

brief update re Note

   Mez: Who has reviewed the Note in detail?

   praveen: I have reviewed it, will open an email thread

   <Chuck> Yes, I have reviewed Notes, with perspective on how to address my
   Action 150

   Shawn: I have also reviewed it

   <ses> i've only glanced at it.

   <ses> (very briefly)

   billd: I have also reviewed the Note and have a list of comments I am
   working on

   <jvkrey> Only briefly here as well

   Mez: Please log with the group once you've reviewed the Note so that we can
   track the review process

   <Chuck> When you refer to the "Note," you do mean the "Web Security
   Experience, Indicators and Trust: Scope and Use Cases" document we just
   released???

   Mez: Looking to set a deadline for review of the Note

   <Chuck> ydx

   <Chuck> err, yes

   <ses> Depends what you want us looking for in terms of response to review

   <Zakim> thomas, you wanted to suggest that we schedule a note review call in
   4 weeks or so

   Mez: Does a week sound plausible for review w/o comments of the Note?

   <ses> <--Has put list of terms Tim generated for Glossary into the wiki.
   This does not mean that I agree that these are the important terms or that I
   even understand what's requested by them.

   <Mez> many thanks ses

   <ses> <[12]http://www.w3.org/2006/WSC/wiki/GlossaryFile>

   tlr: explains parts of the process for creating new versions of the Public
   Working Draft

   <tlr> ACTION: thomas to tell tyler about how to do diffs for specprod
   documents [recorded in
   [13]http://www.w3.org/2007/03/13-wsc-minutes.html#action02]

   <trackbot> Created ACTION-153 - Tell tyler about how to do diffs for
   specprod documents [on Thomas Roessler - due 2007-03-20].

   Mez: look at the outstanding ISSUES list to determine needed edits to the
   Note

documenting the status quo

   <Mez> [14]http://www.w3.org/2006/WSC/drafts/note/#status-quo

   <Mez>
   [15]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html

   <tlr>
   [16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html

   Mez: Continuing the conversation on the "Document the status quo" section of
   the Note

   bill-d: We're missing something on multi-factor authentication

   bill-d: For example, scenarios involving smart cards
   ... Am also working on the "Available security information" section.

   <Chuck> When considering authentication, it is also worth paying attention
   to which entity is being authenticated: e.g., the user (a person), their
   computer, their browser, a smart card, a token

   <ses> I was reading what supposedly? Where?

   <Mez> [17]http://www.w3.org/2006/WSC/drafts/note/#status-quo

   <ses> OIC

   <Mez>
   [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html

   Mez: summarizes the above linked email

   [19]http://www.w3.org/2006/WSC/drafts/note/Overview.html#available

   Mez: Switching topics to "Available security information"

   bill-d: Have a number of additions I would like to make to the Note

   Mez: Anyone have additional information about current presentation of
   security information?

   <Chuck> What about indicators of cookies, javascripts, flash objects, images
   from third party sites

   <ses> Firefox has some nice add-ons that let you see what cookies are stored
   for a given page.

   <Chuck> All of these indicators are shown by one or more browsers and/or
   plugins

   bill-d: "Provided by HTTP" section should also include response codes and
   more HTTP Auth modes.

   <ses> This may be brain dead, but isn't the source code of the page contents
   useful security information? It's the only way I know to know where a form
   will be submitted.

   <tlr> ACTION: doyle to track HTTP Auth related extensions [recorded in
   [20]http://www.w3.org/2007/03/13-wsc-minutes.html#action03]

   <trackbot> Created ACTION-154 - Track HTTP Auth related extensions [on Bill
   Doyle - due 2007-03-20].

   praveen: Notes some additional cookie information could be presented

   <tlr> ACTION: praveen to track P3P header related indicators [recorded in
   [21]http://www.w3.org/2007/03/13-wsc-minutes.html#action04]

   <trackbot> Created ACTION-155 - Track P3P header related indicators [on
   Praveen Alavilli - due 2007-03-20].

   <ses> zakin, mute ses so that he can sneeze

   Chuck: A number of plugins are presenting additional information

   Mez: Will you take an ACTION to start a list?

   Chuck: OK, but want help

   <tlr> proposed ACTION: chuck to circulate his list of privacy and security
   indicators

   <tlr> ACTION: chuck to circulate his list of privacy and security indicators
   [recorded in [22]http://www.w3.org/2007/03/13-wsc-minutes.html#action05]

   <trackbot> Created ACTION-156 - Circulate his list of privacy and security
   indicators [on Chuck Wade - due 2007-03-20].

   <Chuck> Agreed

   ses: We also need the HTML source to show up in available security
   information

   <Chuck> Excellent point, both an important issue (forms receiver) and an
   example of a terrible user interface/indicator

   Mez: suggests "Provided by HTML" for this topic

   ses: Don't understand the meaning of "Provided by HTML"

   <jvkrey> document?

   ses: Javascript content isn't covered in the current list

   <staikos> sorry, I have to go :( however I wanted to update that my browser
   app is almost ready for testing now

   <staikos> just a few things left

   bill-d: I might have some suggestions for changing the structure of
   "Available security information"

   <tlr> just say "proposed action" or some such, and I'll make sure the bot
   swallows it

   <Mez> proposed action - ask Tyler to update description of 7.2 to encompass
   the page source, not just URL spec

   <Mez> may be superseded by bill's suggestions later

   <tlr> ACTION: tyler to update 7.2 to encompass page source [recorded in
   [23]http://www.w3.org/2007/03/13-wsc-minutes.html#action06]

   <trackbot> Created ACTION-157 - Update 7.2 to encompass page source [on
   Tyler Close - due 2007-03-20].

   Mez: Interested in "Has the page completed loading?" Noticed a problem with
   the display of this status in Safari

   <Chuck> When the little wheel stops spinning (for Safari)

   <Mez> aahhhhh

   <Mez> I didn't see the wheel

   bill-d: Who really provides the information that the page has completed
   loading?
   ... Doesn't the user agent really determine when the page has completed
   loading?

   Mez: Need more information in the section about why it is structured the way
   it is

   <Chuck> Dare we open up the question of CSS, and CSS overrides??

   Mez: Is the redirection list displayed anywhere?

   Tyler: The back button drop down list presents some of this information.
   Will send an email to the list.

   <Mez> proposed action - the line tyler just put in

   Chuck: The user agent often does not display which CSS styling has been
   applied to the page

   <jvkrey> css content replace?

   <ses> I think this is the issue that if we're enumerating section 7 by
   standards, we're missing a bunch (scripting languages, CSS, etc.)

   Chuck: The page could look very different if the intended CSS was not
   applied to the page

   <jvkrey> I think this touches the "has the page completed loading?" again

   ses: If the attacker can change the page content, the user's decisions may
   be changed

   <ses> Tyler -- the salient point there is that the attacker could do this
   only using CSS

   Chuck: Need an indicator of whether the page is being displayed based on
   full information from the web site, or whether the browser only got partial
   information and "filled in the rest", possibly causing a material change to
   the information perceived by the user

   <Chuck> I think so

   PHB: For example, I've seen a case where the site intended to display white
   text on a colored background, but the browser did not fetch the CSS and so
   displayed white text on a white background.

   <PHB> There is no way at present to know if a contract offer is pure HTML,
   HTML + CSS or script.

   <Mez> mute thomas

   <PHB> Fixing this requires major issues to change HTML

   TLR: This discussion seems to be running up against part of the design of
   the web, in particular ability to render content incrementally, as it is
   fetched.

   <Chuck> The issue we probably want to address here is how to communicate to
   a user that the form they are viewing is complete as intended by the
   authoritative source.

   <Chuck> This is important to indicate before a user fills in data into the
   form.

   <bill-d> Chuck, agree - I will incorporate and will send out text for
   comment

   Mez: Let's keep working on this on the mailing list, in particular, we need
   more information about user interpretations of this information from user
   studies.

   TLR: Perhaps we should also note the "robustness" of the current
   presentation as we enumerate it.
   ... For example as part of completing the goal "Reliable presentation of
   security information"

   <tlr> ACTION: roessler to add documentation of known systemic flaws to
   "Document the status quo" goal [recorded in
   [24]http://www.w3.org/2007/03/13-wsc-minutes.html#action07]

   <trackbot> Created ACTION-158 - Add documentation of known systemic flaws to
   "Document the status quo" goal [on Thomas Roessler - due 2007-03-20].

   Mez: Any closing comments on this goal?
   ... Will look at threat trees next week.
   ... goodbye

Summary of Action Items

   [NEW] ACTION: chuck to circulate his list of privacy and security indicators
   [recorded in [25]http://www.w3.org/2007/03/13-wsc-minutes.html#action05]
   [NEW] ACTION: doyle to track HTTP Auth related extensions [recorded in
   [26]http://www.w3.org/2007/03/13-wsc-minutes.html#action03]
   [NEW] ACTION: praveen to track P3P header related indicators [recorded in
   [27]http://www.w3.org/2007/03/13-wsc-minutes.html#action04]
   [NEW] ACTION: roessler to add documentation of known systemic flaws to
   "Document the status quo" goal [recorded in
   [28]http://www.w3.org/2007/03/13-wsc-minutes.html#action07]
   [NEW] ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some,
   [recorded in [29]http://www.w3.org/2007/03/13-wsc-minutes.html#action01]
   [NEW] ACTION: thomas to tell tyler about how to do diffs for specprod
   documents [recorded in
   [30]http://www.w3.org/2007/03/13-wsc-minutes.html#action02]
   [NEW] ACTION: tyler to update 7.2 to encompass page source [recorded in
   [31]http://www.w3.org/2007/03/13-wsc-minutes.html#action06]

   [End of minutes]
     _________________________________________________________________


    Minutes formatted by David Booth's [32]scribe.perl version 1.128 ([33]CVS
    log)
    $Date: 2007/03/20 22:07:01 $
     _________________________________________________________________

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0066.html
   3. http://www.w3.org/2007/03/13-wsc-irc
   4. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#agenda
   5. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#item01
   6. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#item02
   7. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#item03
   8. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#ActionSummary
   9. http://www.w3.org/2007/03/06-wsc-minutes
  10. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html
  11. http://www.w3.org/2007/03/13-wsc-minutes.html#action01
  12. http://www.w3.org/2006/WSC/wiki/GlossaryFile
  13. http://www.w3.org/2007/03/13-wsc-minutes.html#action02
  14. http://www.w3.org/2006/WSC/drafts/note/#status-quo
  15. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
  16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html
  17. http://www.w3.org/2006/WSC/drafts/note/#status-quo
  18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
  19. http://www.w3.org/2006/WSC/drafts/note/Overview.html#available
  20. http://www.w3.org/2007/03/13-wsc-minutes.html#action03
  21. http://www.w3.org/2007/03/13-wsc-minutes.html#action04
  22. http://www.w3.org/2007/03/13-wsc-minutes.html#action05
  23. http://www.w3.org/2007/03/13-wsc-minutes.html#action06
  24. http://www.w3.org/2007/03/13-wsc-minutes.html#action07
  25. http://www.w3.org/2007/03/13-wsc-minutes.html#action05
  26. http://www.w3.org/2007/03/13-wsc-minutes.html#action03
  27. http://www.w3.org/2007/03/13-wsc-minutes.html#action04
  28. http://www.w3.org/2007/03/13-wsc-minutes.html#action07
  29. http://www.w3.org/2007/03/13-wsc-minutes.html#action01
  30. http://www.w3.org/2007/03/13-wsc-minutes.html#action02
  31. http://www.w3.org/2007/03/13-wsc-minutes.html#action06
  32. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
  33. http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 20 March 2007 22:29:28 UTC