- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 20 Mar 2007 23:29:25 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from last week's meeting were accepted:
http://www.w3.org/2007/03/13-wsc-minutes
A text/plain version is included below.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
WSC weekly
13 Mar 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
Tyler Close
Mary Ellen Zurko
Jan Vidar Krey
Thomas Roessler
Chuck Wade
Bill Doyle
Phillip Hallam-Baker
George Staikos
Stuart E. Schechter
Pascal Manzano
Praveen Alavilli
Paul Hill
Shawn Duffy
Regrets
Maritza Johnson
Mike Beltzner
Tim Hahn
Johnathan Nightingale
Yakov Sverdlov
Hal Lockhart
Chair
Mez
Scribe
Tyler
Contents
* [4]Topics
1. [5]action items
2. [6]brief update re Note
3. [7]documenting the status quo
* [8]Summary of Action Items
_________________________________________________________________
<Mez> [9]http://www.w3.org/2007/03/06-wsc-minutes
<tlr> minutes approved
action items
Mez: closing action items, no objections
<Zakim> thomas, you wanted to ask about path forward for glossary
tlr: inquiring about status of glossary action
Mez: nobody has the action now
... we could use the wiki to develop a glossary
<tlr> [10]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html
<tlr> ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some,
[recorded in [11]http://www.w3.org/2007/03/13-wsc-minutes.html#action01]
<trackbot> Created ACTION-152 - Put Tim Hahn's outline into Wiki, fill in
some, [on Stuart Schechter - due 2007-03-20].
Mez: wants to talk about the status of the Note
brief update re Note
Mez: Who has reviewed the Note in detail
praveen: I have reviewed it, will open an email thread
<Chuck> Yes, I have reviewed Notes, with perspective on how to address my
Action 150
Shawn: I have also reviewed it
<ses> i've only glanced at it.
<ses> (very briefly)
billd: I have also reviewed the Note and have a list of comments I am
working on
<jvkrey> Only briefly here as well
Mez: Please log with the group once you've reviewed the Note so that we can
track the review process
<Chuck> When you refer to the "Note," you do mean the "Web Security
Experience, Indicators and Trust: Scope and Use Cases" document we just
released???
Mez: Looking to set a deadline for review of the Note
<Chuck> ydx
<Chuck> err, yes
<ses> Depends what you want us looking for in terms of response to review
<Zakim> thomas, you wanted to suggest that we schedule a note review call in
4 weeks or so
Mez: Does a week sound plausible for review w/o comments of the Note?
<ses> <--Has put list of terms Tim generated for Glossary into the wiki.
This does not mean that I agree that these are the important terms or that I
even understand what's requested by them.
<Mez> many thanks ses
<ses> <[12]http://www.w3.org/2006/WSC/wiki/GlossaryFile>
tlr: explains parts of the process for creating new versions of the Public
Working Draft
<tlr> ACTION: thomas to tell tyler about how to do diffs for specprod
documents [recorded in
[13]http://www.w3.org/2007/03/13-wsc-minutes.html#action02]
<trackbot> Created ACTION-153 - Tell tyler about how to do diffs for
specprod documents [on Thomas Roessler - due 2007-03-20].
Mez: look at the outstanding ISSUES list to determine needed edits to the
Note
documenting the status quo
<Mez> [14]http://www.w3.org/2006/WSC/drafts/note/#status-quo
<Mez> [15]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
<tlr> [16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html
Mez: Continuing the conversation on the "Document the status quo" section of
the Note
bill-d: We're missing something on multi-factor authentication
bill-d: For example, scenarios involving smart cards
... Am also working on the "Available security information" section.
<Chuck> When considering authentication, it is also worth paying attention
to which entity is being authenticated: e.g., the user (a person), their
computer, their browser, a smart card, a token
<ses> I was reading what supposedly? Where?
<Mez> [17]http://www.w3.org/2006/WSC/drafts/note/#status-quo
<ses> OIC
<Mez> [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
Mez: summarizes the above linked email
[19]http://www.w3.org/2006/WSC/drafts/note/Overview.html#available
Mez: Switching topics to "Available security information"
bill-d: Have a number of additions I would like to make to the Note
Mez: Anyone have additional information about current presentation of
security information?
<Chuck> What about indicators of cookies, javascripts, flash objects, images
from third party sites
<ses> Firefox has some nice add-ons that let you see what cookies are stored
for a given page.
<Chuck> All of these indicators are shown by one or more browsers and/or
plugins
bill-d: "Provided by HTTP" section should also include response codes and
more HTTP Auth modes.
<ses> This may be brain dead, but isn't the source code of the page contents
useful security information? It's the only way I know to know where a form
will be submitted.
<tlr> ACTION: doyle to track HTTP Auth related extensions [recorded in
[20]http://www.w3.org/2007/03/13-wsc-minutes.html#action03]
<trackbot> Created ACTION-154 - Track HTTP Auth related extensions [on Bill
Doyle - due 2007-03-20].
praveen: Notes some additional cookie information could be presented
<tlr> ACTION: praveen to track P3P header related indicators [recorded in
[21]http://www.w3.org/2007/03/13-wsc-minutes.html#action04]
<trackbot> Created ACTION-155 - Track P3P header related indicators [on
Praveen Alavilli - due 2007-03-20].
<ses> zakim, mute ses so that he can sneeze
Chuck: A number of plugins are presenting additional information
Mez: Will you take an ACTION to start a list?
Chuck: OK, but want help
<tlr> proposed ACTION: chuck to circulate his list of privacy and security
indicators
<tlr> ACTION: chuck to circulate his list of privacy and security indicators
[recorded in [22]http://www.w3.org/2007/03/13-wsc-minutes.html#action05]
<trackbot> Created ACTION-156 - Circulate his list of privacy and security
indicators [on Chuck Wade - due 2007-03-20].
<Chuck> Agreed
ses: We also need the HTML source to show up in available security
information
<Chuck> Excellent point, both an important issue (forms receiver) and an
example of a terrible user interface/indicator
Mez: suggests "Provided by HTML" for this topic
ses: Don't understand the meaning of "Provided by HTML"
<jvkrey> document?
ses: Javascript content isn't covered in the current list
<staikos> sorry, I have to go :( however I wanted to update that my browser
app is almost ready for testing now
<staikos> just a few things left
bill-d: I might have some suggestions for changing the structure of
"Available security information"
<tlr> just say "proposed action" or some such, and I'll make sure the bot
swallows it
<Mez> proposed action - ask Tyler to update description of 7.2 to encompass
the page source, not just URL spec
<Mez> may be superseded by bill's suggestions later
<tlr> ACTION: tyler to update 7.2 to encompass page source [recorded in
[23]http://www.w3.org/2007/03/13-wsc-minutes.html#action06]
<trackbot> Created ACTION-157 - Update 7.2 to encompass page source [on
Tyler Close - due 2007-03-20].
Mez: Interested in "Has the page completed loading?" Noticed a problem with
the display of this status in Safari
<Chuck> When the little wheel stops spinning (for Safari)
<Mez> aahhhhh
<Mez> I didn't see the wheel
bill-d: Who really provides the information that the page has completed
loading?
... Doesn't the user agent really determine when the page has completed
loading?
Mez: Need more information in the section about why it is structured the way
it is
<Chuck> Dare we open up the question of CSS, and CSS overrides??
Mez: Is the redirection list displayed anywhere
Tyler: The back button drop down list presents some of this information.
Will send an email to the list.
<Mez> proposed action - the line tyler just put in
Chuck: The user agent often does not display which CSS styling has been
applied to the page
<jvkrey> css content replace?
<ses> I think this is the issue that if we're enumerating section 7 by
standards, we're missing a bunch (scripting languages, CSS, etc.)
Chuck: The page could look very different if the intended CSS was not
applied to the page
<jvkrey> I think this touches the "has the page completed loading?" again
ses: If the attacker can change the page content, the user's decisions may
be changed
<ses> Tyler -- the salient point there is that the attacker could do this
only using CSS
Chuck: Need an indicator of whether the page is being displayed based on
full information from the web site, or whether the browser only got partial
information and "filled in the rest", possibly causing a material change to
the information perceived by the user
<Chuck> I think so
PHB: For example, I've seen a case where the site intended to display white
text on a colored background, but the browser did not fetch the CSS and so
displayed white text on a white background.
<PHB> There is no way at present to know if a contract offer is pure HTML,
HTML + CSS or script.
<Mez> mute thomas
<PHB> Fixing this requires major issues to change HTML
TLR: This discussion seems to be running up against part of the design of
the web, in particular the ability to render content incrementally, as it is
fetched.
<Chuck> The issue we probably want to address here is how to communicate to
a user that the form they are viewing is complete as intended by the
authoritative source.
<Chuck> This is important to indicate before a user fills in data into the
form.
<bill-d> Chuck, agree - I will incorporate and will send out text for
comment
Mez: Let's keep working on this on the mailing list, in particular, we need
more information about user interpretations of this information from user
studies.
TLR: Perhaps we should also note the "robustness" of the current
presentation as we enumerate it.
... For example as part of completing the goal "Reliable presentation of
security information"
<tlr> ACTION: roessler to add documentation of known systemic flaws to
"Document the status quo" goal [recorded in
[24]http://www.w3.org/2007/03/13-wsc-minutes.html#action07]
<trackbot> Created ACTION-158 - Add documentation of known systemic flaws to
"Document the status quo" goal [on Thomas Roessler - due 2007-03-20].
Mez: Any closing comments on this goal?
... Will look at threat trees next week.
... goodbye
Summary of Action Items
[NEW] ACTION: chuck to circulate his list of privacy and security indicators
[recorded in [25]http://www.w3.org/2007/03/13-wsc-minutes.html#action05]
[NEW] ACTION: doyle to track HTTP Auth related extensions [recorded in
[26]http://www.w3.org/2007/03/13-wsc-minutes.html#action03]
[NEW] ACTION: praveen to track P3P header related indicators [recorded in
[27]http://www.w3.org/2007/03/13-wsc-minutes.html#action04]
[NEW] ACTION: roessler to add documentation of known systemic flaws to
"Document the status quo" goal [recorded in
[28]http://www.w3.org/2007/03/13-wsc-minutes.html#action07]
[NEW] ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some,
[recorded in [29]http://www.w3.org/2007/03/13-wsc-minutes.html#action01]
[NEW] ACTION: thomas to tell tyler about how to do diffs for specprod
documents [recorded in
[30]http://www.w3.org/2007/03/13-wsc-minutes.html#action02]
[NEW] ACTION: tyler to update 7.2 to encompass page source [recorded in
[31]http://www.w3.org/2007/03/13-wsc-minutes.html#action06]
[End of minutes]
_________________________________________________________________
Minutes formatted by David Booth's [32]scribe.perl version 1.128 ([33]CVS
log)
$Date: 2007/03/20 22:07:01 $
_________________________________________________________________
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0066.html
3. http://www.w3.org/2007/03/13-wsc-irc
4. http://www.w3.org/2007/03/13-wsc-minutes.html#agenda
5. http://www.w3.org/2007/03/13-wsc-minutes.html#item01
6. http://www.w3.org/2007/03/13-wsc-minutes.html#item02
7. http://www.w3.org/2007/03/13-wsc-minutes.html#item03
8. http://www.w3.org/2007/03/13-wsc-minutes.html#ActionSummary
9. http://www.w3.org/2007/03/06-wsc-minutes
10. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html
11. http://www.w3.org/2007/03/13-wsc-minutes.html#action01
12. http://www.w3.org/2006/WSC/wiki/GlossaryFile
13. http://www.w3.org/2007/03/13-wsc-minutes.html#action02
14. http://www.w3.org/2006/WSC/drafts/note/#status-quo
15. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html
17. http://www.w3.org/2006/WSC/drafts/note/#status-quo
18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
19. http://www.w3.org/2006/WSC/drafts/note/Overview.html#available
20. http://www.w3.org/2007/03/13-wsc-minutes.html#action03
21. http://www.w3.org/2007/03/13-wsc-minutes.html#action04
22. http://www.w3.org/2007/03/13-wsc-minutes.html#action05
23. http://www.w3.org/2007/03/13-wsc-minutes.html#action06
24. http://www.w3.org/2007/03/13-wsc-minutes.html#action07
25. http://www.w3.org/2007/03/13-wsc-minutes.html#action05
26. http://www.w3.org/2007/03/13-wsc-minutes.html#action03
27. http://www.w3.org/2007/03/13-wsc-minutes.html#action04
28. http://www.w3.org/2007/03/13-wsc-minutes.html#action07
29. http://www.w3.org/2007/03/13-wsc-minutes.html#action01
30. http://www.w3.org/2007/03/13-wsc-minutes.html#action02
31. http://www.w3.org/2007/03/13-wsc-minutes.html#action06
32. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
33. http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 20 March 2007 22:29:28 UTC