- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 20 Mar 2007 23:29:25 +0100
- To: WSC WG <public-wsc-wg@w3.org>
The minutes from last week's meeting were accepted:

  http://www.w3.org/2007/03/13-wsc-minutes

A text/plain version is included below.

--
Thomas Roessler, W3C <tlr@w3.org>


                               [1]W3C

                               WSC weekly
                              13 Mar 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          Tyler Close, Mary Ellen Zurko, Jan Vidar Krey, Thomas Roessler,
          Chuck Wade, Bill Doyle, Phillip Hallam-Baker, George Staikos,
          Stuart E. Schechter, Pascal Manzano, Praveen Alavilli, Paul Hill,
          Shawn Duffy

   Regrets
          Maritza Johnson, Mike Beltzner, Tim Hahn, Johnathan Nightingale,
          Yakov Sverdlov, Hal Lockhart

   Chair
          Mez

   Scribe
          Tyler

Contents

     * [4]Topics
         1. [5]action items
         2. [6]brief update re Note
         3. [7]documenting the status quo
     * [8]Summary of Action Items
   _________________________________________________________________

<Mez> [9]http://www.w3.org/2007/03/06-wsc-minutes
<tlr> minutes approved

action items

Mez: closing action items, no objections
<Zakim> thomas, you wanted to ask about path forward for glossary
tlr: inquiring about status of glossary action
Mez: nobody has the action now
... we could use the wiki to develop a glossary
<tlr> [10]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html
<tlr> ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some, [recorded in [11]http://www.w3.org/2007/03/13-wsc-minutes.html#action01]
<trackbot> Created ACTION-152 - Put Tim Hahn's outline into Wiki, fill in some, [on Stuart Schechter - due 2007-03-20].
Mez: wants to talk about the status of the Note

brief update re Note

Mez: Who has reviewed the Note in detail
praveen: I have reviewed it, will open an email thread
<Chuck> Yes, I have reviewed Notes, with perspective on how to address my Action 150
Shawn: I have also reviewed it
<ses> i've only glanced at it.
<ses> (very briefly)
billd: I have also reviewed the Note and have a list of comments I am working on
<jvkrey> Only briefly here as well
Mez: Please log with the group once you've reviewed the Note so that we can track the review process
<Chuck> When you refer to the "Note," you do mean the "Web Security Experience, Indicators and Trust: Scope and Use Cases" document we just released???
Mez: Looking to set a deadline for review of the Note
<Chuck> ydx
<Chuck> err, yes
<ses> Depends what you want us looking for in terms of response to review
<Zakim> thomas, you wanted to suggest that we schedule a note review call in 4 weeks or so
Mez: Does a week sound plausible for review w/o comments of the Note?
<ses> <--Has put list of terms Tim generated for Glossary into the wiki. This does not mean that I agree that these are the important terms or that I even understand what's requested by them.
<Mez> many thanks ses
<ses> <[12]http://www.w3.org/2006/WSC/wiki/GlossaryFile>
tlr: explains parts of the process for creating new versions of the Public Working Draft
<tlr> ACTION: thomas to tell tyler about how to do diffs for specprod documents [recorded in [13]http://www.w3.org/2007/03/13-wsc-minutes.html#action02]
<trackbot> Created ACTION-153 - Tell tyler about how to do diffs for specprod documents [on Thomas Roessler - due 2007-03-20].
Mez: look at the outstanding ISSUES list to determine needed edits to the Note

documenting the status quo

<Mez> [14]http://www.w3.org/2006/WSC/drafts/note/#status-quo
<Mez> [15]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
<tlr> [16]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html
Mez: Continuing the conversation on the "Document the status quo" section of the Note
bill-d: We're missing something on multi-factor authentication
bill-d: For example, scenarios involving smart cards
... Am also working on the "Available security information" section.
<Chuck> When considering authentication, it is also worth paying attention to which entity is being authenticated: e.g., the user (a person), their computer, their browser, a smart card, a token
<ses> I was reading what supposedly? Where?
<Mez> [17]http://www.w3.org/2006/WSC/drafts/note/#status-quo
<ses> OIC
<Mez> [18]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
Mez: summarizes the above linked email
[19]http://www.w3.org/2006/WSC/drafts/note/Overview.html#available
Mez: Switching topics to "Available security information"
bill-d: Have a number of additions I would like to make to the Note
Mez: Anyone have additional information about current presentation of security information?
<Chuck> What about indicators of cookies, javascripts, flash objects, images from third party sites
<ses> Firefox has some nice add-ons that let you see what cookies are stored for a given page.
<Chuck> All of these indicators are shown by one or more browsers and/or plugins
bill-d: "Provided by HTTP" section should also include response codes and more HTTP Auth modes.
<ses> This may be brain dead, but isn't the source code of the page contents useful security information? It's the only way I know to know where a form will be submitted.
<tlr> ACTION: doyle to track HTTP Auth related extensions [recorded in [20]http://www.w3.org/2007/03/13-wsc-minutes.html#action03]
<trackbot> Created ACTION-154 - Track HTTP Auth related extensions [on Bill Doyle - due 2007-03-20].
praveen: Notes some additional cookie information could be presented
<tlr> ACTION: praveen to track P3P header related indicators [recorded in [21]http://www.w3.org/2007/03/13-wsc-minutes.html#action04]
<trackbot> Created ACTION-155 - Track P3P header related indicators [on Praveen Alavilli - due 2007-03-20].
<ses> zakim, mute ses so that he can sneeze
Chuck: A number of plugins are presenting additional information
Mez: Will you take an ACTION to start a list?
Chuck: OK, but want help
<tlr> proposed ACTION: chuck to circulate his list of privacy and security indicators
<tlr> ACTION: chuck to circulate his list of privacy and security indicators [recorded in [22]http://www.w3.org/2007/03/13-wsc-minutes.html#action05]
<trackbot> Created ACTION-156 - Circulate his list of privacy and security indicators [on Chuck Wade - due 2007-03-20].
<Chuck> Agreed
ses: We also need the HTML source to show up in available security information
<Chuck> Excellent point, both an important issue (forms receiver) and an example of a terrible user interface/indicator
Mez: suggests "Provided by HTML" for this topic
ses: Don't understand the meaning of "Provided by HTML"
<jvkrey> document?
ses: Javascript content isn't covered in the current list
<staikos> sorry, I have to go :( however I wanted to update that my browser app is almost ready for testing now
<staikos> just a few things left
bill-d: I might have some suggestions for changing the structure of "Available security information"
<tlr> just say "proposed action" or some such, and I'll make sure the bot swallows it
<Mez> proposed action - ask Tyler to update description of 7.2 to encompass the page source, not just URL spec
<Mez> may be superseded by bill's suggestions later
<tlr> ACTION: tyler to update 7.2 to encompass page source [recorded in [23]http://www.w3.org/2007/03/13-wsc-minutes.html#action06]
<trackbot> Created ACTION-157 - Update 7.2 to encompass page source [on Tyler Close - due 2007-03-20].
Mez: Interested in "Has the page completed loading?" Noticed a problem with the display of this status in Safari
<Chuck> When the little wheel stops spinning (for Safari)
<Mez> aahhhhh
<Mez> I didn't see the wheel
bill-d: Who really provides the information that the page has completed loading?
... Doesn't the user agent really determine when the page has completed loading?
Mez: Need more information in the section about why it is structured the way it is
<Chuck> Dare we open up the question of CSS, and CSS overrides??
Mez: Is the redirection list displayed anywhere
Tyler: The back button drop down list presents some of this information. Will send an email to the list.
<Mez> proposed action - the line tyler just put in
Chuck: The user agent often does not display which CSS styling has been applied to the page
<jvkrey> css content replace?
<ses> I think this is the issue that if we're enumerating section 7 by standards, we're missing a bunch (scripting languages, CSS, etc.)
Chuck: The page could look very different if the intended CSS was not applied to the page
<jvkrey> I think this touches the "has the page completed loading?" again
ses: If the attacker can change the page content, the user's decisions may be changed
<ses> Tyler -- the salient point there is that the attacker could do this only using CSS
Chuck: Need an indicator of whether the page is being displayed based on full information from the web site, or whether the browser only got partial information and "filled in the rest", possibly causing a material change to the information perceived by the user
<Chuck> I think so
PHB: For example, I've seen a case where the site intended to display white text on a colored background, but the browser did not fetch the CSS and so displayed white text on a white background.
<PHB> There is no way at present to know if a contract offer is pure HTML, HTML + CSS or script.
<Mez> mute thomas
<PHB> Fixing this requires major issues to change HTML
TLR: This discussion seems to be running up against part of the design of the web, in particular ability to render content incrementally, as it is fetched.
<Chuck> The issue we probably want to address here is how to communicate to a user that the form they are viewing is complete as intended by the authoritative source.
<Chuck> This is important to indicate before a user fills in data into the form.
<bill-d> Chuck, agree - I will incorporate and will send out text for comment
Mez: Let's keep working on this on the mailing list, in particular, we need more information about user interpretations of this information from user studies.
TLR: Perhaps we should also note the "robustness" of the current presentation as we enumerate it.
... For example as part of completing the goal "Reliable presentation of security information"
<tlr> ACTION: roessler to add documentation of known systemic flaws to "Document the status quo" goal [recorded in [24]http://www.w3.org/2007/03/13-wsc-minutes.html#action07]
<trackbot> Created ACTION-158 - Add documentation of known systemic flaws to "Document the status quo" goal [on Thomas Roessler - due 2007-03-20].
Mez: Any closing comments on this goal?
... Will look at threat trees next week.
... goodbye

Summary of Action Items

[NEW] ACTION: chuck to circulate his list of privacy and security indicators [recorded in [25]http://www.w3.org/2007/03/13-wsc-minutes.html#action05]
[NEW] ACTION: doyle to track HTTP Auth related extensions [recorded in [26]http://www.w3.org/2007/03/13-wsc-minutes.html#action03]
[NEW] ACTION: praveen to track P3P header related indicators [recorded in [27]http://www.w3.org/2007/03/13-wsc-minutes.html#action04]
[NEW] ACTION: roessler to add documentation of known systemic flaws to "Document the status quo" goal [recorded in [28]http://www.w3.org/2007/03/13-wsc-minutes.html#action07]
[NEW] ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some, [recorded in [29]http://www.w3.org/2007/03/13-wsc-minutes.html#action01]
[NEW] ACTION: thomas to tell tyler about how to do diffs for specprod documents [recorded in [30]http://www.w3.org/2007/03/13-wsc-minutes.html#action02]
[NEW] ACTION: tyler to update 7.2 to encompass page source [recorded in [31]http://www.w3.org/2007/03/13-wsc-minutes.html#action06]

[End of minutes]
   _________________________________________________________________

   Minutes formatted by David Booth's [32]scribe.perl version 1.128 ([33]CVS log)
   $Date: 2007/03/20 22:07:01 $
   _________________________________________________________________

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0066.html
   3. http://www.w3.org/2007/03/13-wsc-irc
   4. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#agenda
   5. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#item01
   6. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#item02
   7. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#item03
   8. file://localhost/home/roessler/W3C/WWW/2007/03/13-wsc-minutes.html#ActionSummary
   9. http://www.w3.org/2007/03/06-wsc-minutes
  10. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html
  11. http://www.w3.org/2007/03/13-wsc-minutes.html#action01
  12. http://www.w3.org/2006/WSC/wiki/GlossaryFile
  13. http://www.w3.org/2007/03/13-wsc-minutes.html#action02
  14. http://www.w3.org/2006/WSC/drafts/note/#status-quo
  15. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
  16. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html
  17. http://www.w3.org/2006/WSC/drafts/note/#status-quo
  18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
  19. http://www.w3.org/2006/WSC/drafts/note/Overview.html#available
  20. http://www.w3.org/2007/03/13-wsc-minutes.html#action03
  21. http://www.w3.org/2007/03/13-wsc-minutes.html#action04
  22. http://www.w3.org/2007/03/13-wsc-minutes.html#action05
  23. http://www.w3.org/2007/03/13-wsc-minutes.html#action06
  24. http://www.w3.org/2007/03/13-wsc-minutes.html#action07
  25. http://www.w3.org/2007/03/13-wsc-minutes.html#action05
  26. http://www.w3.org/2007/03/13-wsc-minutes.html#action03
  27. http://www.w3.org/2007/03/13-wsc-minutes.html#action04
  28. http://www.w3.org/2007/03/13-wsc-minutes.html#action07
  29. http://www.w3.org/2007/03/13-wsc-minutes.html#action01
  30. http://www.w3.org/2007/03/13-wsc-minutes.html#action02
  31. http://www.w3.org/2007/03/13-wsc-minutes.html#action06
  32. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
  33. http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 20 March 2007 22:29:28 UTC