- From: Thomas Roessler <tlr@w3.org>
 - Date: Thu, 3 May 2007 18:12:33 -0400
 - To: WSC WG <public-wsc-wg@w3.org>
 
The minutes of our meeting on 25 April have been approved and are
available:
  http://www.w3.org/2007/04/25-wsc-minutes
A text/plain version is included below the .signature.
Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
   [1]W3C 
                                 WSC WG weekly
                                  25 Apr 2007
   [2]Agenda
   See also: [3]IRC log
Attendees
   Present
          MaryEllen_Zurko, Thomas, yngve, ses, +1.510.579.aaaa, rachna,
          Maritza_Johnson, jvkrey, beltzner, Rishikesh_A_Pande, johnath,
          bobpinheiro, Luis, Hal, Bill_Doyle, +1.917.330.aabb, DanSchutzer,
          [HP], PHB
   Regrets
          George_S, Bruno, Chuck_W, Tim_H, Rob_Y, Paul_H, Shawn, D
   Chair
          Mez
   Scribe
          luis
Contents
     * [4]Topics
         1. [5]Approve minutes from last meeting
         2. [6]newly closed action items
         3. [7]Dan - Safe Web Browsing
         4. [8]Mozilla Robustness practices
         5. [9]PageInfoSummary
     * [10]Summary of Action Items
     _________________________________________________________________
   <Mez_> whew
   <Mez_> was trying to find that old cheat sheet you sent me ages ago; hadn't
   found it :-)
   <tlr> Praveen, all set up?
   <Mez_> I don't see an identity that looks like Praveen's here
   <Mez_> the mail you sent says Shawn is on this week; Praveen on next
   <Mez_> scribe wise
   <tlr> that explains it all
   <Mez_> PHB, have you been able to make progress on your overdue actions?
   <Mez_> And are they redundant; should they be condensed to 1?
   <ses> It was I.
   <johnath> Mozilla has johnath
   <johnath> better?
   <johnath> beltzner's here too, fyi
   <tlr> ScribeNick: luis
Approve minutes from last meeting
   <tlr> [11]http://www.w3.org/2007/04/18-wsc-minutes
   <tlr> approved
newly closed action items
   <tlr> see agenda:
   [12]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0275.html
   <beltzner> yngve, write the notes here as <name>: text
Dan - Safe Web Browsing
   Safe web browsing started
   <beltzner> yngve, use "..." and "..." if you want to break/continue across
   entries
   <Mez_> [13]http://www.w3.org/2006/WSC/wiki/SafeWebBrowsing
   <beltzner> yngve, then an agent will compile HTML notes out of the IRC
   transcript
   <tlr> [14]http://www.w3.org/2006/WSC/wiki/SafeWebBrowsing
   <beltzner> yngve, ie: beltzner: toot toot ... (then start the next line with
   ...)
   <tlr> beltzner, luis has agreed to scribe; Yngve will be blackmailed some
   time soon ;)
   <beltzner> Luis, see all my comments above to yngve :)
   DanSchutzer: User shall be conscious entering a secure web site
   ... minimizing chancing for spoofing
   ... several components available by browser makers
   ... Microsoft has been in the discussions
   ... an education program is needed for customers
   ... EV cert solutions , info space
   johnath: if recommendation accepted ...
   .... more information where the list of web sites comes from
   ... it's a big piece of infrastructure to maintain
   DanSchutzer: financial industry will create
   ... a certification process
   ... a list financial institutions who have passed certification
   ... communities will be confident in this way
   johnath: a forum is trying to develop EV guidelines. 2 layers available
   ... worry of proliferation of white lists and its organization
   danSchutzer: coordination needed.
   ... A community needed
   ... a technical infrastructure is also needed
   <johnath> k - I've said my piece and gotten a reply, I'm off queue. :)
   ... community of financial institutions is needed
   Hal: IS7 has safe browsing mode
   ... how is that related to safe browsing mentioned here
   DanSchutzer: was not aware of the same term being used
   .... more investigation needed
   ... A common definition needed
   <Mez_> hal, you mean protected mode? (I'm searching around)
   <hal> maybe protected mode is it
   Yngve: difference with padlock used today when accessing secure sites?
   <Mez_> ie protected mode url
   <Mez_>
   [15]http://www.microsoft.com/windows/products/windowsvista/features/details/
   IE7protectedmode.mspx
   danSchutzer: it will require education
   <Mez_> ie protected mode seems to be more for untrusted sites, and not
   trusted sites
   danSchutzer: agree. more conscious users.
   ... educational program will be needed
   ... incentives are also possible
   <Mez_> stronger OS sandboxing, and more stuff on what's going on
   Yngve: example on phishing from "my bank"
   danSchutzer: it's matter of education.
   Thomas: how the user can tell the browser about entering a site ...
    ...  the user selecting different categories of sites
   DanSchutzer: if it is possible to select classes or levels of security
   (discussion not ended)
   <Mez_> :-)
   Luis: (a note will summarize the discussion)
   <tlr> ACTION: schutzer to update "safe browsing mode proposal" to
   incorporate comments [recorded in
   [16]http://www.w3.org/2007/04/25-wsc-minutes.html#action01]
   <trackbot> Created ACTION-204 - Update \"safe browsing mode proposal\" to
   incorporate comments [on Daniel Schutzer - due 2007-05-02].
   Luis: those who have comments, send them
   <Mez_>
   [17]http://www.microsoft.com/windows/products/windowsvista/features/details/
   IE7protectedmode.mspx
Mozilla Robustness practices
   <tlr> [18]http://www.w3.org/2006/WSC/wiki/NoteMozillaCurrentPractice
   <Mez_> [19]http://www.w3.org/2006/WSC/wiki/NoteMozillaCurrentPractice
   <Mez_> hahahaha
   johnathan:... summarizing recommendations
   ... on how to make it harder to spoof
   ... two categories: robustness by having multiple indicators
   ... Padlock for SSL and colored address bar
   ... Redundancy is needed to make attention
   ... recommendation available to prevent scriptable actions
   ... recommendations on pop-up windows
   ... next recommendation for difficulting spoofed URL
   ... prevent spoofing into the chrome
   ... people looking for more information can find it
   ... provided in a meaningful way
   <Zakim> Thomas, you wanted to ask about multiple cues
   Thomas: risk with ...
   <beltzner> tlr, speak up, please!
   <beltzner> tlr, you're very very quiet
   Thomas: replicating padlocks ...
   <tlr> ... won't people get confused and also take a padlock in the content
   as an indicator? ...
   johnath: padlocks in many web sites may not be secure
   ... more indicators needed
   Thomas: .. (too much echo)
   <Tyler> pot kettle
   <johnath> :)
   <Mez_> I know I was reverbing too. Some interaction with johnath's phone I
   fear
   Thomas: what is the concrete step for a certain environment
   johnath: are you recommending the principle?
   Thomas: example. Coloring is suitable for some environment
   <johnath> tlr - agree, will do.
   johnath: agree.
   Mez: strict cross scripting policies
   <tlr> ... charter and scope? ...
   <Mez_> how is the "strict cross scripting" line you put in related to our
   charter and scope and goals?
   johnath: connecting to other sites is known to the UA
   ... I struggle with that myself
   Thomas: in which case to display the padlock?
   <Mez_> which sites connected to might be a good input to security context
   information
   <Mez_> though it might be secondary
   <Mez_> hard to say; need the concrete proposals
   johnath: recommendations are on what is communicated to the user, not on
   what java engines do
   Thomas: more detail on restrictions on scriptability of browser chrome
   ... the content itself might be
   ... scripting access to browser chrome
   ... more elaboration needed
   <johnath> having a lot of network lag here but got most of that
   <beltzner> our network lag issues seem to be local
   <johnath> mez is fine now - but we think we might be having network issues
   locally
   <johnath> hey Mez - you didn't give me an action yet.
   Mez: two more discussions.
   ... johnath taking an action
   ... Not next week. Meeting week after is cancelled
   <tlr> ACTION: johnath to refine MozillaCurrentPractice into rec material -
   due 2007-05-09 [recorded in
   [20]http://www.w3.org/2007/04/25-wsc-minutes.html#action02]
   <trackbot> Sorry, couldn't find user - johnath
   <johnath> understood
   Mez: asking for enlightning discussion on new stuff
   ... Yngve secure page and Johnath on page info.
   <johnath> I would be willing to, except for our network suckage
   johnath: offer to start
   <johnath> page info
   scribe: on identity signal or page info summary
   <johnath> [21]http://www.w3.org/2006/WSC/wiki/PageInfoSummary
PageInfoSummary
   johnath: this recommendation is easy to receive
   ... UA should make available to the user security/privacy details
   <ses> <--signing off
   johnath: security page has sparse information
   <scribe> ... new picture page reorganized in better way
   <Mez_> I love the page visit count
   <Mez_> and indicating the saved passwords nice
   johnath: comments requested
   <johnath> muted now
   <johnath> :)
   Mez: what would show "saved password"?
   johnath: mozilla browser already shows that
   ... i.e. saved passwords once you provide the master password
   <tlr> luis: today browsers protect all passwords with one master password...
   <tlr> ... maybe have two different master passwords ...
   <tlr> ... high-level secure sites like banking ...
   <tlr> ... maybe something different ...
   <tlr> ... any such practice known?
   <tlr> johnath: don't know of any ...
   <tlr> ... probably out of scope ...
   <tlr> ... for this recommendation ...
   <tlr> ... this is not about changing password interaction ...
   johnath: haven't seen the practice. Sounds good. But not related here.
   <tlr> ... but about making summary more user-consumable ...
   Mez: showing technical details is ... ?
   <tlr> ... intrigued by info about crypto algorithms ...
   johnath: some users do care about those details.
   ... they do want to know about page encryption, key lengths, certs
   beltzner: consider this is a first step on what can be shown
   ... information can be structured with a "tell me more button"
   Mez: some crypto experts have suggested showing
   ... such crypto information details in an entertaining way
   ... ...that's one direction to go in
   Thomas: try to abstract from concrete interface
   <tlr> ACTION: johnathan to revise PageInfoSummary by 9 May 2007 [recorded in
   [22]http://www.w3.org/2007/04/25-wsc-minutes.html#action03]
   <trackbot> Created ACTION-205 - Revise PageInfoSummary by 9 May 2007 [on
   Johnathan Nightingale - due 2007-05-02].
   <tlr> ACTION-205 due 2007-05-09
   <johnath> I trust him too
   (sorry ... lost that one)
   <johnath> tlr: did trackbot just say it was due a week before it was really
   due?
   <johnath> oh - you fixed
   <johnath> n/m
   Mez: one more item.
   <Mez_> [23]http://www.w3.org/2006/WSC/wiki/ContextPresentation
   Mez: do we need to call out anything else from table that needs to be
   tracked?
   <Mez_> please restate
   <Mez_> logo type information,
   PHB: recommendations on displaying logo type information
   ... agree to take action
   <tlr> ACTION: hallam-baker to flesh out logotype recommendation [recorded in
   [24]http://www.w3.org/2007/04/25-wsc-minutes.html#action04]
   <trackbot> Created ACTION-206 - Flesh out logotype recommendation [on
   Phillip Hallam-Baker - due 2007-05-02].
   PHB: Next week. May 2nd.
   <johnath> Mez_/tlr: fyi - reviewing this is what kicked me in the ass to
   write the identity & page info reco's, so I am glad we revisited. :)
   yngve: from last meeting: https and http.
   ... see at the bottom of the table
   ... phones posting http content within https
   ... encourage all to check examples posted
   <rishikesh> i have a noon meeting - sorry i got to jump off
   yngve: some clients indicate using padlock
   ... it can be disabled on some browsers
   ... hasn't posted anything on wiki. account needed Thomas
   Thomas: asking yngve if new account needed
   Mez: All - if account needed ask Thomas
   <PHB> Could we get the open ID plug in enabled???
   <PHB> Or CardSpace!
   Thomas: I have any other business.
   <johnath> Mez_: zing!
   Thomas: Who is contact for European banking ...?
   <johnath> tim always answers my questions, anyhow. :)
   <Mez_> [25]http://www.w3.org/2007/02/dmdwa-ws/
   Mez: informs about coming W3C workshop
   ... declarative web models for distr. apps in Dublin
   ... those who want can stay after our workshop
   <johnath> mez - fair warning, I can't lightning discuss identity next week
   because I'm not here, as mentioned in other contexts, where you might not
   have made the connection :)
   Mez: informing about recommendations being drafted to be available at f2f
   meeting
   <Mez_> johnath; got it, good point
   <tlr> luis, please stay on the phone for a sec
   <Mez_> hadn't put it together - that was the London thing?
   <Mez_> have a great one
   <johnath> so by next week we shouldn't need softphone - the feedback was
   from my speakers being so close to my mic, insofar as they are both
   somewhere in the nether-regions of the macbook :)
Summary of Action Items
   [NEW] ACTION: hallam-baker to flesh out logotype recommendation [recorded in
   [26]http://www.w3.org/2007/04/25-wsc-minutes.html#action04]
   [NEW] ACTION: johnath to refine MozillaCurrentPractice into rec material -
   due 2007-05-09 [recorded in
   [27]http://www.w3.org/2007/04/25-wsc-minutes.html#action02]
   [NEW] ACTION: johnathan to revise PageInfoSummary by 9 May 2007 [recorded in
   [28]http://www.w3.org/2007/04/25-wsc-minutes.html#action03]
   [NEW] ACTION: schutzer to update "safe browsing mode proposal" to
   incorporate comments [recorded in
   [29]http://www.w3.org/2007/04/25-wsc-minutes.html#action01]
     _________________________________________________________________
    Minutes formatted by David Booth's [30]scribe.perl version 1.128 ([31]CVS
    log)
    $Date: 2007/05/03 22:09:29 $
     _________________________________________________________________
References
   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0275.html
   3. http://www.w3.org/2007/04/25-wsc-irc
   4. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#agenda
   5. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#item01
   6. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#item02
   7. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#item03
   8. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#item04
   9. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#item05
  10. file://localhost/home/roessler/W3C/WWW/2007/04/25-wsc-minutes.html#ActionSummary
  11. http://www.w3.org/2007/04/18-wsc-minutes
  12. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0275.html
  13. http://www.w3.org/2006/WSC/wiki/SafeWebBrowsing
  14. http://www.w3.org/2006/WSC/wiki/SafeWebBrowsing
  15. http://www.microsoft.com/windows/products/windowsvista/features/details/IE7protectedmode.mspx
  16. http://www.w3.org/2007/04/25-wsc-minutes.html#action01
  17. http://www.microsoft.com/windows/products/windowsvista/features/details/IE7protectedmode.mspx
  18. http://www.w3.org/2006/WSC/wiki/NoteMozillaCurrentPractice
  19. http://www.w3.org/2006/WSC/wiki/NoteMozillaCurrentPractice
  20. http://www.w3.org/2007/04/25-wsc-minutes.html#action02
  21. http://www.w3.org/2006/WSC/wiki/PageInfoSummary
  22. http://www.w3.org/2007/04/25-wsc-minutes.html#action03
  23. http://www.w3.org/2006/WSC/wiki/ContextPresentation
  24. http://www.w3.org/2007/04/25-wsc-minutes.html#action04
  25. http://www.w3.org/2007/02/dmdwa-ws/
  26. http://www.w3.org/2007/04/25-wsc-minutes.html#action04
  27. http://www.w3.org/2007/04/25-wsc-minutes.html#action02
  28. http://www.w3.org/2007/04/25-wsc-minutes.html#action03
  29. http://www.w3.org/2007/04/25-wsc-minutes.html#action01
  30. http://dev.w3.org/cvsweb/%7Echeckout%7E/2002/scribe/scribedoc.htm
  31. http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 3 May 2007 22:12:40 UTC