- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 7 Sep 2007 11:33:22 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2007-08-29 were approved and are available online here: http://www.w3.org/2007/08/29-wsc-minutes.html A text version is included below the .signature. -- Thomas Roessler, W3C <tlr@w3.org> [1]W3C Web Security Context Working Group Teleconference 29 Aug 2007 [2]Agenda See also: [3]IRC log Attendees Present ifette, Thomas, johnath, jvkrey, PHB, +3531896aaaa, Audian, asaldhana, stephenF, rachna, serge, +47.24.16.aabb, yngve, Maritza_Johnson, Tyler, Tim_Hahn Regrets mez, hal Chair tlr Scribe jvkrey Contents * [4]Topics 1. [5]Convene and stuff 2. [6]action item review 3. [7]upcoming meetings 4. [8]state of note 5. [9]loose ends for 5.3 6. [10]section 4, tls for the web * [11]Summary of Action Items __________________________________________________________________ <trackbot-ng> Date: 29 August 2007 Convene and stuff <tlr> tlr: shawn MIA, can jvkrey scribe? <tlr> jvkrey: yes, I wanted to do that anyway <ifette> Is PIIbar on the agenda today? <tlr> ScribeNick: jvkrey <tlr> [12]http://www.w3.org/2007/08/22-wsc-minutes.html tlr: any problems with the last minutes? <tlr> ifette: please fix chair name <tlr> RESOLVED: to approve minutes provided thomas fixes the chair entry action item review <tlr> ACTION-281: closed <tlr> ACTION-248: bump due date upcoming meetings <asaldha1> ifette, additionally clean up is needed for the phone numbers <tlr> [13]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0151.html <tlr> [14]http://www.w3.org/2002/09/wbs/39814/codesprint/results <ifette> ? I didn't say anything... tlr: suggested code sprint on the next f2f <ifette> @asaldha1, I didn't draft the minutes... did you mean to address that to someone else? tlr: propose code sprint will not happen this year, but perhaps sometime next year <asaldha1> ifette, yes. I have adding additional info to ur comment. <ifette> Aaah ok thanks ;-) I thought you meant I had something to do. johnath: sounds fine. Tyler might need help implementing PII, but that does not have to be anything formal <johnath> fine by me <tlr> RESOLUTION: no code sprint this year; continue to evaluate possibility for 08 tlr: please go to the questionaire <tlr> [15]http://www.w3.org/2002/09/wbs/39814/wscaustin/ <Zakim> johnath, you wanted to ask about the two remaining meetings tlr: the Austin f2f is coming up in little more than four weeks, so please sign up soon, so all the practicalities can be made johnath: Background on the w3c plenary? <tlr> [16]http://www.w3.org/2002/09/wbs/35125/TPAC2007/ tlr: the tech planary is a week where people for all working groups meet, talks, discussions, etc ... We will need face time since we are behind schedule, so please come to the plenary also <Audian> TLR has heavy accent today ;-) tyler: are all days of the tech plenary equally important? <ifette> @Audian, echt? tlr: the most important days are monday and tuesday. <tlr> [17]http://www.w3.org/2002/09/wbs/39814/meet2008/ tlr: recommend the other days also for seeing what's going on in other groups also ... Please have a look at the questionaire for f2f availability in 1st half of 2008 <asaldha1> Australia? <stephenF> tech plenary registration form lists wsc meeting as member confid, maybe an error state of note tlr: use cases was last updated May 25, should be updated last week. We should get this note done or almost done by the next meeting. ... I'd like to review what action items are still open tyler: I did a few changes for Issue 6. Looked on the list from Luis and Jan Vidar. <tlr> Conclusion: We believe that ISSUE-6 is done tlr: need cross checking with Luis <tlr> [18]http://www.w3.org/2006/WSC/track/issues/92 tlr: Where are we on issue-92, p3p? <tlr> [19]http://www.w3.org/mid/20070812120610.GX14409%2540raktajino.does-not -exist.org tyler: do we have consensus on this? <ifette> There was a conclusion in meeting to add 101 in <tlr> [20]http://www.w3.org/2006/WSC/track/issues/101 tlr: Issue 101, visiting known sites. We should just add that to the document. <stephenF> me too <serge> the blacklisting is out of scope, no? who cares how the backend works, we're interested in the display. tyler: It worries me that this working group should recommend a black listing technique ifette: the usecase isn't promoting a black list directly. tyler: I think this is dancing around the question johnath: If we include this recommendation, do we need to recommend a malware UI? tlr: It's one of the things we should be looking at. ifette: this is something browsers already are looking into. So it is a not a bad idea for us to look at this PHB2: I agree. We actually have a toolbar that does black listing. tlr: Should malware detection UI, etc be on the agenda? <ifette> Yes <tlr> tlr: in favor <tyler> The Note is *not* the agenda for what rec proposals will be considered! johnath: I can live with it, but I'd like to see the text. <tyler> The Rec proposal list is the agenda <stephenF> yes <asaldhan> yes jvkrey: I can live with it, but no strong opinion PHB2: yes rachna: yes, maybe we can make it more general serge: ambivalent <tlr> Should we include the use case included in ISSUE-101 in order to keep UIs for blacklists, reputation, etc, on the overall agenda of the group? <ifette> I think the intent is "The browser believes the site is now distributing malware" not anything regarding blacklists specifically... yngve: I can live with it maritzaj_: yes tyler: object. The question is misleading. ... I think we should do this as a recommendation proposal <tjh> Tim Hahn joined tlr: this means two things. 1 - we have dissent. 2 - it will take longer to get to a last call. <ifette> Use case 19 is Vicki is interested in finding out more about art auctions in the greater Boston area. She engages a search engine and tries to follow a link there. Her web browser consults a reputation service which has recorded that the link target will attempt to subvert the browser and install malicious software. It already "presuppsoes this" tlr: Tyler, I suggest you adopt the other issues. And we will have another mailing list discussion on issue 101. <ifette> ok loose ends for 5.3 <tyler> Ian, I agree that use case is faulty in the same way as the proposed one <ifette> I wasn't saying 19 was faulty, I was using 19 to justify mine. <rachna> Tyler, in your email, it would be useful to know why you think this should be a recommendation proposal versus a use case. That might be interesting to discuss. tlr: Serge, you had an action item to contribute references to 5.3, any progress? <tyler> Ok, I agree they share the same characteristic we are talking about <tlr> ACTION-283 continued serge: yes, finishing up today <asaldhan> tlr: already pinged serge. he knows about it <tyler> Rachna, will do tlr: Section 5.3.2 should include some kind of disclaimer <yngve> RFC 2817/RFC 2818 <tyler> The Vicki use-case is: <[21]http://www.w3.org/2006/WSC/drafts/note/#any-iui-2> stephenF: 5.3.2 presupposes URL/cert matching <tlr> [22]http://www.w3.org/2006/WSC/track/issues/new section 4, tls for the web <yngve> RFCs for checking cert for TLS <tyler> URL? stephenF: In general I think this section has a few terminiology issues. ... having some pseudo code that explains the whole section better would be nice <tlr> ACTION: stephen to suggest fine-tuning of terminology in section 4 - due 2007-09-12 [recorded in [23]http://www.w3.org/2007/08/29-wsc-minutes.html#action01] <trackbot-ng> Created ACTION-284 - suggest fine-tuning of terminology in section 4 [on Stephen Farrell - due 2007-09-12]. yngve: I mentioned a few things earlier. The line about trusted certificates matches dereferenced URI should be cleared up a bit. ... When it comes to weaknesses, key sizes used in certificates should be counted <serge> I need to get to another meeting. <tlr> [24]http://www.w3.org/2006/WSC/track/issues/new <Zakim> stephenF, you wanted to ask about weakness stephenF: Is it wise to nail down cipher suites and key lengths? <johnath> stephenF++ <ifette> +1 stephenF stephenF: I think it is difficult to come up with a exhaustive list of weak ciphers ... Should we leave it up to the implementers to decide what is weak and what is not? <ifette> Is Camellia included in any of the things we're referencing? cause that's big news in Japan right now and I would hate to leave it out... PHB2: I think there are other places that can give that information. <johnath> we should be referencing, not decreeing. I feel like evaluating cryptographic strength isn't even in scope tlr: I don't think we should give detailed information about individual algorithms <tlr> ACTION: yngve to propose list of references on strong/weak algorithms; intent to *reference*, not *import* - due 2007-09-12 [recorded in [25]http://www.w3.org/2007/08/29-wsc-minutes.html#action02] <trackbot-ng> Created ACTION-285 - propose list of references on strong/weak algorithms; intent to *reference*, not *import* [on Yngve Pettersen - due 2007-09-12]. <stephenF> I'd not mention camellia at all <stephenF> I was asking whether we should keep the idea of the no-user-interaction cert given <stephenF> that pkix isn't planning to work on it <stephenF> (I disagree with phb there) <johnath> tlr: I'm going to drop off - phone issues abound, it seems <tlr> johnath, would prefer to keep you on ;) <johnath> I'd prefer that too! PHB2: would like to issue a certificate that works now, and that doesn't give a pad lock or bother the user with accept dialogs in the future. stephenF: why no padlock? tlr: better phrased. The server can say; You don't have to trust me. PHB2: the issue here is really about the implementation. <tlr> [26]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2300585 tlr: One point that bothers me in 4.5.4 of the current editor's draft. Typing in a https address is a bad thing, but clicking on a link is a good thing. Strikes me as confusing. PHB2: typing in "https" creates an expectation about security. <PHB2> 'may create' - I am not certain it does create an expectation but some might think it does tlr: I'd like to make the "typing of https url" more generic. <tlr> ACTION: tlr to change 4.5.4 into generic "if https typed, then expectation of strong security" text [recorded in [27]http://www.w3.org/2007/08/29-wsc-minutes.html#action03] <trackbot-ng> Created ACTION-286 - Change 4.5.4 into generic \"if https typed, then expectation of strong security\" text [on Thomas Roessler - due 2007-09-05]. <PHB2> low assurance, ~zero assurance PHB2: we now have 3 buckets of certificates. Bad ones, normal ones and EV. <tlr> 4.2 is a way to avoid validity period errors if OCSP isn't checked at all. <Zakim> stephenF, you wanted to ask if that hard error for OCSP is wise tlr: If no OCSP or CRL checking is done. then do not do validation checks PHB2: Public wifi will redirect your webstart. This leads to problems with SSL since OCSP will be blocked, since access isn't granted on the access point yet. <ifette> FYI re the use cases, consensus was already declared on that use case, so it would be *really* nice if people actually paid attention to their emails :( [28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0149.html <stephenF> ldap/ssl can have the same issue as wifi, but its way less important tlr: I suggest everyone to have a close look at section 4.5 (change of security level). We will briefly come back to the question on dealing with verification error. yngve: I'm not sure if I understand 4.2. Clarifications are needed Summary of Action Items [NEW] ACTION: stephen to suggest fine-tuning of terminology in section 4 - due 2007-09-12 [recorded in [29]http://www.w3.org/2007/08/29-wsc-minutes.html#action01] [NEW] ACTION: tlr to change 4.5.4 into generic "if https typed, then expectation of strong security" text [recorded in [30]http://www.w3.org/2007/08/29-wsc-minutes.html#action03] [NEW] ACTION: yngve to propose list of references on strong/weak algorithms; intent to *reference*, not *import* - due 2007-09-12 [recorded in [31]http://www.w3.org/2007/08/29-wsc-minutes.html#action02] [End of minutes] __________________________________________________________________ Minutes formatted by David Booth's [32]scribe.perl version 1.128 ([33]CVS log) $Date: 2007/09/01 12:39:23 $ References 1. http://www.w3.org/ 2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0157.html 3. http://www.w3.org/2007/08/29-wsc-irc 4. http://www.w3.org/2007/08/29-wsc-minutes.html#agenda 5. http://www.w3.org/2007/08/29-wsc-minutes.html#item01 6. http://www.w3.org/2007/08/29-wsc-minutes.html#item02 7. http://www.w3.org/2007/08/29-wsc-minutes.html#item03 8. http://www.w3.org/2007/08/29-wsc-minutes.html#item04 9. http://www.w3.org/2007/08/29-wsc-minutes.html#item05 10. http://www.w3.org/2007/08/29-wsc-minutes.html#item06 11. http://www.w3.org/2007/08/29-wsc-minutes.html#ActionSummary 12. http://www.w3.org/2007/08/22-wsc-minutes.html 13. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0151.html 14. http://www.w3.org/2002/09/wbs/39814/codesprint/results 15. http://www.w3.org/2002/09/wbs/39814/wscaustin/ 16. http://www.w3.org/2002/09/wbs/35125/TPAC2007/ 17. http://www.w3.org/2002/09/wbs/39814/meet2008/ 18. http://www.w3.org/2006/WSC/track/issues/92 19. http://www.w3.org/mid/20070812120610.GX14409%2540raktajino.does-not-exist.org 20. http://www.w3.org/2006/WSC/track/issues/101 21. http://www.w3.org/2006/WSC/drafts/note/#any-iui-2%3E 22. http://www.w3.org/2006/WSC/track/issues/new 23. http://www.w3.org/2007/08/29-wsc-minutes.html#action01 24. http://www.w3.org/2006/WSC/track/issues/new 25. http://www.w3.org/2007/08/29-wsc-minutes.html#action02 26. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2300585 27. http://www.w3.org/2007/08/29-wsc-minutes.html#action03 28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0149.html 29. http://www.w3.org/2007/08/29-wsc-minutes.html#action01 30. http://www.w3.org/2007/08/29-wsc-minutes.html#action03 31. http://www.w3.org/2007/08/29-wsc-minutes.html#action02 32. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm 33. http://dev.w3.org/cvsweb/2002/scribe/ -- Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 7 September 2007 09:33:31 UTC