- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 7 Sep 2007 11:33:22 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2007-08-29 were approved and are
available online here:
http://www.w3.org/2007/08/29-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
29 Aug 2007
[2]Agenda
See also: [3]IRC log
Attendees
Present
ifette, Thomas, johnath, jvkrey, PHB, +3531896aaaa, Audian,
asaldhana, stephenF, rachna, serge, +47.24.16.aabb, yngve,
Maritza_Johnson, Tyler, Tim_Hahn
Regrets
mez, hal
Chair
tlr
Scribe
jvkrey
Contents
* [4]Topics
1. [5]Convene and stuff
2. [6]action item review
3. [7]upcoming meetings
4. [8]state of note
5. [9]loose ends for 5.3
6. [10]section 4, tls for the web
* [11]Summary of Action Items
__________________________________________________________________
<trackbot-ng> Date: 29 August 2007
Convene and stuff
<tlr> tlr: shawn MIA, can jvkrey scribe?
<tlr> jvkrey: yes, I wanted to do that anyway
<ifette> Is PIIbar on the agenda today?
<tlr> ScribeNick: jvkrey
<tlr> [12]http://www.w3.org/2007/08/22-wsc-minutes.html
tlr: any problems with the last minutes?
<tlr> ifette: please fix chair name
<tlr> RESOLVED: to approve minutes provided thomas fixes the chair
entry
action item review
<tlr> ACTION-281: closed
<tlr> ACTION-248: bump due date
upcoming meetings
<asaldha1> ifette, additionally clean up is needed for the phone
numbers
<tlr> [13]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0151.html
<tlr> [14]http://www.w3.org/2002/09/wbs/39814/codesprint/results
<ifette> ? I didn't say anything...
tlr: suggested code sprint on the next f2f
<ifette> @asaldha1, I didn't draft the minutes... did you mean to
address that to someone else?
tlr: propose code sprint will not happen this year, but perhaps
sometime next year
<asaldha1> ifette, yes. I have added additional info to your comment.
<ifette> Aaah ok thanks ;-) I thought you meant I had something to do.
johnath: sounds fine. Tyler might need help implementing PII, but that
does not have to be anything formal
<johnath> fine by me
<tlr> RESOLUTION: no code sprint this year; continue to evaluate
possibility for 08
tlr: please go to the questionnaire
<tlr> [15]http://www.w3.org/2002/09/wbs/39814/wscaustin/
<Zakim> johnath, you wanted to ask about the two remaining meetings
tlr: the Austin f2f is coming up in a little more than four weeks, so
please sign up soon, so all the practicalities can be arranged
johnath: Background on the w3c plenary?
<tlr> [16]http://www.w3.org/2002/09/wbs/35125/TPAC2007/
tlr: the tech plenary is a week where people from all working groups
meet: talks, discussions, etc.
... We will need face time since we are behind schedule, so please come
to the plenary also
<Audian> TLR has heavy accent today ;-)
tyler: are all days of the tech plenary equally important?
<ifette> @Audian, echt?
tlr: the most important days are monday and tuesday.
<tlr> [17]http://www.w3.org/2002/09/wbs/39814/meet2008/
tlr: I recommend the other days too, for seeing what's going on in other
groups
... Please have a look at the questionnaire for f2f availability in the
1st half of 2008
<asaldha1> Australia?
<stephenF> tech plenary registration form lists wsc meeting as member
confid, maybe an error
state of note
tlr: use cases was last updated May 25, should be updated last week. We
should get this note done or almost done by the next meeting.
... I'd like to review what action items are still open
tyler: I did a few changes for Issue 6. Looked at the list from Luis
and Jan Vidar.
<tlr> Conclusion: We believe that ISSUE-6 is done
tlr: need cross checking with Luis
<tlr> [18]http://www.w3.org/2006/WSC/track/issues/92
tlr: Where are we on issue-92, p3p?
<tlr> [19]http://www.w3.org/mid/20070812120610.GX14409%2540raktajino.does-not-exist.org
tyler: do we have consensus on this?
<ifette> There was a conclusion in meeting to add 101 in
<tlr> [20]http://www.w3.org/2006/WSC/track/issues/101
tlr: Issue 101, visiting known sites. We should just add that to the
document.
<stephenF> me too
<serge> the blacklisting is out of scope, no? who cares how the backend
works, we're interested in the display.
tyler: It worries me that this working group should recommend a
blacklisting technique
ifette: the use case isn't promoting a blacklist directly.
tyler: I think this is dancing around the question
johnath: If we include this recommendation, do we need to recommend a
malware UI?
tlr: It's one of the things we should be looking at.
ifette: this is something browsers already are looking into. So it is
not a bad idea for us to look at this
PHB2: I agree. We actually have a toolbar that does blacklisting.
tlr: Should malware detection UI, etc be on the agenda?
<ifette> Yes
<tlr> tlr: in favor
<tyler> The Note is *not* the agenda for what rec proposals will be
considered!
johnath: I can live with it, but I'd like to see the text.
<tyler> The Rec proposal list is the agenda
<stephenF> yes
<asaldhan> yes
jvkrey: I can live with it, but no strong opinion
PHB2: yes
rachna: yes, maybe we can make it more general
serge: ambivalent
<tlr> Should we include the use case included in ISSUE-101 in order to
keep UIs for blacklists, reputation, etc, on the overall agenda of the
group?
<ifette> I think the intent is "The browser believes the site is now
distributing malware" not anything regarding blacklists specifically...
yngve: I can live with it
maritzaj_: yes
tyler: object. The question is misleading.
... I think we should do this as a recommendation proposal
<tjh> Tim Hahn joined
tlr: this means two things. 1 - we have dissent. 2 - it will take
longer to get to a last call.
<ifette> Use case 19 is Vicki is interested in finding out more about
art auctions in the greater Boston area. She engages a search engine
and tries to follow a link there. Her web browser consults a reputation
service which has recorded that the link target will attempt to subvert
the browser and install malicious software. It already "presupposes
this"
tlr: Tyler, I suggest you adopt the other issues. And we will have
another mailing list discussion on issue 101.
<ifette> ok
loose ends for 5.3
<tyler> Ian, I agree that use case is faulty in the same way as the
proposed one
<ifette> I wasn't saying 19 was faulty, I was using 19 to justify mine.
<rachna> Tyler, in your email, it would be useful to know why you think
this should be a recommendation proposal versus a use case. That might
be interesting to discuss.
tlr: Serge, you had an action item to contribute references to 5.3, any
progress?
<tyler> Ok, I agree they share the same characteristic we are talking
about
<tlr> ACTION-283 continued
serge: yes, finishing up today
<asaldhan> tlr: already pinged serge. he knows about it
<tyler> Rachna, will do
tlr: Section 5.3.2 should include some kind of disclaimer
<yngve> RFC 2817/RFC 2818
<tyler> The Vicki use-case is:
<[21]http://www.w3.org/2006/WSC/drafts/note/#any-iui-2>
stephenF: 5.3.2 presupposes URL/cert matching
<tlr> [22]http://www.w3.org/2006/WSC/track/issues/new
section 4, tls for the web
<yngve> RFCs for checking cert for TLS
<tyler> URL?
stephenF: In general I think this section has a few terminology
issues.
... having some pseudocode that explains the whole section better
would be nice
<tlr> ACTION: stephen to suggest fine-tuning of terminology in section
4 - due 2007-09-12 [recorded in
[23]http://www.w3.org/2007/08/29-wsc-minutes.html#action01]
<trackbot-ng> Created ACTION-284 - suggest fine-tuning of terminology
in section 4 [on Stephen Farrell - due 2007-09-12].
yngve: I mentioned a few things earlier. The line about trusted
certificates matching the dereferenced URI should be cleared up a bit.
... When it comes to weaknesses, key sizes used in certificates should
be counted
<serge> I need to get to another meeting.
<tlr> [24]http://www.w3.org/2006/WSC/track/issues/new
<Zakim> stephenF, you wanted to ask about weakness
stephenF: Is it wise to nail down cipher suites and key lengths?
<johnath> stephenF++
<ifette> +1 stephenF
stephenF: I think it is difficult to come up with an exhaustive list of
weak ciphers
... Should we leave it up to the implementers to decide what is weak
and what is not?
<ifette> Is Camellia included in any of the things we're referencing?
cause that's big news in Japan right now and I would hate to leave it
out...
PHB2: I think there are other places that can give that information.
<johnath> we should be referencing, not decreeing. I feel like
evaluating cryptographic strength isn't even in scope
tlr: I don't think we should give detailed information about individual
algorithms
<tlr> ACTION: yngve to propose list of references on strong/weak
algorithms; intent to *reference*, not *import* - due 2007-09-12
[recorded in
[25]http://www.w3.org/2007/08/29-wsc-minutes.html#action02]
<trackbot-ng> Created ACTION-285 - propose list of references on
strong/weak algorithms; intent to *reference*, not *import* [on Yngve
Pettersen - due 2007-09-12].
<stephenF> I'd not mention camellia at all
<stephenF> I was asking whether we should keep the idea of the
no-user-interaction cert given
<stephenF> that pkix isn't planning to work on it
<stephenF> (I disagree with phb there)
<johnath> tlr: I'm going to drop off - phone issues abound, it seems
<tlr> johnath, would prefer to keep you on ;)
<johnath> I'd prefer that too!
PHB2: would like to issue a certificate that works now, and that
doesn't give a padlock or bother the user with accept dialogs in the
future.
stephenF: why no padlock?
tlr: better phrased: the server can say, "You don't have to trust me."
PHB2: the issue here is really about the implementation.
<tlr> [26]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2300585
tlr: One point that bothers me in 4.5.4 of the current editor's draft.
Typing in an https address is a bad thing, but clicking on a link is a
good thing. Strikes me as confusing.
PHB2: typing in "https" creates an expectation about security.
<PHB2> 'may create' - I am not certain it does create an expectation
but some might think it does
tlr: I'd like to make the "typing of https url" more generic.
<tlr> ACTION: tlr to change 4.5.4 into generic "if https typed, then
expectation of strong security" text [recorded in
[27]http://www.w3.org/2007/08/29-wsc-minutes.html#action03]
<trackbot-ng> Created ACTION-286 - Change 4.5.4 into generic "if https
typed, then expectation of strong security" text [on Thomas Roessler -
due 2007-09-05].
<PHB2> low assurance, ~zero assurance
PHB2: we now have 3 buckets of certificates. Bad ones, normal ones and
EV.
<tlr> 4.2 is a way to avoid validity period errors if OCSP isn't
checked at all.
<Zakim> stephenF, you wanted to ask if that hard error for OCSP is wise
tlr: If no OCSP or CRL checking is done, then do not do validation
checks
PHB2: Public wifi will redirect your webstart. This leads to problems
with SSL since OCSP will be blocked, since access isn't granted on the
access point yet.
<ifette> FYI re the use cases, consensus was already declared on that
use case, so it would be *really* nice if people actually paid
attention to their emails :(
[28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0149.html
<stephenF> ldap/ssl can have the same issue as wifi, but it's way less
important
tlr: I suggest everyone have a close look at section 4.5 (change of
security level). We will briefly come back to the question of dealing
with verification errors.
yngve: I'm not sure if I understand 4.2. Clarifications are needed.
Summary of Action Items
[NEW] ACTION: stephen to suggest fine-tuning of terminology in section
4 - due 2007-09-12 [recorded in
[29]http://www.w3.org/2007/08/29-wsc-minutes.html#action01]
[NEW] ACTION: tlr to change 4.5.4 into generic "if https typed, then
expectation of strong security" text [recorded in
[30]http://www.w3.org/2007/08/29-wsc-minutes.html#action03]
[NEW] ACTION: yngve to propose list of references on strong/weak
algorithms; intent to *reference*, not *import* - due 2007-09-12
[recorded in
[31]http://www.w3.org/2007/08/29-wsc-minutes.html#action02]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [32]scribe.perl version 1.128
([33]CVS log)
$Date: 2007/09/01 12:39:23 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0157.html
3. http://www.w3.org/2007/08/29-wsc-irc
4. http://www.w3.org/2007/08/29-wsc-minutes.html#agenda
5. http://www.w3.org/2007/08/29-wsc-minutes.html#item01
6. http://www.w3.org/2007/08/29-wsc-minutes.html#item02
7. http://www.w3.org/2007/08/29-wsc-minutes.html#item03
8. http://www.w3.org/2007/08/29-wsc-minutes.html#item04
9. http://www.w3.org/2007/08/29-wsc-minutes.html#item05
10. http://www.w3.org/2007/08/29-wsc-minutes.html#item06
11. http://www.w3.org/2007/08/29-wsc-minutes.html#ActionSummary
12. http://www.w3.org/2007/08/22-wsc-minutes.html
13. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0151.html
14. http://www.w3.org/2002/09/wbs/39814/codesprint/results
15. http://www.w3.org/2002/09/wbs/39814/wscaustin/
16. http://www.w3.org/2002/09/wbs/35125/TPAC2007/
17. http://www.w3.org/2002/09/wbs/39814/meet2008/
18. http://www.w3.org/2006/WSC/track/issues/92
19. http://www.w3.org/mid/20070812120610.GX14409%2540raktajino.does-not-exist.org
20. http://www.w3.org/2006/WSC/track/issues/101
21. http://www.w3.org/2006/WSC/drafts/note/#any-iui-2%3E
22. http://www.w3.org/2006/WSC/track/issues/new
23. http://www.w3.org/2007/08/29-wsc-minutes.html#action01
24. http://www.w3.org/2006/WSC/track/issues/new
25. http://www.w3.org/2007/08/29-wsc-minutes.html#action02
26. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2300585
27. http://www.w3.org/2007/08/29-wsc-minutes.html#action03
28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0149.html
29. http://www.w3.org/2007/08/29-wsc-minutes.html#action01
30. http://www.w3.org/2007/08/29-wsc-minutes.html#action03
31. http://www.w3.org/2007/08/29-wsc-minutes.html#action02
32. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
33. http://dev.w3.org/cvsweb/2002/scribe/
Received on Friday, 7 September 2007 09:33:31 UTC