Meeting record: WSC WG weekly 2007-08-29

Minutes from our meeting on 2007-08-29 were approved and are
available online here:

   http://www.w3.org/2007/08/29-wsc-minutes.html

A text version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C

               Web Security Context Working Group Teleconference
                                  29 Aug 2007

   [2]Agenda

   See also: [3]IRC log

Attendees

   Present
          ifette, Thomas, johnath, jvkrey, PHB, +3531896aaaa, Audian,
          asaldhana, stephenF, rachna, serge, +47.24.16.aabb, yngve,
          Maritza_Johnson, Tyler, Tim_Hahn

   Regrets
          mez, hal

   Chair
          tlr

   Scribe
          jvkrey

Contents

     * [4]Topics
         1. [5]Convene and stuff
         2. [6]action item review
         3. [7]upcoming meetings
         4. [8]state of note
         5. [9]loose ends for 5.3
         6. [10]section 4, tls for the web
     * [11]Summary of Action Items
     __________________________________________________________________



   <trackbot-ng> Date: 29 August 2007

Convene and stuff

   <tlr> tlr: shawn MIA, can jvkrey scribe?

   <tlr> jvkrey: yes, I wanted to do that anyway

   <ifette> Is PIIbar on the agenda today?

   <tlr> ScribeNick: jvkrey

   <tlr> [12]http://www.w3.org/2007/08/22-wsc-minutes.html

   tlr: any problems with the last minutes?

   <tlr> ifette: please fix chair name

   <tlr> RESOLVED: to approve minutes provided thomas fixes the chair
   entry

action item review

   <tlr> ACTION-281: closed

   <tlr> ACTION-248: bump due date

upcoming meetings

   <asaldha1> ifette, additionally clean up is needed for the phone
   numbers

   <tlr>
   [13]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0151.html

   <tlr> [14]http://www.w3.org/2002/09/wbs/39814/codesprint/results

   <ifette> ? I didn't say anything...

   tlr: suggested code sprint on the next f2f

   <ifette> @asaldha1, I didn't draft the minutes... did you mean to
   address that to someone else?

   tlr: propose code sprint will not happen this year, but perhaps
   sometime next year

   <asaldha1> ifette, yes. I was adding additional info to your comment.

   <ifette> Aaah ok thanks ;-) I thought you meant I had something to do.

   johnath: sounds fine. Tyler might need help implementing PII, but that
   does not have to be anything formal

   <johnath> fine by me

   <tlr> RESOLUTION: no code sprint this year; continue to evaluate
   possibility for 08

   tlr: please go to the questionnaire

   <tlr> [15]http://www.w3.org/2002/09/wbs/39814/wscaustin/

   <Zakim> johnath, you wanted to ask about the two remaining meetings

   tlr: the Austin f2f is coming up in little more than four weeks, so
   please sign up soon, so all the practicalities can be made

   johnath: Background on the w3c plenary?

   <tlr> [16]http://www.w3.org/2002/09/wbs/35125/TPAC2007/

   tlr: the tech plenary is a week where people from all working groups
   meet: talks, discussions, etc.
   ... We will need face time since we are behind schedule, so please come
   to the plenary also

   <Audian> TLR has heavy accent today ;-)

   tyler: are all days of the tech plenary equally important?

   <ifette> @Audian, echt?

   tlr: the most important days are monday and tuesday.

   <tlr> [17]http://www.w3.org/2002/09/wbs/39814/meet2008/

   tlr: recommend the other days also for seeing what's going on in other
   groups also
   ... Please have a look at the questionnaire for f2f availability in the
   1st half of 2008

   <asaldha1> Australia?

   <stephenF> tech plenary registration form lists wsc meeting as member
   confid, maybe an error

state of note

   tlr: use cases was last updated May 25, should be updated last week. We
   should get this note done or almost done by the next meeting.
   ... I'd like to review what action items are still open

   tyler: I did a few changes for Issue 6. Looked at the list from Luis
   and Jan Vidar.

   <tlr> Conclusion: We believe that ISSUE-6 is done

   tlr: need cross checking with Luis

   <tlr> [18]http://www.w3.org/2006/WSC/track/issues/92

   tlr: Where are we on issue-92, p3p?

   <tlr>
   [19]http://www.w3.org/mid/20070812120610.GX14409%2540raktajino.does-not
   -exist.org

   tyler: do we have consensus on this?

   <ifette> There was a conclusion in meeting to add 101 in

   <tlr> [20]http://www.w3.org/2006/WSC/track/issues/101

   tlr: Issue 101, visiting known sites. We should just add that to the
   document.

   <stephenF> me too

   <serge> the blacklisting is out of scope, no? who cares how the backend
   works, we're interested in the display.

   tyler: It worries me that this working group should recommend a black
   listing technique

   ifette: the usecase isn't promoting a black list directly.

   tyler: I think this is dancing around the question

   johnath: If we include this recommendation, do we need to recommend a
   malware UI?

   tlr: It's one of the things we should be looking at.

   ifette: this is something browsers already are looking into. So it is
   not a bad idea for us to look at this

   PHB2: I agree. We actually have a toolbar that does black listing.

   tlr: Should malware detection UI, etc be on the agenda?

   <ifette> Yes

   <tlr> tlr: in favor

   <tyler> The Note is *not* the agenda for what rec proposals will be
   considered!

   johnath: I can live with it, but I'd like to see the text.

   <tyler> The Rec proposal list is the agenda

   <stephenF> yes

   <asaldhan> yes

   jvkrey: I can live with it, but no strong opinion

   PHB2: yes

   rachna: yes, maybe we can make it more general

   serge: ambivalent

   <tlr> Should we include the use case included in ISSUE-101 in order to
   keep UIs for blacklists, reputation, etc, on the overall agenda of the
   group?

   <ifette> I think the intent is "The browser believes the site is now
   distributing malware" not anything regarding blacklists specifically...

   yngve: I can live with it

   maritzaj_: yes

   tyler: object. The question is misleading.
   ... I think we should do this as a recommendation proposal

   <tjh> Tim Hahn joined

   tlr: this means two things. 1 - we have dissent. 2 - it will take
   longer to get to a last call.

   <ifette> Use case 19 is: Vicki is interested in finding out more about
   art auctions in the greater Boston area. She engages a search engine
   and tries to follow a link there. Her web browser consults a reputation
   service which has recorded that the link target will attempt to subvert
   the browser and install malicious software. It already "presupposes
   this"

   tlr: Tyler, I suggest you adopt the other issues. And we will have
   another mailing list discussion on issue 101.

   <ifette> ok

loose ends for 5.3

   <tyler> Ian, I agree that use case is faulty in the same way as the
   proposed one

   <ifette> I wasn't saying 19 was faulty, I was using 19 to justify mine.

   <rachna> Tyler, in your email, it would be useful to know why you think
   this should be a recommendation proposal versus a use case. That might
   be interesting to discuss.

   tlr: Serge, you had an action item to contribute references to 5.3, any
   progress?

   <tyler> Ok, I agree they share the same characteristic we are talking
   about

   <tlr> ACTION-283 continued

   serge: yes, finishing up today

   <asaldhan> tlr: already pinged serge. he knows about it

   <tyler> Rachna, will do

   tlr: Section 5.3.2 should include some kind of disclaimer

   <yngve> RFC 2817/RFC 2818

   <tyler> The Vicki use-case is:
   <[21]http://www.w3.org/2006/WSC/drafts/note/#any-iui-2>

   stephenF: 5.3.2 presupposes URL/cert matching

   <tlr> [22]http://www.w3.org/2006/WSC/track/issues/new

section 4, tls for the web

   <yngve> RFCs for checking cert for TLS

   <tyler> URL?

   stephenF: In general I think this section has a few terminology
   issues.
   ... having some pseudo code that explains the whole section better
   would be nice

   <tlr> ACTION: stephen to suggest fine-tuning of terminology in section
   4 - due 2007-09-12 [recorded in
   [23]http://www.w3.org/2007/08/29-wsc-minutes.html#action01]

   <trackbot-ng> Created ACTION-284 - suggest fine-tuning of terminology
   in section 4 [on Stephen Farrell - due 2007-09-12].

   yngve: I mentioned a few things earlier. The line about trusted
   certificates matches dereferenced URI should be cleared up a bit.
   ... When it comes to weaknesses, key sizes used in certificates should
   be counted

   <serge> I need to get to another meeting.

   <tlr> [24]http://www.w3.org/2006/WSC/track/issues/new

   <Zakim> stephenF, you wanted to ask about weakness

   stephenF: Is it wise to nail down cipher suites and key lengths?

   <johnath> stephenF++

   <ifette> +1 stephenF

   stephenF: I think it is difficult to come up with an exhaustive list of
   weak ciphers
   ... Should we leave it up to the implementers to decide what is weak
   and what is not?

   <ifette> Is Camellia included in any of the things we're referencing?
   cause that's big news in Japan right now and I would hate to leave it
   out...

   PHB2: I think there are other places that can give that information.

   <johnath> we should be referencing, not decreeing. I feel like
   evaluating cryptographic strength isn't even in scope

   tlr: I don't think we should give detailed information about individual
   algorithms

   <tlr> ACTION: yngve to propose list of references on strong/weak
   algorithms; intent to *reference*, not *import* - due 2007-09-12
   [recorded in
   [25]http://www.w3.org/2007/08/29-wsc-minutes.html#action02]

   <trackbot-ng> Created ACTION-285 - propose list of references on
   strong/weak algorithms; intent to *reference*, not *import* [on Yngve
   Pettersen - due 2007-09-12].

   <stephenF> I'd not mention camellia at all

   <stephenF> I was asking whether we should keep the idea of the
   no-user-interaction cert given

   <stephenF> that pkix isn't planning to work on it

   <stephenF> (I disagree with phb there)

   <johnath> tlr: I'm going to drop off - phone issues abound, it seems

   <tlr> johnath, would prefer to keep you on ;)

   <johnath> I'd prefer that too!

   PHB2: would like to issue a certificate that works now, and that
   doesn't give a padlock or bother the user with accept dialogs in the
   future.

   stephenF: why no padlock?

   tlr: better phrased: The server can say, "You don't have to trust me."

   PHB2: the issue here is really about the implementation.

   <tlr> [26]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2300585

   tlr: One point that bothers me in 4.5.4 of the current editor's draft.
   Typing in a https address is a bad thing, but clicking on a link is a
   good thing. Strikes me as confusing.

   PHB2: typing in "https" creates an expectation about security.

   <PHB2> 'may create' - I am not certain it does create an expectation
   but some might think it does

   tlr: I'd like to make the "typing of https url" more generic.

   <tlr> ACTION: tlr to change 4.5.4 into generic "if https typed, then
   expectation of strong security" text [recorded in
   [27]http://www.w3.org/2007/08/29-wsc-minutes.html#action03]

   <trackbot-ng> Created ACTION-286 - Change 4.5.4 into generic "if https
   typed, then expectation of strong security" text [on Thomas Roessler -
   due 2007-09-05].

   <PHB2> low assurance, ~zero assurance

   PHB2: we now have 3 buckets of certificates. Bad ones, normal ones and
   EV.

   <tlr> 4.2 is a way to avoid validity period errors if OCSP isn't
   checked at all.

   <Zakim> stephenF, you wanted to ask if that hard error for OCSP is wise

   tlr: If no OCSP or CRL checking is done, then do not do validation
   checks

   PHB2: Public wifi will redirect your webstart. This leads to problems
   with SSL since OCSP will be blocked, since access isn't granted on the
   access point yet.

   <ifette> FYI re the use cases, consensus was already declared on that
   use case, so it would be *really* nice if people actually paid
   attention to their emails :(
   [28]http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0149.html

   <stephenF> ldap/ssl can have the same issue as wifi, but it's way less
   important

   tlr: I suggest everyone have a close look at section 4.5 (change of
   security level). We will briefly come back to the question of dealing
   with verification errors.

   yngve: I'm not sure if I understand 4.2. Clarifications are needed

Summary of Action Items

   [NEW] ACTION: stephen to suggest fine-tuning of terminology in section
   4 - due 2007-09-12 [recorded in
   [29]http://www.w3.org/2007/08/29-wsc-minutes.html#action01]
   [NEW] ACTION: tlr to change 4.5.4 into generic "if https typed, then
   expectation of strong security" text [recorded in
   [30]http://www.w3.org/2007/08/29-wsc-minutes.html#action03]
   [NEW] ACTION: yngve to propose list of references on strong/weak
   algorithms; intent to *reference*, not *import* - due 2007-09-12
   [recorded in
   [31]http://www.w3.org/2007/08/29-wsc-minutes.html#action02]

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [32]scribe.perl version 1.128
    ([33]CVS log)
    $Date: 2007/09/01 12:39:23 $

References

   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0157.html
   3. http://www.w3.org/2007/08/29-wsc-irc
   4. http://www.w3.org/2007/08/29-wsc-minutes.html#agenda
   5. http://www.w3.org/2007/08/29-wsc-minutes.html#item01
   6. http://www.w3.org/2007/08/29-wsc-minutes.html#item02
   7. http://www.w3.org/2007/08/29-wsc-minutes.html#item03
   8. http://www.w3.org/2007/08/29-wsc-minutes.html#item04
   9. http://www.w3.org/2007/08/29-wsc-minutes.html#item05
  10. http://www.w3.org/2007/08/29-wsc-minutes.html#item06
  11. http://www.w3.org/2007/08/29-wsc-minutes.html#ActionSummary
  12. http://www.w3.org/2007/08/22-wsc-minutes.html
  13. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0151.html
  14. http://www.w3.org/2002/09/wbs/39814/codesprint/results
  15. http://www.w3.org/2002/09/wbs/39814/wscaustin/
  16. http://www.w3.org/2002/09/wbs/35125/TPAC2007/
  17. http://www.w3.org/2002/09/wbs/39814/meet2008/
  18. http://www.w3.org/2006/WSC/track/issues/92
  19. http://www.w3.org/mid/20070812120610.GX14409%2540raktajino.does-not-exist.org
  20. http://www.w3.org/2006/WSC/track/issues/101
  21. http://www.w3.org/2006/WSC/drafts/note/#any-iui-2
  22. http://www.w3.org/2006/WSC/track/issues/new
  23. http://www.w3.org/2007/08/29-wsc-minutes.html#action01
  24. http://www.w3.org/2006/WSC/track/issues/new
  25. http://www.w3.org/2007/08/29-wsc-minutes.html#action02
  26. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#id2300585
  27. http://www.w3.org/2007/08/29-wsc-minutes.html#action03
  28. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Aug/0149.html
  29. http://www.w3.org/2007/08/29-wsc-minutes.html#action01
  30. http://www.w3.org/2007/08/29-wsc-minutes.html#action03
  31. http://www.w3.org/2007/08/29-wsc-minutes.html#action02
  32. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  33. http://dev.w3.org/cvsweb/2002/scribe/

Received on Friday, 7 September 2007 09:33:31 UTC