W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2008

Meeting record: WSC WG weekly 2008-01-16

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 23 Jan 2008 18:14:12 +0100
To: public-wsc-wg@w3.org
Message-ID: <20080123171412.GA794@iCoaster.does-not-exist.org>

Minutes from our meeting on 2008-01-16 were approved and are
available online here:


A text version is included below the .signature.

Thomas Roessler, W3C  <tlr@w3.org>


               Web Security Context Working Group Teleconference
                                  16 Jan 2008

   See also: [2]IRC log


          Mary Ellen Zurko, Phillip Hallam-Baker, Ian Fette, Jan Vidar
          Krey, Thomas Roessler, Yngve Pettersen, Johnathan Nightingale,
          Dan Schutzer, Hal Lockhart, Bill Doyle, Maritza Johnson, Tim
          Hahn, Anil Saldhana, Tyler Close

          Luis Barriga, Serge Egelman, Stephen Farrel, William Eburn

          Mary Ellen Zurko

          Jan Vidar Krey


     * [3]Topics
         1. [4]Agenda
         2. [5]ISSUE-128
         3. [6]ISSUE-124
         4. [7]ISSUE-125
         5. [8]ISSUE-129
     * [9]Summary of Action Items


   <ifette> link for minutes?

   <Mez> [10]http://www.w3.org/2008/01/09-wsc-minutes.html

   Mez: next item, approving minutes from last meeting
   ... Approved
   ... Weekly completed action items

   <tlr> sorry about the minutes, seems they were stuck



   Mez: action items closed to due to inactivity, none. Some might be
   closed later.
   ... Agenda bashing
   ... Issues 128, 124, 125, 129 have no next step

   Mez: Please fill out the questionaire for the next f2f by this week.

   Mez: Remind everyone there is a heartbeat requirement for xit and

   tlr: early February is a reasonably accurate date ;-)

   <Mez> [14]http://www.w3.org/2006/WSC/track/issues/128


   Mez: first item ISSUE-128, what is the next step?


   <Mez> [Definition: (normative) Strong TLS algorithms are defined as the
   algorithms recommended by [ref-ALGORITHMS].]

   Mez: A lot of discussion, but nothing summarizes it

   yngve: Point out for "What is a secure page", I put estimates for what
   encryption bit strength can be broken in a number of years... Can be
   used as a foundation.

   Mez: link ?

   yngve: coming up

   Mez: other proposals?

   <yngve> [16]http://www.w3.org/2006/WSC/track/actions/285

   johnath: maybe ping Stephen

   <tlr> I believe this was Yngve's proposal:

   <yngve> References:

   <johnath> yes - that looks like a lovely set of references to me

   <tlr> The Dining Cryptographers' List

   PHB2: It is not really something to do in usability.

   Bill: I beleive the structure is in place to do this, in Apache for

   PHB2: The usability document needs to reference the TLS recommendations

   <yngve> [19]http://www.ietf.org/rfc/rfc4346.txt

   <yngve> [20]http://www.ietf.org/rfc/rfc3766.txt

   tlr: rfc 3766 sounds like the one

   <tlr> ACTION: bill-d to draft language to reference RFC 3766 or
   successors in a useful way [recorded in

   <trackbot-ng> Sorry, couldn't find user - bill-d

   tlr: Something along the lines as "Only use algorithms in RFC3766 for
   public key encryption"

   <tlr> ACTION: doyle to draft language to reference RFC 3766 or
   successors in a useful way [recorded in

   <trackbot-ng> Created ACTION-370 - Draft language to reference RFC 3766
   or successors in a useful way [on Bill Doyle - due 2008-01-23].

   Mez: anything else ?
   ... Next issue, ISSUE-124.


   <Mez> [23]http://www.w3.org/2006/WSC/track/issues/124


   Mez: very visually oriented section. *Might* be something tricky about
   this one.
   ... one way is to substitute "display" with "present"

   tlr: Present vs display probably takes care of most of this issue.
   ... This sections needs to be cleaned up for normative language
   ... Would prefer someone else to do it

   asaldhan: I can do editorial changes to it

   <tlr> ACTION: anil to take a stab at ISSUE-124 [recorded in

   <trackbot-ng> Created ACTION-371 - Take a stab at ISSUE-124 [on Anil
   Saldhana - due 2008-01-23].

   <tlr> ACTION-371?

   <trackbot-ng> ACTION-371 -- Anil Saldhana to take a stab at ISSUE-124
   -- due 2008-01-23 -- OPEN

   <trackbot-ng> [26]http://www.w3.org/2006/WSC/track/actions/371


   <tlr> ISSUE-125?

   <trackbot-ng> ISSUE-125 -- Safe Form Bar: on screen masking phrased in
   terms of visual user agents -- OPEN

   <trackbot-ng> [27]http://www.w3.org/2006/WSC/track/issues/125

   <Mez> [28]http://www.w3.org/2006/WSC/track/issues/125

   Mez: next item, ISSUE-125
   ... sounds like more of the same, visually oriented

   <tlr> [29]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask

   Mez: ?
   ... If we removed the "onscreen" in title, substitute present and

   has brief discussion on this. tlr mentioning that it applies to voice

   Mez: attack is visual

   tlr: attack can also occur with a screen reader

   <tlr> I don't understand what the requirements mean for non standard
   GUI; I can see a high-level requirement usefully in the spec

   <tlr> ACTION: thomas to propose high-level wording instead of 7.6
   [31]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125
   [recorded in

   <trackbot-ng> Created ACTION-372 - Propose high-level wording instead
   of 7.6 [33]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask;
   ISSUE-125 [on Thomas Roessler - due 2008-01-23].

   <tlr> action-372?

   <trackbot-ng> ACTION-372 -- Thomas Roessler to propose high-level
   wording instead of 7.6
   [34]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125 --
   due 2008-01-23 -- OPEN

   <trackbot-ng> [35]http://www.w3.org/2006/WSC/track/actions/372

   <tlr> ACTION: mez to poll al G about shoulder surfing attacks in
   context of assistive technologies [recorded in

   <trackbot-ng> Created ACTION-373 - Poll al G about shoulder surfing
   attacks in context of assistive technologies [on Mary Ellen Zurko - due


   Mez: next is, ISSUE-129

   <Mez> [37]http://www.w3.org/2006/WSC/track/issues/129

   Mez: "Should we say anything about scoring techniques?"
   ... We have had some discussion with regards to the padlock


   tjh: It should remain in the document


   tjh: how to express it, as a colour, number, or sound... ?

   Mez: Another part of the thread, If there is a problem, a passive
   notification is not enough, how can this be communicated?
   ... How can the site identity be destilled into a number?
   ... some concern about legal issues, related to a score

   danschutzer: only certain things can be controlled. We would probably
   want to restrict ourselves to some things; Secure connection, accessing
   the site I think I am accessing
   ... cannot know about other things, such as compromized computer, or

   yngve: we have 2 types of security context indictators in many browsers
   1) padlock, 2) fraud warning.
   ... we have some checks for questionable sites, scammers, etc. using
   blacklists or whitelists of sites

   <tjh> maybe instead of "Page Security Score" it should be called
   "Connection Confidence Estimate".

   yngve: there are questions about privacy for these solutions

   <Zakim> ifette, you wanted to explain the legal issue thread

   ifette: The legal stuff
   ... If a browser says it is secure, that is full endorsement...
   ... If Bank A and bank B gets different scores, the one worse off might
   go after the browser vendor

   <MikeM> if browsers haven't been sued over padlock for past 20 years, I
   don't see why we expect lawsuits over other indicators that are
   actually better.

   <johnath> MikeM: that's a comfortable position to take when you're
   unlikely to be named in the suit, but I think Ian's point is that
   including this language will hurt adoption

   <Zakim> Mez, you wanted to say that I am glad we have something in xit
   that addresses the space of the padlock

   ifette: the padlock is not ambigous in the same way as these algorihms

   tjh: I don't recall our draft saying anything about "Safe for
   e-commerce" for page security score

   PHB2: Large browser vendors were concered about the legal implications
   of the padlock, that is why EV happened.

   <ifette> Phil, are you saying that the legal concerns over the score
   (or worries on behalf of browser vendors) are or are not founded?

   <Zakim> ifette, you wanted to say it's not what statement we intend but
   rather what the user interprets the statement as meaning

   PHB2: the liablity here... IANAL... the liability of the party who
   calculates/presents the information, and the party who provides the
   information needed

   ifette: worry about how people will interpret security scores when
   comparing sites... Why is my page not as secure ?

   <ifette> Potential next step would be to re-write this as something
   that is a back-end feature that is presented only when changes in this
   score are noted

   ifette: if you are getting sued in any case, I see no benefit.

   <ifette> But we're not writing new standards for stuff like that here

   <ifette> we're getting O/T...

   PHB2: Possible approach, use a third party trust service... can
   minimize the legal risks

   <Zakim> johnath, you wanted to reply to phil

   <MikeM> decision in Austin was to allow 3rd parties to define scoring
   algorthms and let market forces drive innvocation... only requirement
   on the UA is to allow these 3rd party scoring plugins

   johnath: The legal issues are important. If this is phrased as a MUST,
   we will have to investigate the issues in order to remain standards

   <Mez> I don't remember that decision mikem

   <ifette> I thought we said that new protocols etc were out of scope

   <ifette> e.g. new infrastructure

   <ifette> at least this was the argument Tyler raised against malware...

   <Zakim> johnath, you wanted to reply to tim

   <tlr> ACTION: tjh to rewrite page security score section [recorded in

   <trackbot-ng> Created ACTION-374 - Rewrite page security score section
   [on Tim Hahn - due 2008-01-23].

   tjh: i can take an action item to summarize what came from the padlock

   <ifette> I have to go in a minute, but if there is a straw poll put me
   down in whatever category is most strongly against this proposal.....

   <johnath> ifette: duly noted :)

   Mez: all four issues covered
   ... will try to point out which sections of xit are more mature, based
   on our review comments as a topic at the san jose f2f
   ... see you next week

Summary of Action Items

   [NEW] ACTION: anil to take a stab at ISSUE-124 [recorded in
   [NEW] ACTION: bill-d to draft language to reference RFC 3766 or
   successors in a useful way [recorded in
   [NEW] ACTION: doyle to draft language to reference RFC 3766 or
   successors in a useful way [recorded in
   [NEW] ACTION: mez to poll al G about shoulder surfing attacks in
   context of assistive technologies [recorded in
   [NEW] ACTION: thomas to propose high-level wording instead of 7.6
   [45]http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125
   [recorded in
   [NEW] ACTION: tjh to rewrite page security score section [recorded in

   [End of minutes]

    Minutes formatted by David Booth's [48]scribe.perl version 1.129
    ([49]CVS log)
    $Date: 2008/01/23 17:13:50 $


   1. http://www.w3.org/
   2. http://www.w3.org/2008/01/16-wsc-irc
   3. http://www.w3.org/2008/01/16-wsc-minutes.html#agenda
   4. http://www.w3.org/2008/01/16-wsc-minutes.html#item01
   5. http://www.w3.org/2008/01/16-wsc-minutes.html#item02
   6. http://www.w3.org/2008/01/16-wsc-minutes.html#item03
   7. http://www.w3.org/2008/01/16-wsc-minutes.html#item04
   8. http://www.w3.org/2008/01/16-wsc-minutes.html#item05
   9. http://www.w3.org/2008/01/16-wsc-minutes.html#ActionSummary
  10. http://www.w3.org/2008/01/09-wsc-minutes.html
  11. http://lists.w3.org/Archives/Member/member-wsc-wg/2008Jan/0009.html
  12. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0150.html
  13. http://www.w3.org/2002/09/wbs/39814/wscf2fgoog2008/
  14. http://www.w3.org/2006/WSC/track/issues/128
  15. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Dec/att-0021/rewrite-5-20071205.html
  16. http://www.w3.org/2006/WSC/track/actions/285
  17. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
  18. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
  19. http://www.ietf.org/rfc/rfc4346.txt
  20. http://www.ietf.org/rfc/rfc3766.txt
  21. http://www.w3.org/2008/01/16-wsc-minutes.html#action01
  22. http://www.w3.org/2008/01/16-wsc-minutes.html#action02
  23. http://www.w3.org/2006/WSC/track/issues/124
  24. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-reliabletext
  25. http://www.w3.org/2008/01/16-wsc-minutes.html#action03
  26. http://www.w3.org/2006/WSC/track/actions/371
  27. http://www.w3.org/2006/WSC/track/issues/125
  28. http://www.w3.org/2006/WSC/track/issues/125
  29. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
  30. http://lists.w3.org/Archives/Member/member-wsc-wg/2007Nov/0006.html
  31. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask;
  32. http://www.w3.org/2008/01/16-wsc-minutes.html#action04
  33. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask;
  34. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask;
  35. http://www.w3.org/2006/WSC/track/actions/372
  36. http://www.w3.org/2008/01/16-wsc-minutes.html#action05
  37. http://www.w3.org/2006/WSC/track/issues/129
  38. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0165.html
  39. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0156.html
  40. http://www.w3.org/2008/01/16-wsc-minutes.html#action06
  41. http://www.w3.org/2008/01/16-wsc-minutes.html#action03
  42. http://www.w3.org/2008/01/16-wsc-minutes.html#action01
  43. http://www.w3.org/2008/01/16-wsc-minutes.html#action02
  44. http://www.w3.org/2008/01/16-wsc-minutes.html#action05
  45. http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask;
  46. http://www.w3.org/2008/01/16-wsc-minutes.html#action04
  47. http://www.w3.org/2008/01/16-wsc-minutes.html#action06
  48. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  49. http://dev.w3.org/cvsweb/2002/scribe/

Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 23 January 2008 17:14:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:36:52 UTC