Meeting record: WSC WG weekly 2008-07-02

Minutes from our meeting on 2008-07-02 were approved and are
available online here:

   http://www.w3.org/2008/07/02-wsc-minutes.html

A text version is included below the .signature.

-- 
Thomas Roessler, W3C  <tlr@w3.org>




   [1]W3C

               Web Security Context Working Group Teleconference
                                  02 Jul 2008

   See also: [2]IRC log

Attendees

   Present
          MaryEllen_Zurko, Thomas, johnath, yngve, joesteele, Tyler,
          +47.23.69.aaaa, jvkrey, dans, +1.312.660.aabb, anil

   Regrets
          BillD

   Chair
          Mez

   Scribe
          tlr

Contents

     * [3]Topics
         1. [4]Convene
         2. [5]action items
         3. [6]firefox 3.0 and conformance
     * [7]Summary of Action Items
     __________________________________________________________________



   <trackbot> Date: 02 July 2008

   <Mez> we need a scribe

   Yngve or Johnath or

   possibly myself

   <Mez> can't be johnath; he's the talent for the meeting

   so Yngve or me, I guess

   <johnath> Mez: my nemesis:
   [8]http://www.calphalon.com/calphalon/consumer/products/productGroup.jh
   tml?catId=CLCat100485

   <scribe> ScribeNick: tlr

Convene

   all there

   <Mez> [9]http://www.w3.org/2008/06/25-wsc-minutes.html

   so apporved

action items

   nothing spectacular

   <Mez>
   [10]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0101.html

   ACTION-478?

   <trackbot> ACTION-478 -- Joe Steele to pull together UT background on
   7.1.1 robustness recommendation (shared secret) -- due 2008-07-17 --
   PENDINGREVIEW

   <trackbot> [11]http://www.w3.org/2006/WSC/track/actions/478

   mez: ACTION-478 looks like it lacks activity

   joe: yeah, that's fine; I'll do it anyway

firefox 3.0 and conformance

   johnath: Is it the plan as a group to undertake conformance testing for
   third party implementations?
   ... i.e., any interest in evaluating other browsers

   tlr: careful, a bit, about conformance testing -- I'm not sure we're
   getting to a test suite that exercises all possible states
   ... and enables conformance claims just based on a test suite ...
   ... the more the merrier, but we probably need less to get through CR
   ...

   johnath: so, plans to third-party test other implementations?

   mez: nobody has broached that topic yet
   ... I have vague and scary plans ...
   ... and i'll call it "implementation testing" in the future ...

   <johnath> alert! The scribe is taking liberties!

   <johnath>
   [12]http://www.w3.org/2006/WSC/wiki/Firefox_3.0_Conformance_with_June_L
   C

   <johnath> section 6.4

   johnath: seems like the best way is section by section
   ... 6.4.1 is tricky. We're kind of getting there, but it's a bit hard
   ... to make a clear assertion ...
   ... we don't do "solely in terms of art" ...
   ... do enable users to go back to prior state ...
   ... there''s always a back button ...
   ... not sure if there's subtlety implied
   ... think this is all fine with us ...
   ... error interactions should have advanced user option ...
   ... we're doing error codes for security errors ...
   ... so you can go and look them up in the big binder ....
   ... error code can be used to search for details, but we don't do
   separate interaction
   ... for things like network timeouts, we don't do the precise error
   codes ...

   mez: error codes only for security?

   johnath: not by policy, but that's what we done
   ... most of the other ones have distinctive titles ...
   ... but SEC_ERROR_SERIAL_NUMBER_REUSED ...

   yngve: would like to mention that opera has sth similar
   ... more difficult to get to explanation
   ... for SSL errors, include TLS error code ...
   ... sometimes with additional information ...
   ... or flags ...
   ... useful to narrow down where the problematic code sits ...
   ... similarly, don't have these kinds of error codes on "can't connect
   to server" and the like ...

   johnath: seems like Opera's and FF's approaches are same.
   ... might be worth clarifying language ...

   mez: admit imagining that as we go through CR, we'll grapple with those
   issues
   ... don't mind grappling right away, though ...
   ... but not encouraging us to do this ...

   johnath: 6.4.2 - status indicator is site identity button ...
   ... for some other stuff, non-modal indicators ...
   ... persist in primary chrome till interacted with ...
   ... think pop-up blocking ...
   ... check ...
   ... warning/caution ...
   ... quite a mouthful ...
   ... we don't say "caution" or "warning", but visual signals ...
   ... might not be conformant ...
   ... there's a MUST here that refers to words ...
   ... could be a point of non-conformance ...
   ... recommended option, we have ...
   ... often "try again"...
   ... for security, "get me out" - known safe page ..
   ... also "add exception" for an override ...
   ... not creating situation where only thing is to dismiss warning and
   move on
   ... noted before that "danger" is easier than "caution". Odd.
   ... creates weird situation where "danger" is easier to conform with
   than "warning"
   ... our security errors actually match this ...
   ... if cynical, would recast conformance in terms of "danger" ...

   yngve: note that TLS has two levels of warning
   ... had possibility to open warning dialogues to ask whether continue
   or not for a long time ...
   ... recently changed to fatal error for everything ...
   ... except for some fatal cases ...
   ... warning or fatal in the protocol ...
   ... server could say it's a warning, it's not fatal ...
   ... there are some cases on that, could send warning about not having
   certificate ...
   ... in previous versions of SSL; TLS 1.0 changed that to sending empty
   cert ...
   ... warning about closing connection (not passing to user) ...
   ... anything that's warning is really an error and treated as fatal ...
   ... reason for going fatal is that choices aren't usefully possible for
   user

   mez: odd that it falls out that way given concern about habituation
   ... maybe we need to take another look at this point ...

   johnath: At any rate, 6.4.4 is really easier.
   ... 6.5, chrome reconfiguration
   ... yes, we have that ...
   ... except that there are add-ons ...

   mez: add-ons, incredibly important

   johnath: they can hook into "restore default" button

   <joesteele> are the APIs those add-ons can use exposed to a webpage?

   joe: These APIs.... exposed to web page?

   johnath: no no no
   ... categorically, no ..

   joe: install process?

   johnath: exactly
   ... 7.1.1 - this sounds like security skins ...
   ... I needed to know background to understand it ...
   ... useful to say "e.g. security skins" ...

   yngve: side remark - in some apps you can change user agent string in
   HTTP ...
   ...

   mez: would like to have a bit of experience with this kind of context
   ... are we going to see this tested with Opera?
   ... don't think we've anything direct, except you can skin opera ...
   ... no connection to user agent string or stuff like that ...
   ... if we have implementation experience, details interesting
   ... without any, difficult ...

   yngve: of two minds about whether to mention possibility
   ... sort of implied,

   mez: not sure this is going to make it if nobody implements

   <MikeM> yngve: that chameleon agent string feature causes problems for
   sites (like wellsfargo.com) that need to identify the browser for
   security & other reasons.

   johnath: walking further through spec
   ... visibility of chrome ...
   ... yes
   ... tabbed browsing and site identity button ...
   ... next one, padlock and mimicking ...
   ... people could use padlock as favicon ...
   ... we don't use icons to signal trust info ...
   ... add-on installation
   ... disable ok buttons in installation ...
   ... multi-step ui for certificate exceptions ...
   ... no synthetic button clicks from content ...]

   s/content...

   s/content...]//

   johnath: we do prevent web content from hiding certain buttons
   ... also, moving / resizing windows in ways that would cause them to be
   hidden...
   ... I'll claim that there's no way for content to override ...
   ... we do prevent window sizing and he like ...
   ... there's a bit in javascript, but not off the screen ...
   ... we don't allow web content to override security chrome ...
   ... re "overlay" - have titles in tab bar, don't overlay ...

   johnath; software installation - request consent for add-on and plugin
   install

   scribe: don't do installation of software ouside the browser ..
   ... pre-consent ...
   ... trivially conformant here ...
   ... only thing I can think of -- if web site just tries to install
   add-on, we block it ...
   ... you can chose to say that site is permitted to install add-on ...
   ... user interaction involved, not pre-consenting ...
   ... MAY on software install ...
   ... don't provide mechanisms for content to execute software
   ... in a direct fashion ..
   ... but hand off things to plugins or external handlers ...
   ... discussion of download manager ...
   ... some stuff that we don't do automatically ...
   ... 7.4.3 - no programmatic bookmarking ...
   ... don't do that, full stop ...
   ... second sentence here is weird, btw ..
   ... pop-up windows: do restrict ...
   ... permit pop-ups that *are* result of user interaction.
   ... we don't restrict them globally, though

   johnath: most implementors will read this and understand what it's
   getting at
   ... there's some ambiguity, but not very serious ...

   mez: think we've got raw material to see where we'll have challenges in
   CR
   ... we can now start looking at features at risk.

   <Mez> [13]http://www.w3.org/2006/WSC/wiki/FeaturesAtRisk

   mez: I'd love feed-back, but be scared, it's work in progress

   <yngve> Maybe 7.4.4 should be rephrased to "SHOULD be careful", "SHOULD
   control" opening of popups, or something similar, or as johnathan
   suggested saying restrict to only those initiated by user interaction

   tyler: add columns for add-ons?

   mez: hopefully!
   ... anything where we don't even have a single implementation, will
   give us pause

   tyler: wait - two columns saying CI?

   mez: I think this is going to be useful - any row that doesn't have two
   implementations, can't be required
   ... should seriously consider whether we want MAY with no
   implementation experience ...
   ... anything in a column that has "N" means we don't ahve single
   implementation that would even start claiming that it might be
   conforming ...

   tyler: yngve -- does opera have an add-on API?

   yngve; sorry, no

   mez: think I'm clear on most things at this point, no double-checking
   ... that's it for this agenda item ...
   ... in terms of what's next -- should work on how to do testing ...
   ... unclear how to structure that discussion ...
   ... tlr - can you help?

   tlr: I think anybody can go through implementation info for existing
   RECs
   ... maybe UAAG -- and btw, regrets for next week

   mez: umh.... maybe take a week off?

   joe: also regrets

   tlr: as a thought, you might want to talk about the idea of content
   best practices

   mez: number of topics
   ... to get us through July ..

   yngve: btw, I'm on vacation most of August

   mez: I had been warned that these things happen
   ... btw, appreciate some advance warning ...

Summary of Action Items

   [End of minutes]
     __________________________________________________________________


    Minutes formatted by David Booth's [14]scribe.perl version 1.133
    ([15]CVS log)
    $Date: 2008/07/10 13:21:58 $

References

   1. http://www.w3.org/
   2. http://www.w3.org/2008/07/02-wsc-irc
   3. http://www.w3.org/2008/07/02-wsc-minutes.html#agenda
   4. http://www.w3.org/2008/07/02-wsc-minutes.html#item01
   5. http://www.w3.org/2008/07/02-wsc-minutes.html#item02
   6. http://www.w3.org/2008/07/02-wsc-minutes.html#item03
   7. http://www.w3.org/2008/07/02-wsc-minutes.html#ActionSummary
   8. http://www.calphalon.com/calphalon/consumer/products/productGroup.jhtml?catId=CLCat100485
   9. http://www.w3.org/2008/06/25-wsc-minutes.html
  10. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jun/0101.html
  11. http://www.w3.org/2006/WSC/track/actions/478
  12. http://www.w3.org/2006/WSC/wiki/Firefox_3.0_Conformance_with_June_LC
  13. http://www.w3.org/2006/WSC/wiki/FeaturesAtRisk
  14. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  15. http://dev.w3.org/cvsweb/2002/scribe/

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Thursday, 10 July 2008 13:23:20 UTC