Discussion of 6.1 for LC June from Mary Ellen Zurko on 2008-03-07 (public-wsc-wg@w3.org from March 2008)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 7 Mar 2008 08:58:55 -0500
To: public-wsc-wg@w3.org
Message-ID: <OFB59741AA.5EC032F0-ON85257405.0045E902-85257405.004CCE3E@LocalDomain>
We had an excellent discussion of section 6.1 at our last call, but didn't 
quite make it to polling and consensus. Here's the roundup of issues as I 
remember them and some proposals. The minutes are at:
http://www.w3.org/2008/03/05-wsc-minutes.html#item06

Current text is at:
http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#IdentitySignal

Issue 1) Requiring a "no identity" state, particularly in primary chrome.
The text: 
User interactions to access this identity signal MUST be consistent across 
all Web interactions facilitated by the user agent, including interactions 
during which the Web user agent has no trustworthy information about the 
[[identity]] of the Web site that a user interacts with. In this case, 
user agents SHOULD indicate that no information is available.

Ian raised issues around both taking up scarce real estate and habituation 
(since lack of SSL based identity is likely to be a very common occurrence 
in daily web browsing). 
Thomas raised the counter issue that in general we've been leaning towards 
showing a lack of security context information for clarity and 
consistency. 

Issue 2) proposal to remove or downgrade requirement to show domain name 
label
During interactions with a TLS-secured Web page for which the top-level 
resource has been retrieved through a strongly TLS-protected interaction 
that involves an validated certificate, an applicable domain name label 
retrieved from the subject's Common Name attribute or from a 
subjectAltName extension MUST be displayed.

Allow for alternatives (better understood forms of identity, particularly 
from user agent state).

Issue 3) remove otherwise authenticated - resolved 

Issue 4) remove must on displaying CA or keep only for installed trust 
roots 

The term [Definition: validated certificate ] is used to denote a public 
key certificate that has been verified by chaining up to a locally 
configured trust anchor. The set of trust anchors used by a given Web User 
agent is implementation-dependent.
We have text about not allowing the user to configure local trust anchors 
when they're doing something else.
We have text about pinning SSC (but not how that relates to a local trust 
anchor)

Proposal - downgrade MUST to SHOULD. 

Issue 5)  Ian proposes only keeping this: 
During interactions with a TLS-secured Web page for which the top-level 
resource has been retrieved through a strongly TLS-protected interaction 
that involves an augmented assurance certificate, the identity signal MUST 
include the Subject field's Organization attribute to inform the user 
about the owner of the Web page

I do not want to lose all of the first (rfc 2119 normative) paragraph in 
6.1 (if possible). I do not want us to be silent on existing identity 
indicators (URL, for example), unless we explicitly choose to be and know 
why we are. I believe it is useful guidance, in the face of the common 
practice of displaying the URL, to recommend displaying an explicit 
identity signal, even if there is some vagueness about exactly what it 
should be. I believe Ian does not believe this. Also "the identity signal" 
has no definition without that first paragraph. So this proposal needs 
some sort of modest rewrite to be viable. Ian, let me know if you're 
taking that on (or if you disagree and really want to propose this text 
exactly as is, and alone). 

Issue 6) need to allow for o= not being present
MUST include the Subject field's Organization attribute 

Proposal
MUST include the Subject field's Organization attribute, if present,

Issue 7) objections to "unless a change of security level" - we've dropped 
that concept anyway - it shoudl be removed, leading to: 
During interactions with a Web page for which any of the resources 
involved was retrieved through a weakly TLS-protected transaction, the 
identity signal must be indistinguishable from one that would be shown for 
an unprotected HTTP transaction.

Issue 8) various objections to addressing logotypes 
to address Mez' on lack of prototype, Phil reminded us of the code, and 
sent out some screen shots:
http://lists.w3.org/Archives/Public/public-wsc-wg/2008Mar/0038.html
Ian's issue was that they are not extensively enough deployed. 


Please send any updates and reactions by Wednesday, the 12th (we have no 
meeting then, so you can use that time on this). I'll develop a logical 
sequence of proposals for a meeting for us to work through these to come 
to some text in 6.1 that we have consensus on.
Received on Friday, 7 March 2008 13:59:09 UTC