- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 19 Mar 2008 19:20:07 +0100
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2008-03-05 were approved and are
available online here:
http://www.w3.org/2008/03/05-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
05 Mar 2008
See also: [2]IRC log
Attendees
Present
Mary Ellen Zurko, Thomas Roessler, Tyler Close, Jan Vidar Krey,
Luis Barriga, Phillip Hallam-Baker, Bill Doyle, William Eburn,
Hal Lockhart, Stephen Farrel, Maritza Johnson, Yngve Pettersen,
Ian Fette, Mike McCormick
Regrets
Dan Schutzer, Tim Hahn, Anil Saldhana, Rachna Dhamija, Serge
Egelman, Johnathan Nightingale
Chair
Mary Ellen Zurko
Scribe
Jan Vidar Krey
Contents
* [3]Topics
1. [4]Approving minutes from last meeting
2. [5]newly completed action items
3. [6]open action items
4. [7]issues closed due to inactivity
5. [8]Agenda bashing
6. [9]Section 6.1 Identity and trust anchor
* [10]Summary of Action Items
__________________________________________________________________
<trackbot-ng> Date: 05 March 2008
<scribe> ScribeNick: jvkrey
Approving minutes from last meeting
<Mez> [11]http://www.w3.org/2008/02/27-wsc-minutes.html
Mez: approved
newly completed action items
<Mez>
[12]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0078.html
Mez: no particular items
open action items
Mez: no items
issues closed due to inactivity
Agenda bashing
<PHB2> Off topic: There is also:
<PHB2>
[13]http://blogs.verisign.com/websecurity/2008/03/what_it_takes_to_make
_the_inte.php
ifette: Problems booking hotel in Oslo, anyone else have problems?
yngve: can ask around
Mez: section 6.1 was not completed last week
... remaining issues on 8.1
... 9.2 and 9.3
... logistics, no meeting next week, the week thereafter there is a
timezone difference between europe and US
Section 6.1 Identity and trust anchor
<Mez> [14]http://www.w3.org/2008/02/06-wsc-minutes.html#item01
<Mez>
[15]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#IdentitySignal
<Mez>
[16]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0084.html
<Mez>
[17]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0086.html
Mez: start looking through the normative language, and raise issues
with it for the LC in June
ifette: if on a normal web page, what must be in the primary interface?
<ifette> (or should)
Mez: we have a line about it
ifette: question is about, validated as in not EV-cert
<ifette> this is too hypothetical
<Mez> I agree
<Mez> but luckily this is not about EV at all
<Mez> or even AA
PHB2: cert does not need to be EV to provide a strong identity signal.
Subject name, verisign class 3.
<ifette> sure, but I want to know that we're recommending something
that makes sense and right now it doesnt
<tyler> I'm on q to object to: "an applicable domain name label
retrieved from the subject's Common Name attribute or from a
subjectAltName extension MUST be displayed."
ifette: this is saying some indicator should always be there, should
always signal something, which is unclear unless we are using ssl.
... only thing that can be trusted is the domain name
<tyler> When the certificate is not issued by a built-in CA, I'm
worried about the text: "The Issuer field's Organization attribute MUST
be displayed to inform the user about the party responsible for that
information."
ifette: a lot of users are visiting sites they haven't visited before,
why are we taking up screen estate when we have no identify information
?
Mez: issue is, show nothing at all when we have no identify information
?
<tlr> SHOULD show identity signal, always
Mez: is that ok for the current text?
PHB2: make the text more explicit, in particular, users are discovering
new sites all the time
<Mez> During interactions with a TLS-secured Web page for which the
top-level resource has been retrieved through a strongly TLS-protected
interaction that involves an validated certificate, an applicable
domain name label retrieved from the subject's Common Name attribute or
from a subjectAltName extension MUST be displayed.
<tlr> tyler, you're objecting against the domain validated, not AA
case, correct?
tyler: can be confusing to users, and be suseptible for phising
<tlr> (just making sure we're not talking past each other)
<stephenF> The text "domain name label" is a bit odd there too - I
think it just means "DNS name"
Mez: do we want to allow for other pieces of information and/or
downgrade this section from a MUST to SHOULD or MAY?
<tlr> stephen, correct. Label would be a single label, as in, the thing
between two dots.
<stephenF> so just display ".com" then:-)
tyler: eliminate the paragraph that says we must display the altname
<Zakim> ifette, you wanted to elaborate on tylers point
ifette: domain names can be long, not likely display whole if really
long, which means they will be truncated
Mez: objections for removing this line?
ifette: what are we left with, if this is removed?
<Zakim> stephenF, you wanted to ask what "otherwise authenticated"
means after MUST
<Mez> Information displayed in the identity signal MUST be derived from
validated certificates, from user agent state, or be otherwise
authenticated.
<stephenF> that sentence is in 6.1.2 at the top (2nd para)
<Mez> tyler, you didn't get on q because you inserted a spurious comma
<luis> It could also be DNSSEC?
stephenF: probably give some examples, or constrain it somewhat
<ifette> -1 to DNSSEC
<stephenF> right, DNSSEC might be a good example (sometime)
<ifette> browsers dont necessarily have that information (e.g. done at
higher level)
<luis> i think DNSSEC is OK. It's authenticated with sort of PKI
tlr: do we have anything that is otherwise authenticated ?
<tlr> dnssec is on the wrong level, no?
Mez: any objections for removing the "otherwise authenticated" clause?
... resolved, will be removed.
PHB2: A validated cert, and no cert makes a big difference.
... we are not specifying X509, a DNSSEC is a certificate
<Mez> The Issuer field's Organization attribute MUST be displayed to
inform the user about the party responsible for that information.
tyler: propose to remove the MUST be displayed, or only applicable for
installed root CAs
<stephenF> maybe 5.1.2?
<stephenF>
[18]http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-interactivel
y
tyler: certificate might be issued by unknown CA, in that case must we
display the information ?
tlr: needs clarifications
<stephenF> sounds good to me to refer back to section 5 somewhere in 6
Mez: any problems with clarifying this?
tyler: what is the purpose of a MUST, in this case?
... this is sort of an advertisement spot for CAs.
tlr: one more general point, the basic idea is to always show things in
the same place. Should not rely on the absence of identify signals as a
signal of danger.
<Zakim> stephenF, you wanted to ask if we will include 2119 text about
what/how to display from x.509 certs
<Zakim> ifette, you wanted to disagree with tlr
stephenF: how do we display information from certificates? I would like
to have some definitions.
ifette: staying away from absence of identify indicators is not a
problem in most cases. In safe browsing mode then, yes.
<Zakim> stephenF, you wanted to ask about "all"
stephenF: "...across all web interactions", is that limited to user
agent?
Mez: means within user-agent
... On to 6.1.2
... "During interactions with a TLS-secured Web page for which the
top-level resource has been retrieved through a strongly TLS-protected
interaction that involves an augmented assurance certificate, the
identity signal MUST include the Subject field's Organization attribute
to inform the user about the owner of the Web page."
ifette: can we boil 6.1 down to this?
<Zakim> stephenF, you wanted to ask what if "O=" isn't present in the
cert (in the paragraph after the current one)
<ifette> (where this means the EV sentence)
Mez: typo in the next line, must is not capitalized
yngve: have a problem with the unless a change of security level has
occured.
tlr: will be dropped, link pointing nowhere
... probably needs to be coupled with 6.4.
Mez: next line
ifette: not sure about recommending logotype since it isn't being used,
yet
Mez: will be removed for LC in June
tlr: the next one depends on the previous paragraph
PHB2: hang on, there is a prototype
<tlr> [19]http://www.w3.org/2006/WSC/Group/demos/letterhead_u3.xpi
ifette: problem is not the lack of prototype, rather that there are no
certs with logotypes yet.
<MikeM>
[20]http://news.netcraft.com/archives/2008/02/17/extended_validation_ss
l_certificates_now_1_year_old.html
PHB2: actually, verisign have had logotype for 5 years, now
<stephenF> its fair to say that we don't know what if any effect would
be caused by display of logotypes
Mez: screenshot of prototype ?
<PHB2> just appeared on the list
<Mez> yes
tlr: will rewrite/remove some parts as discussed during the meeting...
will leave the logotype part alone for the moment.
<PHB2> next week is IETF
<tlr> no meeting next week
Mez: no meeting next week, will send a reminder about it
Summary of Action Items
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [21]scribe.perl version 1.133
([22]CVS log)
$Date: 2008/03/19 18:15:03 $
References
1. http://www.w3.org/
2. http://www.w3.org/2008/03/05-wsc-irc
3. http://www.w3.org/2008/03/05-wsc-minutes.html#agenda
4. http://www.w3.org/2008/03/05-wsc-minutes.html#item01
5. http://www.w3.org/2008/03/05-wsc-minutes.html#item02
6. http://www.w3.org/2008/03/05-wsc-minutes.html#item03
7. http://www.w3.org/2008/03/05-wsc-minutes.html#item04
8. http://www.w3.org/2008/03/05-wsc-minutes.html#item05
9. http://www.w3.org/2008/03/05-wsc-minutes.html#item06
10. http://www.w3.org/2008/03/05-wsc-minutes.html#ActionSummary
11. http://www.w3.org/2008/02/27-wsc-minutes.html
12. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0078.html
13. http://blogs.verisign.com/websecurity/2008/03/what_it_takes_to_make_the_inte.php
14. http://www.w3.org/2008/02/06-wsc-minutes.html#item01
15. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#IdentitySignal
16. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0084.html
17. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Feb/0086.html
18. http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-interactively
19. http://www.w3.org/2006/WSC/Group/demos/letterhead_u3.xpi
20. http://news.netcraft.com/archives/2008/02/17/extended_validation_ssl_certificates_now_1_year_old.html
21. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
22. http://dev.w3.org/cvsweb/2002/scribe/
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 19 March 2008 18:20:40 UTC