- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 3 Sep 2008 18:25:16 +0200
- To: WSC WG <public-wsc-wg@w3.org>
Minutes from our meeting on 2008-08-27 were approved and are
available online here:
http://www.w3.org/2008/08/27-wsc-minutes.html
A text version is included below the .signature.
--
Thomas Roessler, W3C <tlr@w3.org>
[1]W3C
Web Security Context Working Group Teleconference
27 Aug 2008
[2]Agenda
See also: [3]IRC log
Attendees
Present
Thomas, yngve, jvkrey, ifette, Tyler, steele, PHB
Regrets
BillDoyle, Johnath, Mez, DanS, Maritza
Chair
tlr
Scribe
tlr
Contents
* [4]Topics
1. [5]minutes closures
2. [6]beware of finer-grained origins
3. [7]review mobileOK things
4. [8]last call comments
5. [9]CR planning
6. [10]TPAC
* [11]Summary of Action Items
__________________________________________________________________
<trackbot> Date: 27 August 2008
<scribe> ScribeNick: tlr
minutes closures
trackbot, close ACTION-477
<trackbot> ACTION-477 Put soaps position paper in shared bookmarks
closed
trackbot, close ACTION-489
<trackbot> ACTION-489 Take care of publication of wsc-ui as Last Call
WD closed
ACTION-496: continued; Jan Vidar will need to offload to somebody else
<trackbot> ACTION-496 Fill out the Opera column in our features at risk
table notes added
ACTION-350?
<trackbot> ACTION-350 -- Tyler Close to report about browser security
model discussions -- due 2008-07-16 -- OPEN
<trackbot> [12]http://www.w3.org/2006/WSC/track/actions/350
tyler: don't think we have anything about impact of certificates of
different classes in a mix of frames
tlr: write up something?
tyler: basic scenario -- man in the middle attacker intercepts, uses
self-signed cert; there's window open; attacker opens other tab; other
tab has real site with real cert
... but now evil site can navigate that tab ...
... can inject, has full control, oooops ...
beware of finer-grained origins
yngve: shouldn't domain control in JavaScript handle that?
tyler: nope, this is a network attack
yngve: oh
tyler: user sees first pop-up -- not trustworthy, but "must be able to
trust the real thing"
yngve: if the url in the other window is for different domain...?
tyler: same domain!
yngve: but it's being presented as other -- or directly through -- ok
tyler: network attacker allows request to go through once, intercepts
once, two pages on same domain, controlled by different parties
... one might look trustworthy, one might not ...
trackbot, close ACTION-350
<trackbot> ACTION-350 report about browser security model discussions
closed
<scribe> ACTION: tyler to frame discussion about interaction of
navigation policy and security indicators [recorded in
[13]http://www.w3.org/2008/08/27-wsc-minutes.html#action01]
<trackbot> Created ACTION-503 - Frame discussion about interaction of
navigation policy and security indicators [on Tyler Close - due
2008-09-03].
yngve: would think that there isn't an EV indicator in that case
... or AA ;-) ...
tyler: multiple different certs for the same hostname, treat that as an
attack
... the attacker produces self-signed ...
yngve: yes, could be a problem
review mobileOK things
[14]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0013.html
[15]http://www.w3.org/TR/mobileOK-basic10-tests/#http_response
<yngve> tlr:
<scribe> ACTION: tlr to propose comment on mobileOK test; propose on
list with 24h objection period [recorded in
[16]http://www.w3.org/2008/08/27-wsc-minutes.html#action02]
<trackbot> Created ACTION-504 - Propose comment on mobileOK test;
propose on list with 24h objection period [on Thomas Roessler - due
2008-09-03].
[17]http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
yngve: should mention client-side certificates
tlr: also, breaks channel binding
[18]http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
yngve: channel binding is work in progress
... and the problem is that they won't find out until they actually do
the request ...
... most likely failure scenario is for the site to respond with
invalid login in text, in case they don't break the connection ...
draft-altman-tls-channel-bindings
tlr: propose we suggest that they ask Altman and Williams, and also TLS
WG
yngve: yeah, has been discussed at TLS WG meetings several times
... mechanisms to use the master secret to get more key material for
application use
<scribe> ACTION: tlr propose comment re https link rewriting,
client-side certs and channel bindings [recorded in
[19]http://www.w3.org/2008/08/27-wsc-minutes.html#action03]
<trackbot> Created ACTION-505 - Propose comment re https lnk rewriting,
client-side certs and channel bindings [on Thomas Roessler - due
2008-09-03].
yngve: one point about the channel binding -- that is going to require
special apps that have support for it
... question is whether or not that would happen; then again, url will
control
... question how relevant the issue is for this use case
last call comments
[20]http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724
yngve: have one that went directly to me
tlr: please forward to public comment mailing list
... propose that LC-2058 be dealt with at editor's discretion
... LC-2059 likewise
LC-2055 editorial too
tlr: LC-2056 -- update pkix to pkixbis
PROPOSED: to update reference to 5280
RESOLUTION: to update reference to 5280
<scribe> ACTION: thomas to update reference to 5280 [recorded in
[21]http://www.w3.org/2008/08/27-wsc-minutes.html#action04]
<trackbot> Created ACTION-506 - Update reference to 5280 [on Thomas
Roessler - due 2008-09-03].
yngve: propose using PKIX as bibliography key
steele: oh, backward reference in there
yngve: related, updated TLS reference?
... TLS 1.2 was released a couple of weeks back
tlr: yngve, please send mail
... propose that we add reference to TLSv12 ...
... anything on weak algorithms there?
yngve: moved elsewhere
... separate document on DES ...
... there is a separate document about DES and IDEA ...
... they removed all ancient ciphers from the document ...
tlr: I'll propose a detailed edit in response to your e-mail
CR planning
ACTION-500?
<trackbot> ACTION-500 -- Mary Ellen Zurko to inquire phb about ev cert
for test environment -- due 2008-08-20 -- OPEN
<trackbot> [22]http://www.w3.org/2006/WSC/track/actions/500
tlr: phill, anything new?
phb: cannot get you EV cert without going through the process
... however, we do know how to fiddle with IE to make it display
anything as EV ...
... presumably, FF and Opera can help with that ...
yngve: EV OIDs are digitally signed
... no test versions ...
... intentional that we don't let anybody override it ...
phb: in case of ie7, possible to override by manually marking trust
root
... as being EV ...
... it's not difficult ...
yngve: malware!
tlr: rathole!
ACTION-502?
<trackbot> ACTION-502 -- Phillip Hallam-Baker to drive test case matrix
for 6.12 -- due 2008-09-03 -- OPEN
<trackbot> [23]http://www.w3.org/2006/WSC/track/actions/502
phb: will do today
TPAC
[24]http://www.w3.org/2002/09/wbs/35125/TPAC2008/
[25]http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0026.html
adjourned
Summary of Action Items
[NEW] ACTION: thomas to update reference to 5280 [recorded in
[26]http://www.w3.org/2008/08/27-wsc-minutes.html#action04]
[NEW] ACTION: tlr propose comment re https link rewriting, client-side
certs and channel bindings [recorded in
[27]http://www.w3.org/2008/08/27-wsc-minutes.html#action03]
[NEW] ACTION: tlr to propose comment on mobileOK test; propose on list
with 24h objection period [recorded in
[28]http://www.w3.org/2008/08/27-wsc-minutes.html#action02]
[NEW] ACTION: tyler to frame discussion about interaction of navigation
policy and security indicators [recorded in
[29]http://www.w3.org/2008/08/27-wsc-minutes.html#action01]
[End of minutes]
__________________________________________________________________
Minutes formatted by David Booth's [30]scribe.perl version 1.133
([31]CVS log)
$Date: 2008/09/03 16:24:52 $
References
1. http://www.w3.org/
2. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0029.html
3. http://www.w3.org/2008/08/27-wsc-irc
4. http://www.w3.org/2008/08/27-wsc-minutes.html#agenda
5. http://www.w3.org/2008/08/27-wsc-minutes.html#item01
6. http://www.w3.org/2008/08/27-wsc-minutes.html#item02
7. http://www.w3.org/2008/08/27-wsc-minutes.html#item03
8. http://www.w3.org/2008/08/27-wsc-minutes.html#item04
9. http://www.w3.org/2008/08/27-wsc-minutes.html#item05
10. http://www.w3.org/2008/08/27-wsc-minutes.html#item06
11. http://www.w3.org/2008/08/27-wsc-minutes.html#ActionSummary
12. http://www.w3.org/2006/WSC/track/actions/350
13. http://www.w3.org/2008/08/27-wsc-minutes.html#action01
14. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0013.html
15. http://www.w3.org/TR/mobileOK-basic10-tests/#http_response
16. http://www.w3.org/2008/08/27-wsc-minutes.html#action02
17. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
18. http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
19. http://www.w3.org/2008/08/27-wsc-minutes.html#action03
20. http://www.w3.org/2006/02/lc-comments-tracker/39814/WD-wsc-ui-20080724
21. http://www.w3.org/2008/08/27-wsc-minutes.html#action04
22. http://www.w3.org/2006/WSC/track/actions/500
23. http://www.w3.org/2006/WSC/track/actions/502
24. http://www.w3.org/2002/09/wbs/35125/TPAC2008/
25. http://lists.w3.org/Archives/Public/public-wsc-wg/2008Aug/0026.html
26. http://www.w3.org/2008/08/27-wsc-minutes.html#action04
27. http://www.w3.org/2008/08/27-wsc-minutes.html#action03
28. http://www.w3.org/2008/08/27-wsc-minutes.html#action02
29. http://www.w3.org/2008/08/27-wsc-minutes.html#action01
30. http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
31. http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 3 September 2008 16:25:52 UTC