See also: IRC log
<tlr> ScribeNick: Praveen
<tlr> RESOLVED: Praveen to scribe
Welcome to Praveen, AOL.
RESOLVED: minutes are approved
<tlr> ScribeNick: tlr
<tlr> whoops, looks like Praveen has connection issues
mez: would like to get through discussing scope today. Possibly defer goals.
... had some discussion ...
... out of scope, in scope, f2f and/or e-mail ...
<Mez> http://www.w3.org/2006/WSC/wiki/NoteInScope
mez: encourage people to edit things directly
... scope partially based on discussion with Hal ...
... outer boundaries ...
... set outer edges of what's in scope or not ...
... what we're going to do ...
... tyler, different spin on that?
tyler: trying to remember what hal said ...
... had discussion during one of the conference calls ...
... goals are the things group is trying to achieve, non-goals are things that might be achieved, but aren't targets by itself ...
... scope/out-of-scope setting boundaries ...
... obviously more discussion ...
mez: anything in particular missing in "in scope" ...
hal: what about things that ride on top of HTTP, but aren't HTML / XHTML ....
... SOAP ...
hal: web protocols ...
... obvious case, SOAP or HTTP ...
... leave it to others to justify things they deem in scope
stephenF: worth mentioning smaller devices ...
... be explicit that non-desktop is in scope ...
<malware> malware: along with phone, we have portable gaming devices such as Nintendo DS
<scribe> ACTION: stephenF to add mobile device text to scope text in wiki [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action01]
<trackbot> Created ACTION-50 - Add mobile device text to scope text in wiki [on Stephen Farrell - due 2006-12-20].
<Zakim> malware, you wanted to contribute my 2 cents to "phones in scope" discussion (and suggest, among other things, that generalizing to "constrained devices" instead of "phone"...)
<beltzner> +1 to stephenF's idea; small devices are becoming more common, have different design implications
malware: mobile handsets is more accurate description ...
... class of devices: *constrained* devices ...
... non-desktop-pc-browsers ...
... "constrained devices" catches the idea pretty well ...
stephenF: not too keen on "constrained" ...
... "mobile" ...
michael: not talking about devices that are mobile ...
malware: "mobile" ignores use cases, such as airline seat-backs ...
... we might explicitly rule constrained devices out-of-scope ...
... focus on desktop first, defer constrained ...
... "not focus on something" -- tacit acknowledgement that something is less important ...
mez: not tacit, but explicit
malware: if we're going to do this work and get more people involved that are more familiar with mobile web browsing use cases ...
... then might be worthwhile not to make them take second place ...
... by just saying display of security information across range of devices ...
<Tyler> Are we talking about constrained display devices instead of mobile devices
<Zakim> PHB, you wanted to talk about drawing line at VOIP phishing
phb: draw bright line between our work and VOIP phishing
... problem on the context side ...
... have been getting calls to own house that are phishing attempts ...
... don't get into stuff that relates to how switches operate ...
... rule this out of scope ...
mez: wish brad was here
<stephenF> mobile devices that run http etc is a good scope
beltzner: what would a voice phishing attack look like?
<beltzner> tlr: beltzner asked
phb: (explains example)
... e-mail spam and telephone ...
... people don't realize that sth is phone's telephone number ...
... banks have trained people to enter phone number into telephone attendance system without listening for person ...
... can of worms ...
<beltzner> ok, thanks - noisy here, so I'll stay muted
<scribe> ACTION: Hallam-Baker to send proposed language on phones to mailing lists [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action03]
<trackbot> Created ACTION-40 - Send proposed language on phones to mailing lists [on Phillip Hallam-Baker - due 2006-12-19].
billd: gets back to previous discussion about constrained devices ...
... capabilities, phone browsers, embedded browsers ...
<stephenF> what that action on me or phb?
billd: more devices to come out, more on scope ...
tlr: 1. make sure you send mail when you make substantive edits to the wiki
... 2. what I hear is PROPOSED: (a) constrained devices in scope, (b) telephone/voice interactions out of scope; maps to voice browsers
hal: let's be very clear where we draw this line
mez: haven't made decision, yet
... see potential for brad having opposing view to phil ...
phb: dns vs ss7 based approaches
<stephenF> just added "Mobile phones and other constrained devices that can run a generic web browser are explicitly in scope under this heading as well as standard desktop browsers." to the wiki - hack away at that!
<Praveen> phb: example of skype using DNS instead of traditional phone line
tlr: voice browser is the thing on the other side of the phone line; it can go out to the web
hal: careful about distinctions that might be indistinguishable
mez: agree
tlr: +1
hal: constrained devices ...
... uncomfortable with the term ...
... because it evolves ...
... choice is about how to deal with functional limits in interface ...
... "here's how you use things with that kind of functional limitation" ...
... or do "here's for desktop, here's for mobile" ...
<malware> some general characteristics of "constrained devices" that aren't likely to change is that they have smaller screens than desktop/laptop PCs, no keyboards, but touch screens or number pads
tlr: "constrained devices" is an argument in favor of the first choice of argument -- be clear about constraints and how they affect recommendations
<stephenF> q to ask about 3rd parties
mez: let's have a look at "in scope" section, http://www.w3.org/2006/WSC/wiki/NoteInScope, anything contentious there?
... replace "display" by "communicate" ...
mez walking through list
beltzner: would like to see recommendation on communication behavior ...
... in order to avoid phishing attacks ...
... how to begin secure communication ...
<PHB> (The groups mentioned are the FSTC and APWG)
<scribe> ACTION: beltzner to propose draft language to capture "how to begin secure communication" [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action05]
<trackbot> Created ACTION-42 - Propose draft language to capture "how to begin secure communication" [on Mike Beltzner - due 2006-12-19].
tyler: SOAP?
mez: use case from tim hahn
http://www.w3.org/2006/WSC/wiki/DesktopDecoration
<beltzner> http://diveintomark.org/archives/2006/12/07/rest-for-toddlers (better HTTP error codes)
<Zakim> stephenF, you wanted to ask about 3rd parties
<scribe> ACTION: tyler to review DesktopDecoration [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action07]
<trackbot> Created ACTION-44 - Review DesktopDecoration [on Tyler Close - due 2006-12-19].
StephenF: last one "in scope" -- reputation
services, third party sources in scope?
... currently it's protocol-centric ...
mez: not suggesting that third party services be out of scope
stephenF: There might be proprietary services there
mez: don't spend a lot of time on proprietary services
stephenF: As long as it's not just intended to be PKI
mez: PKI in final bullet is example, not meant to scope entire bullet point
<stephenF> change I made is s/PKI/e.g. PKI, generic reputation services/
tlr: pki in scope as concrete example; there might also be generic recommendations
chair diagnoses violent agreement between tlr and stephenF
mez: ... more about general categories in scope ...
... presume that what's there is pretty good ..
... large categories missing ...
tlr: authoring / deployment guidelines should be in scope
mez: thought that was part of ACTION-42
<scribe> ACTION: roessler to work with beltzner on ACTION-42 to possibly broaden it [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action08]
<trackbot> Created ACTION-45 - Work with beltzner on ACTION-42 to possibly broaden it [on Thomas Roessler - due 2006-12-19].
(some discussion about restating charter)
tlr: use cases, and how they're mapped to scope sections
mez: hope we'll get there soon
... any other things that should be in scope and aren't called out?
... going to out of scope
<Mez> http://www.w3.org/2006/WSC/wiki/NoteOutOfScope
hal: hesitant; think the second bullet is a null category
... don't think there's a thing that's not potentially dangerous
mez: trying to draw a boundary. "It's null" or "it's in scope" is different statements.
hal: Agree that something that's not dangerous is out of scope, but disagree on def of "dangerous"
mez: worried about slippery slope of trying to get across security context information for "4 o'clock"
hal: if the clock happens to use ssl ...
mez: potentially taking up valuable screen real estate
... turning security context information into noise ...
tlr: suggest we rule *in* *scope* the discussion of when security context information is to be communicated, and when it might be detrimental
... note use the scope discussion as a proxy for this ...
mez: ok
hal: ok, but was thinking about having some stuff always on the screen
mez: well, this is going to basic design principles discussion ...
... tradeoffs are a different area ...
hal: historically, people have found very imaginative attacks; "not dangerous" is fragile statement ...
<scribe> ACTION: roessler to add in-scope for appropriateness of communication of security context information [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action09]
<trackbot> Created ACTION-46 - Add in-scope for appropriateness of communication of security context information [on Thomas Roessler - due 2006-12-19].
<scribe> ACTION: zurko to yank "not dangerous" from out-of-scope [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action10]
<trackbot> Created ACTION-47 - Yank "not dangerous" from out-of-scope [on Mary Ellen Zurko - due 2006-12-19].
<Zakim> stephenF, you wanted to qualify the non-web protocols bullet
stephenF: there's a multi-protocol point to be taken into account
<scribe> ACTION: farrell to propose revised "non-web protocols" text for NoteOutOfScope [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action12]
<trackbot> Created ACTION-48 - Propose revised "non-web protocols" text for NoteOutOfScope [on Stephen Farrell - due 2006-12-19].
billd: ??
<scribe> bill, please scribe what you said
<stephenF> I just changed the "non-web" bullet to: "Uses of non-web protocols (such as ftp, smtp, pop3) that cannot affect the web security context."
tyler: "calculation ..." -- is that ruling spam detection like techniques out of scope?
mez: trying to rule that level of functionality out of scope
tyler: want to clarify that, would like to add text on it
phb: it's the main approach, but entirely tactical; always reacting to latest attack of bad guys
... as soon as they come up with proposal, it's too late ...
rob: good point, if we're going to have these different anti-phishing technologies, way to present to user needs to be consistent, ...
... with regard to the experience, that's something that we're saying is in scope ...
... but actual heuristics that power engines are out of scope ...
... would also agree on that ...
mez: did want to rule out of scope visualization of this stuff
<stephenF> if that last was correct then I'm confused about it
<billd> take off-line and determine if it is possible to clarify the need to keep certain parts of a session private or secure and in-scope protected by security context and not worry about other components of a user session.
<PHB> This is the same approach we have for PKI, the results are in scope, the way the results are arrived at is out of scope
<stephenF> for PKI the algs. are defined
<malware> Tyler, if you can, maybe type in your point in IRS
<malware> IRC
PHB: techniques to detect attack are out of scope, but way to present results to user is in scope
stephenF: confused by that
... if there's some kind of heuristic behind it, how do you communicate that it's out of scope?
<Zakim> malware, you wanted to suggest that we make sure we capture Tyler's original point in the minutes
malware: thinks this is important, make sure it gets into minutes -- Tyler, please type in more complete description of this point
tlr: +1 to rob; would like to see advanced heuristics out of scope, but petnames-like approaches ("is the same") in scope
<stephenF> it's ok that I'm confused btw :-)
<Tyler> I wanted to find out if the current "Out of scope" text puts spam like detection, heuristic techniques out of scope.
tlr: also, abstractions in scope ...
hal: "risky site" -- notion could change in future
rob: In IE, "suspicious" warning, "positively bad" warning
... likely to remain that way in IE ...
... want to talk about these two levels of warning ...
... understand which part of experience is effective ...
... which parts to merge and melt with ...
... bring things together to be more consistent, more effective ...
mez: action to amend in-scope to reflect this?
<scribe> ACTION: beltzner to amend in-scope to reflect consistency of user experiences, warning levels, etc [recorded in http://www.w3.org/2006/12/12-wsc-minutes.html#action13]
<trackbot> Created ACTION-49 - Amend in-scope to reflect consistency of user experiences, warning levels, etc [on Mike Beltzner - due 2006-12-19].
tyler: results about heuristics to add to bookmark page?
tyler: success measurements from browser vendors?
malware: can't speak for other browser vendors, but not willing to publish outside marketing literature
mez: back to out of scope at next meeting; next meeting next week
... more on the e-mail list and next week ...
<stephenF> bye then
adjourned
<billd> bye
<malware> I didn't mean to say not willing, just possibly not willing to share data about success of proprietary features
<malware> And data about on this coming from vendors is likely to not exactly be unbiased
ACTION-50 - Add mobile device text to scope text in wiki [on Stephen Farrell - due 2006-12-20].
ACTION-40 - Send proposed language on phones to mailing lists [on Phillip Hallam-Baker - due 2006-12-19].
ACTION-42 - Propose draft language to capture "how to begin secure communication" [on Mike Beltzner - due 2006-12-19].
ACTION-44 - Review DesktopDecoration [on Tyler Close - due 2006-12-19].
ACTION-45 - Work with beltzner on ACTION-42 to possibly broaden it [on Thomas Roessler - due 2006-12-19].
ACTION-46 - Add in-scope for appropriateness of communication of security context information [on Thomas Roessler - due 2006-12-19].
ACTION-47 - Yank "not dangerous" from out-of-scope [on Mary Ellen Zurko - due 2006-12-19].
ACTION-48 - Propose revised "non-web protocols" text for NoteOutOfScope [on Stephen Farrell - due 2006-12-19].
ACTION-49 - Amend in-scope to reflect consistency of user experiences, warning levels, etc [on Mike Beltzner - due 2006-12-19].
[End of minutes]