See also: IRC log
<ifette> link for minutes?
<Mez> http://www.w3.org/2008/01/09-wsc-minutes.html
Mez: next item, approving minutes from last meeting
... Approved
... Weekly completed action items
<tlr> sorry about the minutes, seems they were stuck
<tlr> http://lists.w3.org/Archives/Member/member-wsc-wg/2008Jan/0009.html
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0150.html
Mez: action items closed due to inactivity, none. Some might be closed later.
... Agenda bashing
... Issues 128, 124, 125, 129 have no next step
Mez: Please fill out the questionnaire for the next f2f by this week. http://www.w3.org/2002/09/wbs/39814/wscf2fgoog2008/
Mez: Remind everyone there is a heartbeat requirement for xit and usecases.
tlr: early February is a reasonably accurate date ;-)
<Mez> http://www.w3.org/2006/WSC/track/issues/128
Mez: first item ISSUE-128, what is the next step?
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Dec/att-0021/rewrite-5-20071205.html
<Mez> [Definition: (normative) Strong TLS algorithms are defined as the algorithms recommended by [ref-ALGORITHMS].]
Mez: A lot of discussion, but nothing summarizes it
yngve: Point out for "What is a secure page", I put estimates for what encryption bit strength can be broken in a number of years... Can be used as a foundation.
Mez: link ?
yngve: coming up
Mez: other proposals?
<yngve> http://www.w3.org/2006/WSC/track/actions/285
johnath: maybe ping Stephen
<tlr> I believe this was Yngve's proposal: http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
<yngve> References: http://lists.w3.org/Archives/Public/public-wsc-wg/2007Sep/0014.html
<johnath> yes - that looks like a lovely set of references to me
<tlr> The Dining Cryptographers' List
PHB2: It is not really something to do in usability.
Bill: I believe the structure is in place to do this, in Apache for example
PHB2: The usability document needs to reference the TLS recommendations
<yngve> http://www.ietf.org/rfc/rfc4346.txt
<yngve> http://www.ietf.org/rfc/rfc3766.txt
tlr: rfc 3766 sounds like the one
<tlr> ACTION: bill-d to draft language to reference RFC 3766 or successors in a useful way [recorded in http://www.w3.org/2008/01/16-wsc-minutes.html#action01]
<trackbot-ng> Sorry, couldn't find user - bill-d
tlr: Something along the lines as "Only use algorithms in RFC3766 for public key encryption"
<tlr> ACTION: doyle to draft language to reference RFC 3766 or successors in a useful way [recorded in http://www.w3.org/2008/01/16-wsc-minutes.html#action02]
<trackbot-ng> Created ACTION-370 - Draft language to reference RFC 3766 or successors in a useful way [on Bill Doyle - due 2008-01-23].
Mez: anything else ?
... Next issue, ISSUE-124.
<Mez> http://www.w3.org/2006/WSC/track/issues/124
<Mez> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#safebar-reliabletext
Mez: very visually oriented section. *Might* be something tricky about this one.
... one way is to substitute "display" with "present"
tlr: Present vs display probably takes care of most of this issue.
... This section needs to be cleaned up for normative language
... Would prefer someone else to do it
asaldhan: I can do editorial changes to it
<tlr> ACTION: anil to take a stab at ISSUE-124 [recorded in http://www.w3.org/2008/01/16-wsc-minutes.html#action03]
<trackbot-ng> Created ACTION-371 - Take a stab at ISSUE-124 [on Anil Saldhana - due 2008-01-23].
<tlr> ACTION-371?
<trackbot-ng> ACTION-371 -- Anil Saldhana to take a stab at ISSUE-124 -- due 2008-01-23 -- OPEN
<trackbot-ng> http://www.w3.org/2006/WSC/track/actions/371
<tlr> ISSUE-125?
<trackbot-ng> ISSUE-125 -- Safe Form Bar: on screen masking phrased in terms of visual user agents -- OPEN
<trackbot-ng> http://www.w3.org/2006/WSC/track/issues/125
<Mez> http://www.w3.org/2006/WSC/track/issues/125
Mez: next item, ISSUE-125
... sounds like more of the same, visually oriented
<tlr> http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask
Mez: ?
... If we removed the "onscreen" in title, substitute present and display
<asaldhan> http://lists.w3.org/Archives/Member/member-wsc-wg/2007Nov/0006.html has brief discussion on this. tlr mentioning that it applies to voice
Mez: attack is visual
tlr: attack can also occur with a screen reader
<tlr> I don't understand what the requirements mean for non standard GUI; I can see a high-level requirement usefully in the spec
<tlr> ACTION: thomas to propose high-level wording instead of 7.6 http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125 [recorded in http://www.w3.org/2008/01/16-wsc-minutes.html#action04]
<trackbot-ng> Created ACTION-372 - Propose high-level wording instead of 7.6 http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125 [on Thomas Roessler - due 2008-01-23].
<tlr> action-372?
<trackbot-ng> ACTION-372 -- Thomas Roessler to propose high-level wording instead of 7.6 http://www.w3.org/TR/wsc-xit/#safebar-onscreenmask; ISSUE-125 -- due 2008-01-23 -- OPEN
<trackbot-ng> http://www.w3.org/2006/WSC/track/actions/372
<tlr> ACTION: mez to poll al G about shoulder surfing attacks in context of assistive technologies [recorded in http://www.w3.org/2008/01/16-wsc-minutes.html#action05]
<trackbot-ng> Created ACTION-373 - Poll al G about shoulder surfing attacks in context of assistive technologies [on Mary Ellen Zurko - due 2008-01-23].
Mez: next is, ISSUE-129
<Mez> http://www.w3.org/2006/WSC/track/issues/129
Mez: "Should we say anything about scoring techniques?"
... We have had some discussion with regards to the padlock
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0165.html
tjh: It should remain in the document
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2008Jan/0156.html
tjh: how to express it, as a colour, number, or sound... ?
Mez: Another part of the thread, if there is a problem, a passive notification is not enough, how can this be communicated?
... How can the site identity be distilled into a number?
... some concern about legal issues, related to a score
danschutzer: only certain things can be controlled. We would probably want to restrict ourselves to some things; Secure connection, accessing the site I think I am accessing
... cannot know about other things, such as compromised computer, or server
yngve: we have 2 types of security context indicators in many browsers 1) padlock, 2) fraud warning.
... we have some checks for questionable sites, scammers, etc. using blacklists or whitelists of sites
<tjh> maybe instead of "Page Security Score" it should be called "Connection Confidence Estimate".
yngve: there are questions about privacy for these solutions
<Zakim> ifette, you wanted to explain the legal issue thread
ifette: The legal stuff
... If a browser says it is secure, that is full endorsement...
... If Bank A and bank B get different scores, the one worse off might go after the browser vendor
<MikeM> if browsers haven't been sued over padlock for past 20 years, I don't see why we expect lawsuits over other indicators that are actually better.
<johnath> MikeM: that's a comfortable position to take when you're unlikely to be named in the suit, but I think Ian's point is that including this language will hurt adoption
<Zakim> Mez, you wanted to say that I am glad we have something in xit that addresses the space of the padlock
ifette: the padlock is not ambiguous in the same way as these algorithms
tjh: I don't recall our draft saying anything about "Safe for e-commerce" for page security score
PHB2: Large browser vendors were concerned about the legal implications of the padlock, that is why EV happened.
<ifette> Phil, are you saying that the legal concerns over the score (or worries on behalf of browser vendors) are or are not founded?
<Zakim> ifette, you wanted to say it's not what statement we intend but rather what the user interprets the statement as meaning
PHB2: the liability here... IANAL... the liability of the party who calculates/presents the information, and the party who provides the information needed
ifette: worry about how people will interpret security scores when comparing sites... Why is my page not as secure ?
<ifette> Potential next step would be to re-write this as something that is a back-end feature that is presented only when changes in this score are noted
ifette: if you are getting sued in any case, I see no benefit.
<ifette> But we're not writing new standards for stuff like that here :-)
<ifette> we're getting O/T...
PHB2: Possible approach, use a third party trust service... can minimize the legal risks
<Zakim> johnath, you wanted to reply to phil
<MikeM> decision in Austin was to allow 3rd parties to define scoring algorithms and let market forces drive innovation... only requirement on the UA is to allow these 3rd party scoring plugins
johnath: The legal issues are important. If this is phrased as a MUST, we will have to investigate the issues in order to remain standards compliant
<Mez> I don't remember that decision mikem
<ifette> I thought we said that new protocols etc were out of scope
<ifette> e.g. new infrastructure
<ifette> at least this was the argument Tyler raised against malware...
<Zakim> johnath, you wanted to reply to tim
<tlr> ACTION: tjh to rewrite page security score section [recorded in http://www.w3.org/2008/01/16-wsc-minutes.html#action06]
<trackbot-ng> Created ACTION-374 - Rewrite page security score section [on Tim Hahn - due 2008-01-23].
tjh: i can take an action item to summarize what came from the padlock discussion
<ifette> I have to go in a minute, but if there is a straw poll put me down in whatever category is most strongly against this proposal.....
<johnath> ifette: duly noted :)
Mez: all four issues covered
... will try to point out which sections of xit are more mature, based on our review comments as a topic at the San Jose f2f
... see you next week