See also: IRC log
<Mez> http://www.w3.org/2007/03/06-wsc-minutes
<tlr> minutes approved
Mez: closing action items, no objections
<Zakim> thomas, you wanted to ask about path forward for glossary
tlr: inquiring about status of glossary action
Mez: nobody has the action now
... we could use the wiki to develop a glossary
<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0072.html
<tlr> ACTION: schechter to put Tim Hahn's outline into Wiki, fill in some, [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action01]
<trackbot> Created ACTION-152 - Put Tim Hahn's outline into Wiki, fill in some, [on Stuart Schechter - due 2007-03-20].
Mez: wants to talk about the status of the Note
Mez: Who has reviewed the Note in detail?
praveen: I have reviewed it, will open an email thread
<Chuck> Yes, I have reviewed Notes, with perspective on how to address my Action 150
Shawn: I have also reviewed it
<ses> i've only glanced at it.
<ses> (very briefly)
billd: I have also reviewed the Note and have a list of comments I am working on
<jvkrey> Only briefly here as well
Mez: Please log with the group once you've reviewed the Note so that we can track the review process
<Chuck> When you refer to the "Note," you do mean the "Web Security Experience, Indicators and Trust: Scope and Use Cases" document we just released???
Mez: Looking to set a deadline for review of the Note
<Chuck> ydx
<Chuck> err, yes
<ses> Depends what you want us looking for in terms of response to review
<Zakim> thomas, you wanted to suggest that we schedule a note review call in 4 weeks or so
Mez: Does a week sound plausible for review w/o comments of the Note?
<ses> <--Has put list of terms Tim generated for Glossary into the wiki. This does not mean that I agree that these are the important terms or that I even understand what's requested by them.
<Mez> many thanks ses
<ses> <http://www.w3.org/2006/WSC/wiki/GlossaryFile>
tlr: explains parts of the process for creating new versions of the Public Working Draft
<tlr> ACTION: thomas to tell tyler about how to do diffs for specprod documents [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action02]
<trackbot> Created ACTION-153 - Tell tyler about how to do diffs for specprod documents [on Thomas Roessler - due 2007-03-20].
Mez: look at the outstanding ISSUES list to determine needed edits to the Note
<Mez> http://www.w3.org/2006/WSC/drafts/note/#status-quo
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
<tlr> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0055.html
Mez: Continuing the conversation on the "Document the status quo" section of the Note
bill-d: We're missing something on multi-factor authentication
bill-d: For example, scenarios involving smart cards
... Am also working on the "Available security information" section.
<Chuck> When considering authentication, it is also worth paying attention to which entity is being authenticated: e.g., the user (a person), their computer, their browser, a smart card, a token
<ses> I was reading what supposedly? Where?
<Mez> http://www.w3.org/2006/WSC/drafts/note/#status-quo
<ses> OIC
<Mez> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Mar/0050.html
Mez: summarizes the above linked email
http://www.w3.org/2006/WSC/drafts/note/Overview.html#available
Mez: Switching topics to "Available security information"
bill-d: Have a number of additions I would like to make to the Note
Mez: Anyone have additional information about current presentation of security information?
<Chuck> What about indicators of cookies, javascripts, flash objects, images from third party sites
<ses> Firefox has some nice add-ons that let you see what cookies are stored for a given page.
<Chuck> All of these indicators are shown by one or more browsers and/or plugins
bill-d: "Provided by HTTP" section should also include response codes and more HTTP Auth modes.
<ses> This may be brain dead, but isn't the source code of the page contents useful security information? It's the only way I know to know where a form will be submitted.
<tlr> ACTION: doyle to track HTTP Auth related extensions [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action03]
<trackbot> Created ACTION-154 - Track HTTP Auth related extensions [on Bill Doyle - due 2007-03-20].
praveen: Notes some additional cookie information could be presented
<tlr> ACTION: praveen to track P3P header related indicators [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action04]
<trackbot> Created ACTION-155 - Track P3P header related indicators [on Praveen Alavilli - due 2007-03-20].
<ses> zakin, mute ses so that he can sneeze
Chuck: A number of plugins are presenting additional information
Mez: Will you take an ACTION to start a list?
Chuck: OK, but want help
<tlr> proposed ACTION: chuck to circulate his list of privacy and security indicators
<tlr> ACTION: chuck to circulate his list of privacy and security indicators [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action05]
<trackbot> Created ACTION-156 - Circulate his list of privacy and security indicators [on Chuck Wade - due 2007-03-20].
<Chuck> Agreed
ses: We also need the HTML source to show up in available security information
<Chuck> Excellent point, both an important issue (forms receiver) and an example of a terrible user interface/indicator
Mez: suggests "Provided by HTML" for this topic
ses: Don't understand the meaning of "Provided by HTML"
<jvkrey> document?
ses: Javascript content isn't covered in the current list
<staikos> sorry, I have to go :( however I wanted to update that my browser app is almost ready for testing now
<staikos> just a few things left
bill-d: I might have some suggestions for changing the structure of "Available security information"
<tlr> just say "proposed action" or some such, and I'll make sure the bot swallows it
<Mez> proposed action - ask Tyler to update description of 7.2 to encompass the page source, not just URL spec
<Mez> may be superseded by bill's suggestions later
<tlr> ACTION: tyler to update 7.2 to encompass page source [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action06]
<trackbot> Created ACTION-157 - Update 7.2 to encompass page source [on Tyler Close - due 2007-03-20].
Mez: Interested in "Has the page completed loading?" Noticed a problem with the display of this status in Safari
<Chuck> When the little wheel stops spinning (for Safari)
<Mez> aahhhhh
<Mez> I didn't see the wheel
bill-d: Who really provides the information that the page has completed loading?
... Doesn't the user agent really determine when the page has completed loading?
Mez: Need more information in the section about why it is structured the way it is
<Chuck> Dare we open up the question of CSS, and CSS overrides??
Mez: Is the redirection list displayed anywhere?
Tyler: The back button drop down list presents some of this information. Will send an email to the list.
<Mez> proposed action - the line tyler just put in
Chuck: The user agent often does not display which CSS styling has been applied to the page
<jvkrey> css content replace?
<ses> I think this is the issue that if we're enumerating section 7 by standards, we're missing a bunch (scripting languages, CSS, etc.)
Chuck: The page could look very different if the intended CSS was not applied to the page
<jvkrey> I think this touches the "has the page completed loading?" again
ses: If the attacker can change the page content, the user's decisions may be changed
<ses> Tyler -- the salient point there is that the attacker could do this only using CSS
Chuck: Need an indicator of whether the page is being displayed based on full information from the web site, or whether the browser only got partial information and "filled in the rest", possibly causing a material change to the information perceived by the user
<Chuck> I think so
PHB: For example, I've seen a case where the site intended to display white text on a colored background, but the browser did not fetch the CSS and so displayed white text on a white background.
<PHB> There is no way at present to know if a contract offer is pure HTML, HTML + CSS or script.
<Mez> mute thomas
<PHB> Fixing this requires major issues to change HTML
TLR: This discussion seems to be running up against part of the design of the web, in particular ability to render content incrementally, as it is fetched.
<Chuck> The issue we probably want to address here is how to communicate to a user that the form they are viewing is complete as intended by the authoritative source.
<Chuck> This is important to indicate before a user fills in data into the form.
<bill-d> Chuck, agree - I will incorporate and will send out text for comment
Mez: Let's keep working on this on the mailing list, in particular, we need more information about user interpretations of this information from user studies.
TLR: Perhaps we should also note the "robustness" of the current presentation as we enumerate it.
... For example as part of completing the goal "Reliable presentation of security information"
<tlr> ACTION: roessler to add documentation of known systemic flaws to "Document the status quo" goal [recorded in http://www.w3.org/2007/03/13-wsc-minutes.html#action07]
<trackbot> Created ACTION-158 - Add documentation of known systemic flaws to "Document the status quo" goal [on Thomas Roessler - due 2007-03-20].
Mez: Any closing comments on this goal?
... Will look at threat trees next week.
... goodbye