[ACTION-899] Web Security Context feedback on security Best Practice for MWABP

From: Francois Daoust <fd@w3.org>
Date: Wed, 04 Feb 2009 10:45:04 +0100
Message-ID: <498963A0.401@w3.org>
To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>

Hi,

I had contacted Thomas and the Web Security Context Working Group to get 
feedback on section 3.2.1 [1] of the Mobile Web Application Best 
Practices draft. They discussed the topic in one of their calls and sent 
their advice to the comments mailing list:

http://lists.w3.org/Archives/Public/public-bpwg-comments/2009JanMar/0005.html

In short, they strongly advise us *not to* write a best practice that 
would recommend using a Hashed Identity Token in lieu of a proper HTTPS 
connection. Potentially valid use-cases would be too hard to capture in 
a short best practice statement.

When you ask security experts about trading security, the outcome is to 
be expected, I suppose, but I must say I find their arguments 
particularly relevant to MWABP. Any reaction to that?

Francois.

[1] http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/ED-mobile-bp2-20090101#bp-security-infoexchange
Received on Wednesday, 4 February 2009 09:45:39 UTC