W3C home > Mailing lists > Public > public-bpwg@w3.org > February 2009

RE: [ACTION-899] Web Security Context feedback on security Best Practice for MWABP

From: Jo Rabin <jrabin@mtld.mobi>
Date: Mon, 9 Feb 2009 06:51:50 -0000
Message-ID: <C8FFD98530207F40BD8D2CAD608B50B401ABA009@mtldsvr01.DotMobi.local>
To: "Mobile Web Best Practices Working Group WG" <public-bpwg@w3.org>

For any x "Are there risks involved in doing x?" has the correct answer
"Yes" e.g. where x is "eating ham sandwich" it remains true.

Best Practice would surely be: "Balance the convenience of the user with
the possible risks involved. If you don't feel you know enough about the
risks, err on the safe side."

Jo



> -----Original Message-----
> From: public-bpwg-request@w3.org [mailto:public-bpwg-request@w3.org]
On
> Behalf Of Francois Daoust
> Sent: 04 February 2009 09:45
> To: Mobile Web Best Practices Working Group WG
> Subject: [ACTION-899] Web Security Context feedback on security Best
> Practice for MWABP
> 
> 
> Hi,
> 
> I had contacted Thomas and the Web Security Context Working Group to
get
> feedback on section 3.2.1 [1] of the Mobile Web Application Best
> Practices draft. They discussed the topic in one of their calls and
sent
> their advice to the comments mailing-list:
> 
> http://lists.w3.org/Archives/Public/public-bpwg-
> comments/2009JanMar/0005.html
> 
> In short, they strongly advise us *not to* write a best practice that
> would recommend to use a Hashed Identity Token in lieu of a proper
HTTPS
> connection. Potentially valid use-cases would be too hard to capture
in
> a short best practice statement.
> 
> When you ask security experts about trading security, the outcome is
to
> be expected, I suppose, but I must say I find their arguments
> particularly relevant to MWABP. Any reaction to that?
> 
> Francois.
> 
> [1]
>
http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/ED-mobile
-
> bp2-20090101#bp-security-infoexchange
> 
> 
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.0.233 / Virus Database: 270.10.16/1925 - Release Date:
01/30/09
> 07:37:00
Received on Monday, 9 February 2009 06:52:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:43:00 UTC