W3C home > Mailing lists > Public > public-usable-authentication@w3.org > June 2006

RE: Secure Chrome and Secure MetaData

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Tue, 20 Jun 2006 18:15:47 -0400
To: "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, "'Drew Dean'" <ddean@yahoo-inc.com>
Cc: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-usable-authentication@w3.org>
Message-ID: <E1FsoVv-0000fJ-1T@maggie.w3.org>

I do think there is merit to focus and not to digress, but regarding the
out-of-scope comment

Just remember two things:

1. There can be solutions that can both solve in-scope and out-of-scope
problems, and these solutions might be favored just for that reason
2. If all the hard problems are put on someone else's plate and no progress
is ever made on these hard problems, that we might be building our solution
on a base of sand.

-----Original Message-----
From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of
Hallam-Baker, Phillip
Sent: Tuesday, June 20, 2006 5:44 PM
To: Drew Dean
Cc: Mary Ellen Zurko; public-usable-authentication@w3.org
Subject: RE: Secure Chrome and Secure MetaData

> From: Drew Dean [mailto:ddean@yahoo-inc.com] 

> To follow up on Phil and Mary's points:
> I find it rather interesting that there's been no discussion 
> of the Compartmented Mode Workstations (CMW) of the 
> 1980s-1990s.  While they aren't a shining example of success, 
> unambiguously displaying the  
> security label of a window is exactly the "secure chrome" problem.   
> If we don't study history, we'll be condemned to repeat it....

I agree that this is a very attractive approach for some problems. For
example Civilization IV refuses to run without full admin privs. I don't
want to give admin privs on the machine but I would allow full admin privs
on a virtual machine that had no ability to affect anything outside its

This is simply good old compartmentalized security.

> I mostly, but not entirely, agree with Phil's ruling platform 
> attacks out of scope.  I agree that solving that problem 
> isn't our problem, but think that we can reasonably specify 
> requirements on the platform at and below us (i.e., browser & 
> underlying OS) to support a trusted path of some sort.  The 
> details, however, should be out of scope -- and may/probably 
> be implementation dependent, so there's not much to standardize.

I think that we can have a wide ranging discussion and we should discuss the
requirements interfaces across the entities. For example CardSpace (nee
Infocard) is bolted into the Vista O/S and that is a large part of the

What we do need to do though is to exclude all comments of the form 'this is
not going to work because of [out of scope attack]'. The answer to that has
to be 'that topic is out of scope for this forum'.

On the other hand I would very much welcome someone who did a security
analysis of the latest Internet Crime Attack 'Phuming' in which they
identified six components that relate to topics that are in scope and
another ten that turn out to be out of scope. Just don't suggest that this
is the place to solve those problems or that the group should do nothing
until the problem is solved.

The point is to deliver on a tightly focused statement of work, not to solve
every problem in this space. 

Received on Tuesday, 20 June 2006 22:16:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC