
Re: Draft charters available; please comment.

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Wed, 21 Jun 2006 14:26:52 -0400
To: Thomas Roessler <tlr@w3.org>
Cc: public-usable-authentication@w3.org
Message-ID: <OF1B7CCA42.5602DC8F-ON85257194.006454A1-85257194.00655E03@notesdev.ibm.com>
> 
>   - Web Security Context Baseline.
>     http://www.w3.org/2005/Security/wsc-charter
> 
>     Think of this as "Secure Metadata" and "Secure Chrome" put
>     together:  What should user agents display, and how can
>     they do this securely?

No surprise to anyone on this list, I like this one. I think it provides
real value, both against attacks and as a foundation to other works. It
explicitly goes after the space of what can be spoofed, which needs more
attention.


>   - Form Annotations for HTTP Authentication.
>     http://www.w3.org/2005/Security/htmlauth-charter
> 
>     Think of this as form-filler support on steroids, as
>     sketched in late May on this list.

I'm less excited about this one, but it could be that I don't have the
full vision. What irks me about this one is that passwords aren't the only
thing. In fact, they're not even always the most useful thing. Other PII
like credit card numbers, SSN, etc. are still ripe forms of attack. So
what I don't get about this one is "why"? If it's "just" to provide an
excellent foundation for exploring solutions that need this feature, then
I do get that, because there's research that's having problems with this.
I'm missing why, if protecting passwords is the question, Digest isn't the
answer. It may be obvious to pretty much everyone else, so apologies if it
is.
        Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
IBM Lotus/WPLC Security Strategy and Architecture
Received on Wednesday, 21 June 2006 18:27:08 UTC