
Re: Comprehensive list - known Threat and Protection table

From: James A. Donald <jamesd@echeque.com>
Date: Fri, 29 Sep 2006 12:55:31 +1000
Message-ID: <451C8B23.1060207@echeque.com>
To: George Staikos <staikos@kde.org>
CC: public-usable-authentication@w3.org

     --
 > > > > I mean - by way of example - imagine you walk up
 > > > > to a free public internet terminal in an airport
 > > > > - then click the "back" button on the browser a
 > > > > few times.  You get all kinds of fun stuff -
 > > > > personal emails, bank statements, corporate
 > > > > intranets, etc etc...

  George Staikos wrote:
 > > >   I don't think this is a solvable problem.  It's
 > > >   I/O error.  I could
 > > > leave my wallet on the cashier counter and lose
 > > > all my money and credit card/SSN/etc numbers too.

James A. Donald
 > > But you know you are leaving your wallet on the
 > > cashier counter.
 > >
 > > The display of personal information should require a
 > > login, and a login should result in an icon or page
 > > somewhere on the screen that displays a logout
 > > button.  And if that page or icon goes away, you
 > > should be logged out.  Alternatively there should be
 > > an icon on the desktop showing that you are
 > > currently logged in to whatever, and you can click
 > > on that icon to log out all.

George Staikos wrote:
 >   Basically what you are talking about is a floating
 >   login token.

No.

I am talking about user interface for representing login
state.  Login should be done by the client rather than
the web page so that, among other things, the client
knows whether you are logged in or not.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      jNwyTdG8v6uo+512pHZa8Vd0iBeOhgOJ8NN94P3y
      4zLBWD9alA5ZJtZTNHiJblitVeQri6N4PpjBFdOZb
Received on Friday, 29 September 2006 02:55:43 GMT
