- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 23 Mar 2007 12:39:04 +0100
- To: public-usable-authentication@w3.org
- Cc: rsalz@us.ibm.com, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, "Close, Tyler J." <tyler.close@hp.com>
----- Forwarded message from Richard Salz <rsalz@us.ibm.com> -----
From: Richard Salz <rsalz@us.ibm.com>
Subject: Comments on FPWD of scope and use cases
Date: Thu, 22 Mar 2007 16:22:58 -0400
This is a pretty comprehensive document; nice job. A few suggestions:
Add some words about who the intended audience is in the abstract and
section 1.
I'd move use-case 20 before 16 (the start of a couple that have a
different format). Also, a summary table of the characteristics might be
useful, as in:
20 | Known, prior visit | No interaction | None
It might help show any patterns in the use-cases and also show if there
are gaps.
In section 7, are you that confident that you can claim it's truly an
exhaustive list? :) For cookies, do you want to explicitly call out "both
those sent and server requests to store"? DNS can also provide
reverse-mapping addresses; if example.com has IP address 1.2.3.4, does
4.3.2.1.in-addr.arpa map to example.com? Also, IP ping/traceroute can show
packet flows ("since when is Citibank HQ in Uzbekistan?"). Also, IP/geo
mapping facilities. These aren't commonly done, but since you mention
reputation service...
Section 8.1 -- not something we veterans of the previous decade thought
we'd see... :) But in 8.4, what do the managers use to make sure they
don't give the credentials to a phisher?
In section 9.2.5, isn't it really the decision to support display of a
logo that the visited web site can control?
In section 10, I'd say we've been doing research on making security usable
for a long time, but still have yet to get any widely-applicable
satisfactory answers.
Hope this helps.
/r$
--
STSM
Senior Security Architect
DataPower SOA Appliances
----- End forwarded message -----
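The reverse-mapping check raised in the forwarded comments (does the PTR name for 1.2.3.4 map back to example.com?), written out as an added example that is not part of the mailing-list message or the W3C document it reviews. It uses only the Python standard library; the zone tables, hostnames and addresses are constructed sample data standing in for live DNS.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample records (not real DNS data). Forward (A/AAAA) and
# reverse (PTR) views are kept separately, as they are in the real system.
SAMPLE_ADDR: Dict[str, List[str]] = {
    "example.com": ["1.2.3.4", "2001:db8::10"],
    "mx.hosting.example": ["1.2.3.5"],
}
SAMPLE_PTR: Dict[str, str] = {
    "4.3.2.1.in-addr.arpa": "example.com",
    "5.3.2.1.in-addr.arpa": "mx.hosting.example",  # PTR names a different host
}


def reverse_name(ip: str) -> str:
    """Build the PTR query name: 1.2.3.4 -> 4.3.2.1.in-addr.arpa,
    an IPv6 address -> nibble-reversed name under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_reverse_mapping(
    hostname: str,
    ip: str,
    lookup_ptr: Callable[[str], Optional[str]],
    lookup_addr: Callable[[str], List[str]],
) -> dict:
    """Compare the visited hostname with the PTR record for its address.

    ptr_matches_host: the PTR target is exactly the name the user visited.
    forward_confirmed: the PTR target itself resolves back to `ip`
    (forward-confirmed reverse DNS), which guards against a PTR that
    simply claims to be someone else's name.
    """
    ptr_name = reverse_name(ip)
    target = lookup_ptr(ptr_name)
    result = {"ptr_name": ptr_name, "ptr_target": target,
              "ptr_matches_host": False, "forward_confirmed": False}
    if target is None:  # no reverse record at all: weakest possible signal
        return result
    host = hostname.rstrip(".").lower()
    target = target.rstrip(".").lower()
    result["ptr_target"] = target
    result["ptr_matches_host"] = target == host
    # Normalise both sides so "2001:db8::10" and "2001:DB8:0::10" compare equal.
    want = ipaddress.ip_address(ip)
    result["forward_confirmed"] = any(
        ipaddress.ip_address(a) == want for a in lookup_addr(target))
    return result


def sample_ptr(name: str) -> Optional[str]:
    return SAMPLE_PTR.get(name)


def sample_addr(name: str) -> List[str]:
    return SAMPLE_ADDR.get(name, [])
```

Neither flag alone proves a site is genuine: many legitimate hosts sit behind shared addresses whose PTR names the hosting provider, so the result is one heuristic input to display alongside the others the document lists, not a verdict.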
Received on Friday, 23 March 2007 11:38:55 UTC