Re: What problems are we trying to solve?

Mez,

when I had first seen your list, I had read that point with an
emphasis on "discovered an attack", and had thought of heuristic
techniques, IDS-like stuff, and so on.

I do think that discussion on how user agents ought to react to
failures of security protocols is in scope -- the prime example here
being the MITM detection in SSL which is subverted by giving users
an override button that they'll of course push.

When discussing what the right approach to communicating this kind
of failure is, aborting the transaction shouldn't be off the table
purely for scope reasons.

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

On 2006-12-07 18:04:50 -0500, Mary Ellen Zurko wrote:
> From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
> To: tyler.close@hp.com
> Cc: public-wsc-wg@w3.org
> Date: Thu, 7 Dec 2006 18:04:50 -0500
> Subject: RE: What problems are we trying to solve?
> List-Id: <public-wsc-wg.w3.org>
> X-Archived-At:
> 	http://www.w3.org/mid/OFCF3BFB45.97D2F8CB-ON8525723D.007FA0F2-8525723D.007FF3CF@LocalDomain
> 
> Since our charter is recommendations on secure and usable presentation of 
> web security context information, it does not cover recommendations on 
> what browsers should do should they display or determine that web security 
> context information indicates (the potential for) an attack. For example, 
> stating whether or not users should be allowed to go to sites under 
> particular circumstances would be out of charter. 
>         Mez
> 
> 
> "Close, Tyler J." <tyler.close@hp.com> 
> Sent by: public-wsc-wg-request@w3.org
> 12/05/2006 02:08 PM
> 
> To: <public-wsc-wg@w3.org>
> cc:
> Subject: RE: What problems are we trying to solve?
> 
> Mary Ellen Zurko wrote:
> > Out of scope: 
> > * techniques to stop the user from taking an action because
> >   an attack has been discovered
> 
> Could you clarify the above item?
> 
> Thanks,
> Tyler
> 

Received on Friday, 8 December 2006 05:27:44 UTC