

From: Doyle, Bill <wdoyle@mitre.org>
Date: Thu, 12 Apr 2007 15:16:27 -0400
Message-ID: <518C60F36D5DBC489E91563736BA4B58016919D0@IMCSRV5.MITRE.ORG>
To: "Chuck Wade" <Chuck@Interisle.net>, <public-wsc-wg@w3.org>

This is the text that I asked to be added to the "Available Security
Context" section of the note.
We needed something; this still has its issues.

Web Server / Application Security

The Web Server and User Agent must negotiate a configuration that is
mutually acceptable as noted in the User Agent section. Application
security adds additional safeguards in addition to transport layer
security (HTTPS). Application security can provide additional security
context in order to maintain session security or enhance web server
security to ensure that user data is private and secure from both
external and internal attacks.

Connection Security 

*	User Agent / Web Server config - connection (e.g. HTTP protocol used in a secure mode)
*	Acceptable Ciphers negotiated
*	Certificate Authentication (verify the client cert)

Hosted Application Security 

*	Authentication Robustness
	*	Additional fields/services used by the web server to verify the user's authenticity
		*	Password customization
		*	Tokens, Biometrics

Received on Thursday, 12 April 2007 19:14:16 UTC
