- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Thu, 19 Apr 2007 07:41:00 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
- Message-ID: <OF29835E08.B7F9B84D-ON852572C2.003FB7F6-852572C2.00403120@LocalDomain>
The presumption was that the reader would understand that these points were
all in context of the charter and direction of the working group.
I propose clarifying that, by changing the intro text in section 8 to:
Successive generations of web servers and user agents have improved upon
past implementations and achieved greater deployment of security relevant
infrastructure. This work provides a base upon which this working group
will build its recommendations. This section calls out the aspects of the
currently deployed web infrastructure that have already narrowed the
problem space we need to address, or that we intend to learn from or build
on.
I propose we also clarify section 9, by changing the opening sentence
to the following:
Though much implementation progress has been made, there remain problems
with the basic design for communicating security information to the user,
which is the core of the mission of this working group.
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/16/2007 06:50 AM
Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
To: public-wsc-wg@w3.org
cc:
Subject: ISSUE-50: present web security is not good enough; even 'though fixing
that is out of scope for this deliverable (public comment)
http://www.w3.org/2006/WSC/Group/track/issues/50
Raised by: Bill Doyle
On product: Note: use cases etc.
From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html
present web security is not good enough; even 'though fixing that is out
of scope for this deliverable
where it says, in 8 Merits of the status quo and 9 Problems with the
status quo
(impression is that the security of the Web is OK, it's just the user is
gullible and ill informed)
please consider
recognize that there are defects in the platform, say that this
deliverable is limited to boosting understanding at the user-browser
connection. Collect and document (even in a companion note) the things you
would rather have done but didn't because the platform technology is not as
widely deployed as you feel you need.
Why?
Just because this deliverable is going to try to improve things at the
cognitive connection between the browser and the user, don't pretend that
that's the only problem left to fix. For example, present practice is to
offer the user a printed hardcopy for their records, not a fully machinable
data record. This is a violation of what ought to be basic business rights
of the consumer. The merchants claim that the user can't be trusted to
secure these data. But they don't tell the user that. They use their wiles
to keep the user ignorant of what they could have, and should have, had
access to. That needs to be laid at the door of the Operating System as a
defect in user support, not blown by with "best current practice is good
enough." While this is presented as a matter of general consumer defence,
it becomes critical for people with certain disabilities where having your
personal-business office in a personal computer is the only way to be able
to independently conduct your personal business, not just a convenience.
One shouldn't have to pay web merchants through a credit card in order to
import the results into Quicken, for example. And you should be able to
import the full, itemized invoice, not just the bottom line.
Received on Thursday, 19 April 2007 11:41:12 UTC