
RE: Safe Web Browsing Mode

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Mon, 23 Apr 2007 06:23:14 -0400
To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
Message-ID: <023501c78591$684198b0$6500a8c0@dschutzer>
Yes, this was not meant to be exclusive to communicating to banks; it should
be extensible to many other classes - just that banks might be early



From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Mary Ellen Zurko
Sent: Friday, April 20, 2007 6:17 PM
To: Dan Schutzer; public-wsc-wg@w3.org
Subject: RE: Safe Web Browsing Mode


Thanks for posting that Dan. 

"These websites can only be selected from an approved list of websites that
have gone to some lengths (e.g. compliance with special PKI technical
requirements (see Part 1: Technical below), and undergoing a rigorous
certification and compliance process) to allow it to be reliably
distinguished from spoof sites. Examples of such certification steps
include: being able to prove the website is from a trusted top level domain
(e.g. .bank); or having the site credentials verified by a Bridge Authority;
or verified by an EV where special verification and compliance steps have
been taken to provide a guaranteed level of trust). "

As a user, I'd want to use this for my work sites as well, which are not
banks. I imagine that would be true of many users; they'd want to trust the
sites associated with their place of work with PII or similarly sensitive

"(e.g. see FSTC BMA document entitled "FSTC BMA Browser Recommendations"),"
For that to be part of this discussion, we'll need a URL for it. Is it the
document that Chuck shared for discussion at our last meeting?
At a glance, it's not clear to me which parts of that document cover the
distinct look, and which part the items that should be turned off. But I
think the latter won't be core to the initial discussion. 

"In fact, banks and other "trusted sites" could incent users who only access
them on-line via SBM Mode (e.g. provide loyalty points, safety guarantees,
fee discounts or higher interest rates). "
I think they could only "know" that via updates in protocols, which are out
of scope. But maybe I'm missing something. 

"To make SBM useful, three things must be true: a. users must be in SBM mode
before there is any possibility of providing bogus FI sites with information
b. users must be aware that they are in SBM c. users must understand that
only legitimate "trusted" websites will be accessible in SBM, and that it is
therefore safe to provide information to sites that are accessible in SBM "
This is a really nice summary. What it brings home to me is the two-tier
model of the proposal, which I struggle with. The more general it is, the
wider the range of data the user could be asked to provide inappropriately
(FIs could ask for something that would be company confidential, if it also
includes my work sites). But the more narrow it is, the more attacks from
totally unknown parties it leaves out. 

I see your proposal does in fact address some of those concerns, but
consciously wants to leave them out "to start with". Do you mean for the
duration of this WG's recommendations? (2nd to last paragraph before the
Part 1 - Technical). 

I really like this writeup. It puts together a whole proposal, but it's easy
to look at each of the components as well (how the trustworthy sites are
determined, for example, can be configurable or change over time; the set of
things that cannot be done is a separable consideration).


Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> 
Sent by: public-wsc-wg-request@w3.org

04/19/2007 07:54 AM


"Dan Schutzer" <dan.schutzer@fstc.org>




RE: Safe Web Browsing Mode




Dan has posted an updated proposal on Safe Web Browsing, which I hope we'll
be able to discuss next week:



Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
Received on Monday, 23 April 2007 10:23:51 UTC
