W3C home > Mailing lists > Public > public-wsc-wg@w3.org > December 2007

Luis Barriga's WSC-XIT Review

From: Luis Barriga <luis.barriga@ericsson.com>
Date: Fri, 21 Dec 2007 14:36:56 +0100
Message-ID: <1C6A13C92F510849B72272A71F9F3BCB027B2112@esealmw105.eemea.ericsson.se>
To: <public-wsc-wg@w3.org>

As agreed at the latest meeting, my comments to the draft from November
28th.

4.2.2 Attacks
-------------
Why is the whack-a-mole attack the only attack mentioned here? There are
other attacks too. Shouldn't this section me moved to the threat trees
document? Or maybe this section should also refer to the Threat Trees
document?

5.0 Applying TLS to the Web
----------------------------
Which version of TLS is the draft assuming? RFC2818 (HTTP over TLS) is
informational which in turn refers to TLS 1.0 (RFC2246) obsoleted by 1.1
that will be obsoleted by v1.2 (RFC4346). 

One of the additions to the new TLS is that pre-shared keys (PSK) can be
used for establishing a TLS session. It is open for future discussion
whether we class this type of transaction as weak or strong TLS.

5.3.6 Interactively accepting trust anchors or certificates
-----------------------------------------------------------
The definition of "interactively accepted" trust anchor (TA) or cert
excludes the case when a user installs a TA/Cert as a primary task. I
recall having seen cases in enterprises where employees receive
directives on how to update roots/certs. Also, when I update the OS in
my home PC, some certs are updated too.

Whether that is done as primary or secondary task doesn't look relevant
to me, since the result is the same.

I suggest to let the definition focusing on that the user is involved
providing explicit consent to install TA/Cert.

9.2 Use TLS for Login Pages
---------------------------
Current text is: "All login pages MUST be served from secure servers ie.
login pages must be TLS protected"

Shouldn't that be "login pages must be strongly TLS-protected"?

9.5 Security Experience Across Devices
--------------------------------------
I have commented this section previously. See
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Nov/0015.html 

I include those comments sligthly rephrased for better readibility. 

Current text>> "Web content SHOULD be designed offer the same security
user experience across ..."

Web content designers can't control user experience (UX) which is
largely defined by the browser. Asking for the *same* UX is
non-desirable. The web content designer can only control trust anchor
and TLS consistency. Proposal to rephrase to: 

Proposal>> "Web content SHOULD be designed offer the same trust and TLS
consistency across ..."

Current text>>"Web site owners operating TLS-protected sites should
anticipate the use of those sites from mobile devices which may have
constrained capabilities, or diverging sets of trust anchors"

luis>> As phrased, "diverging sets of trust anchors" looks like an
alternative to "constrained capabilities". In reality, the divergence a
consequence of constrained capabilities:

Proposal>>"Web site owners operating TLS-protected sites should
anticipate the use of those sites from mobile devices which may have
constrained capabilities e.g. diverging sets of trust anchors or limited
cryptographic mechanisms"

Typos
-----
Occured >> occurred
Atttested >> attested
6.3 "... provide a a primary "
Received on Friday, 21 December 2007 13:37:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:55 GMT