
RE: wsc-xit review notes

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Fri, 28 Dec 2007 14:52:12 -0500
To: "'Doyle, Bill'" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>
Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <004a01c8498b$246834f0$6500a8c0@dschutzer>
I think we need to clarify what it means in this document. When I looked it
up, I found a number of different meanings being used for whack-a-mole.

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Doyle, Bill
Sent: Thursday, December 27, 2007 1:07 PM
To: public-wsc-wg@w3.org
Subject: wsc-xit review notes
4.2.2 whack-a-mole - means many things in terms of attacks (e.g. DDoS
whack-a-mole). I do not believe WSC wants to say "whack-a-mole refers to a web
site" without clarifying in this document that whack-a-mole means xxx.


Section 5


5.1 Would take out the text "the alternative upgrade mechanism
<http://www.w3.org/TR/wsc-xit/#ref-RFC2817> [RFC2817] is used rarely, if at
all". Think it is best to note expected usage of the protocol. Seems to
sidetrack the actual issues.


The discussions could describe that TLS is a versioned IETF protocol. It is
an ongoing specification where the latest version of the protocol has the
ability to be configured to accept a specific set of ciphers considered
"strong enough" for that version.


TLS Strong algorithms

Configuration settings can be used to drive cipher settings (e.g. the Apache
setting SSLCipherSuite -all +HIGH).

5.3 seems confusing.


Needs discussion on what is considered a weak / strong TLS interaction. This
paragraph could then describe how weak protection may provide IA in passive
attacks if strong TLS is not achievable. The more aggressive the attacker,
the higher the IA bar needs to be.


5.3.2 may want to add corporate intranets to list


6.1.2 - possibly restructure the paragraph and organize it; it is very
difficult to read. Suggestion - strong and weak TLS could be grouped:

During interactions with a <http://www.w3.org/TR/wsc-xit/#def-secure-Page>
TLS-secured Web page for which the top-level resource has been retrieved
through a <http://www.w3.org/TR/wsc-xit/#strong-tls> strongly TLS-protected
interaction, the following steps must be followed:

1. When the interaction is based on an
<http://www.w3.org/TR/wsc-xit/#AAcert> augmented assurance certificate, the
<http://www.w3.org/TR/wsc-xit/#def-identity-signal> identity signal MUST
include the Subject field's Organization attribute to inform the user about
the owner of the <http://www.w3.org/TR/wsc-xit/#def-Page> Web page.

2. When the interaction involves an
<http://www.w3.org/TR/wsc-xit/#def-attested-cert> attested certificate, an
applicable domain name label retrieved from the subject's Common Name
attribute or from a subjectAltName extension MUST be displayed.

3. When the interaction involves an <http://www.w3.org/TR/wsc-xit/#AAcert>
extended validation certificate....


and then discuss weakly TLS-protected sites.



7.4 - couldn't get through this sentence:


Each hyperlink in the list provided when the user selects the first option
in the first message of the bootstrap interaction MUST use the petname as
the hypertext
Need to standardize the name of the secure portion of the UI and all
references to this secure area of the UI.


Web user agents MUST prevent web content from obscuring, hiding, or
disabling security UI.


The user agent relies on many applications; does this include modification of
plugins and helper apps?


Web user agents MUST NOT expose programming interfaces which permit
installation of software, or execution of privileged code without user
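An added example, not part of Bill Doyle's notes, Dan Schutzer's reply, or the wsc-xit draft, showing one way a user agent could implement steps 1 and 2 of the 6.1.2 text quoted above: pick the domain-name label the certificate attests for the requested host (subjectAltName dNSName first, Subject CN as the legacy fallback) and, for an augmented assurance certificate, add the Subject Organization attribute to the identity signal. It works on the dict shape returned by Python's standard-library ssl.SSLSocket.getpeercert(), so it runs offline. The certificate contents, host names, and the augmented_assurance flag are constructed assumptions; getpeercert() exposes neither the policy OIDs an AA decision rests on nor the cipher strength, so those decisions are taken as inputs here.

```python
"""Identity-signal selection per the 6.1.2 steps quoted in the review notes.

Input format: the dict returned by ssl.SSLSocket.getpeercert() (stdlib).
All certificate data below is constructed sample data (assumption), not a
real certificate and not anything from the wsc-xit draft.
"""

from typing import Optional, List

# Constructed sample in getpeercert() form (assumption).
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank, Inc."),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.secure.example.com"),
    ),
}


def subject_attr(cert: dict, name: str) -> Optional[str]:
    """Return the first value of attribute `name` in the Subject field."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def san_dns_names(cert: dict) -> List[str]:
    """All dNSName entries of the subjectAltName extension, in order."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _label_matches(label: str, host: str) -> bool:
    """Exact match, or a single leading wildcard label that stands for exactly
    one host label (no partial wildcards such as 'w*.example.com')."""
    label, host = label.lower(), host.lower()
    if label == host:
        return True
    if label.startswith("*."):
        suffix = label[1:]  # e.g. ".secure.example.com"
        return host.endswith(suffix) and host.count(".") == label.count(".")
    return False


def applicable_domain_label(cert: dict, host: str) -> Optional[str]:
    """Step 2: the domain-name label the certificate attests for `host`.
    subjectAltName is preferred; the Subject CN is consulted only when no
    SAN entry matches (the CN-as-hostname convention is legacy)."""
    for dns in san_dns_names(cert):
        if _label_matches(dns, host):
            return dns
    cn = subject_attr(cert, "commonName")
    if cn and _label_matches(cn, host):
        return cn
    return None


def identity_signal(cert: dict, host: str, augmented_assurance: bool) -> dict:
    """Build the identity signal for a strongly TLS-protected interaction.
    `augmented_assurance` is an input because getpeercert() does not expose
    the certificate policies an AA decision depends on (assumption)."""
    signal = {"organization": None, "domain": None, "verified": False}
    domain = applicable_domain_label(cert, host)
    if domain is None:
        return signal  # certificate does not attest this host: show no identity
    signal["domain"] = domain        # step 2: attested domain label
    signal["verified"] = True
    if augmented_assurance:          # step 1: Subject Organization for AA certs
        signal["organization"] = subject_attr(cert, "organizationName")
    return signal


if __name__ == "__main__":
    print(identity_signal(SAMPLE_CERT, "www.example.com", augmented_assurance=True))
    print(identity_signal(SAMPLE_CERT, "login.secure.example.com", augmented_assurance=False))
    print(identity_signal(SAMPLE_CERT, "evil.example.org", augmented_assurance=True))
```

A host the certificate does not attest yields an empty, unverified signal rather than falling back to whatever the Subject says; that is the case a phishing site with a mismatched certificate exercises, and it is why the domain check runs before the Organization attribute is ever displayed.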
Received on Friday, 28 December 2007 19:52:35 UTC