RE: Clarifying "reputation service" in section 7.7 of the Note

Does the WG want items 1,2,3 and 5 below added to section 7.7 of the
Note? If so, we also need some text on how this relates to Out of Scope
section 5.5, see:
 
http://www.w3.org/2006/WSC/drafts/note/#filters
 
Tyler



________________________________

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of michael.mccormick@wellsfargo.com
Sent: Monday, February 12, 2007 10:01 AM
To: public-wsc-wg@w3.org
Subject: Re: Clarifying "reputation service" in section 7.7 of the Note

Responding at Mary Ellen's request.

I'm not the most qualified participant to supply detail for the
Note on reputation services.  If we have any participants from the
phishing toolbar vendors (?) then I gladly defer to them.  Here's what I
can offer:

-----------------------
Web reputation services in the past typically were provided via
so-called phishing toolbars from companies ranging from Cloudmark &
Whole Security to Norton & Symantec to Google & Yahoo.  Building
reputation services directly into the base browser is a fairly new
phenomenon; MSIE 7.0 and Firefox 2.0 have incorporated native reputation
services for the first time.

Certain features are generally found in web reputation services.
From most to least common:

1. Black listing.  The service maintains a list of known
illegitimate sites, mostly forged sites created for phishing.  The
black list is maintained by the web reputation service provider (WRSP),
sometimes as part of a network in partnership with other providers.  In
addition, end users are typically allowed to submit URLs for potential
inclusion on the black list.  When a user browses a black-listed site, a
warning indicator appears.  Access may also be blocked or made
contingent on an "Are You Sure?" dialog.

2. White listing.  The service maintains a list of known
legitimate sites, mostly sites of well known financial institutions and
other common phishing targets.  Companies who pass a vetting process
(defined by the WRSP) can request their site be added to the white list.
Some WRSPs may charge a fee for vetting & white-listing companies who
make such requests.  When a user browses a white-listed site, a safety
indicator or "seal of approval" may appear.  The safety indicator may be
contingent on SSL with a certificate name matching the white list (see
item 4 below).

3. Intel & incident tracking.  A reasonably sophisticated WRSP
has the capability to perform intelligence gathering and incident
tracking.  Some WRSPs may partner with another company for this (such as
iDefense or Websense).  Some WRSPs operate honeypot mailboxes to attract
phishing attacks and thereby gather intelligence and potential black
list sites.  The WRSP updates its white & black lists in response to
incoming intelligence as rapidly as possible.  For example, a phishing
incident involving a spoof site at a particular IP address will cause
that IP to go on the black list.  Or a database breach at a major online
retailer might trigger its removal from the white list.  The end user
may be offered dynamic links to web site intelligence when trying to
access such sites (see item 5 below also).

4. SSL certificate analysis.  The WRSP may tie in reputation to
the strength of the SSL session a web site establishes (if any).  SSL
strength runs from none to low (e.g., self-signed cert) to moderate
(trusted CA, good cipher) to high (EV certificate, OCSP check passed,
etc.).  Reputation correlates proportionally to SSL strength because the
latter measures likelihood that the site is who it appears to be, and
any white or black list checks must rely on that site authentication.
When a user browses a site the WRSP may offer a visual indicator of SSL
strength, or the WRSP may modify its normal reputation indicators (see
items 1, 2 above) based on SSL strength.

5. Site metadata.  The WRSP may provide metadata about a web
site to help the end user make his/her own decisions about site
authenticity and risk.  Real world examples include WRSPs that display
"whois" information about the site and geo-location information about
the site (e.g., "site hosted in Ukraine").

-----------------

I invite comments.  Underlined terms are those I feel should be
linked to a glossary definition or some other section of the Note for
further explanation.  I have not placed any of the above in the wiki.
Cheers, Mike

From: Close, Tyler J. <tyler.close@hp.com>
Date: Mon, 5 Feb 2007 12:07:25 -0600

http://www.w3.org/2006/WSC/drafts/note/Overview.html#third-party-source

The "reputation service" item seems too vague to me. The other entries
in section 7 are very specific. Could someone expand "reputation
service" into a list of specific security information available in
current web user agents? It could be that this item is actually already
covered by other parts of section 7. For example, installed CA
certificates are already listed in section 7.5. If so, we should remove
the "reputation service" item from section 7.7.

Thanks,
Tyler
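As an added illustration for the list above (not code from the WG, the Note, or any reputation service vendor), the following sketch shows how a user agent could combine the feature types Mike describes into one indicator: the black list (item 1) always wins, the white-list "seal of approval" (item 2) is made contingent on SSL with a matching certificate name (item 4), an unlisted site only reports its SSL strength tier, and site metadata (item 5) is returned alongside the verdict. The host names, list entries, metadata values and the `SslStrength` tiers are constructed sample data and a hypothetical model, not any WRSP's real lists or API.

```python
"""Combined reputation-indicator logic for the feature types in the list
above. All list contents, host names and metadata are constructed
examples; SslStrength mirrors the none/low/moderate/high tiers of item 4."""
from dataclasses import dataclass, field
from enum import IntEnum
from urllib.parse import urlsplit


class SslStrength(IntEnum):
    """SSL strength tiers as described in item 4 (hypothetical scale)."""
    NONE = 0       # no SSL session
    LOW = 1        # e.g. self-signed certificate
    MODERATE = 2   # trusted CA, good cipher
    HIGH = 3       # EV certificate, OCSP check passed


@dataclass(frozen=True)
class SslInfo:
    strength: SslStrength
    cert_name: str = ""   # subject name the site's certificate presents, "" if none


@dataclass(frozen=True)
class Verdict:
    indicator: str                                  # "warning", "safe" or "unknown"
    reasons: list[str]
    metadata: dict[str, str] = field(default_factory=dict)  # item 5 data, if any


# Constructed sample data standing in for a WRSP's lists (not real sites).
BLACK_LIST = {"login-bank.example.net", "192.0.2.10"}   # host names and IPs (item 1)
WHITE_LIST = {"bank.example.com": "bank.example.com"}   # host -> expected cert name (item 2)
SITE_METADATA = {                                       # whois / geo-location (item 5)
    "login-bank.example.net": {"registrar": "example-registrar", "hosted_in": "XX"},
}


def classify(url: str, ssl: SslInfo) -> Verdict:
    """Return the indicator a user agent would show for this URL and SSL state."""
    host = (urlsplit(url).hostname or "").lower()
    metadata = SITE_METADATA.get(host, {})

    # Item 1: a black-listed site gets the warning indicator whatever its SSL
    # state, since a spoof site may well present a valid certificate.
    if host in BLACK_LIST:
        return Verdict("warning", ["host on black list"], metadata)

    # Items 2 and 4: the seal of approval is contingent on SSL with a
    # certificate name matching the white-list entry. Without that
    # authentication the white-list match proves nothing, so the site is
    # treated as unknown rather than as safe.
    expected_name = WHITE_LIST.get(host)
    if expected_name is not None:
        if ssl.strength >= SslStrength.MODERATE and ssl.cert_name.lower() == expected_name:
            return Verdict("safe", ["host on white list", "certificate name matches"], metadata)
        return Verdict("unknown", ["host on white list but site not authenticated"], metadata)

    # Item 4 alone: an unlisted site; the indicator only reports SSL strength.
    return Verdict("unknown", [f"not listed; SSL strength {ssl.strength.name}"], metadata)


if __name__ == "__main__":
    for url, ssl in [
        ("https://login-bank.example.net/", SslInfo(SslStrength.MODERATE, "login-bank.example.net")),
        ("https://bank.example.com/", SslInfo(SslStrength.HIGH, "bank.example.com")),
        ("http://bank.example.com/", SslInfo(SslStrength.NONE)),
        ("https://other.example.org/", SslInfo(SslStrength.MODERATE, "other.example.org")),
    ]:
        v = classify(url, ssl)
        print(f"{url:35} {v.indicator:8} {'; '.join(v.reasons)} {v.metadata}")
```

The ordering is the point of the example: the black list is checked before anything else, and a white-list hit downgrades to "unknown" instead of "safe" when the SSL session does not establish that the site is who it claims to be, which is the dependency item 4 spells out.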

Received on Tuesday, 13 February 2007 01:02:04 UTC