RE: Close ACTION-56 and ACTION-62 from Mary Ellen Zurko on 2007-01-17 (public-wsc-wg@w3.org from January 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Wed, 17 Jan 2007 17:22:42 -0500
To: pbaker@verisign.com
Cc: public-wsc-wg@w3.org
Message-ID: <OFAAE49BC5.A7FD90AB-ON85257266.007AE2B8-85257266.007AF425@LocalDomain>

The proposal is ill formed, as it doesn't represent the merging of the 
goal and non goal information you have as an action. 

Nevertheless, move it to the (merged version you will also do) in the 
wiki. 

          Mez





"Hallam-Baker, Phillip" <pbaker@verisign.com> 
Sent by: public-wsc-wg-request@w3.org
01/09/2007 10:15 AM

To
"Hal Lockhart" <hlockhar@bea.com>, <public-wsc-wg@w3.org>
cc

Subject
RE: Close ACTION-56 and ACTION-62






In response to Hal's comments on Action 56/62 I propose ammending the 
goals as follows
Goals
Catalog the existing context information provided to the users of the Web. 

Consider the interpretations that users reasonably infer from existing 
information. 
Set out a series of use cases and abuse cases specifying commonplace 
security sensitive Web transactions and likely forms of criminal attack 
respectively. 
Analyze context information the user requires to safely complete the 
proposed use cases and prevent abuse cases. 
Perform a gap analysis to identity areas where the context information 
provided to the user is either insufficient or misleading 
Propose changes to the presentation of existing context information and 
additional context information that might be provided to close the 
identified security gaps. 
Propose a limited set of security conditions that may be used to sumarize 
the risk status to the user.
Non Goals
The group will not attempt to solve the following problems: 
Provision of trustworthy computing platforms. 
Design of cryptographic algorithms or protocols. 
Algorithms for evaluating the security condition from the risk factors.
Rationale (sumarizing Hal): There is an aversion to specifying how to 
determine whether we are in a high security or high risk situation, this 
is undoubtedly correct since the calculation is dependent on the current 
threat environment and thus changeable. We do not want to standardize the 
mapping of risk to reporting as it may change and we want to encourage 
development in this area. On the other had we do want to be able to come 
to a common understanding of the number of security quanta (e,g, High, 
Low, unknown) and ensure that browsers A and B do not use the same signs 
to represent opposite meaning.

Received on Wednesday, 17 January 2007 22:23:05 UTC