
Re: Need updates for the following proposals

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 18 Jul 2007 22:25:23 +0200
To: Shawn Duffy <Shawn.Duffy@corp.aol.com>
Cc: Web Security Context WG <public-wsc-wg@w3.org>, stephen.farrell@cs.tcd.ie, pbaker@verisign.com
Message-ID: <20070718202523.GT9569@raktajino.does-not-exist.org>

On 2007-07-18 13:39:00 -0400, Shawn Duffy wrote:

> Revisiting Past Decisions
> - Missing 'Applicability', 'Examples', and 'Attack Resistance and
> Limitations'
> http://www.w3.org/2006/WSC/wiki/RecRevisitingPastDecisions

Applicability

	This requirement is applicable to web user agents that
	enable interactive trust decisions by users.

Examples

	An example of a non-conforming implementation is a web user
	agent that enables interactive trust decisions about
	accepting unknown PKI trust roots, yet does not give users
	an interface that enables them to understand whether these
	have an effect on their current security context, or does
	not enable them to revert these decisions.
	
	An example of a conforming implementation is a web user
	agent that displays a trust indicator different from the
	standard padlock when visiting a Web site that has shown a
	certificate from a PKI trust root that was accepted
	interactively, and makes a user interface available to
	revert the earlier trust decision.

Attack Resistance and Limitations
	
	This requirement enables users to revert interactive
	usage errors.  Such errors might be induced by impersonation
	attacks in which a fictitious trust root is used.

	Implementing the requirement does not defend against the
	user reaching the attacker's site in this scenario.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 18 July 2007 20:25:31 GMT
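As an added illustration of the conforming behaviour Thomas describes (example code, not from this message or any WG draft): a minimal Python model of a user agent that keeps interactively accepted PKI roots apart from the built-in store, reports which user decision the current security context depends on, and lets that decision be reverted. Certificates are constructed stand-ins and no real signature or path validation is performed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the DER-encoded certificate

def fingerprint(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()
class TrustDecisions:
    """Keeps interactively accepted roots apart from the built-in store so the
    user agent can show which decision a context depends on and revert it.
    Bookkeeping only: no signature or path validation is performed."""
    def __init__(self, builtin_roots):
        self.builtin = {fingerprint(c) for c in builtin_roots}
        self.user_accepted = {}  # fingerprint -> (root subject, origin where accepted)

    def accept_root(self, root: Cert, origin: str) -> str:
        fp = fingerprint(root)
        self.user_accepted[fp] = (root.subject, origin)
        return fp

    def revert(self, fp: str) -> bool:
        return self.user_accepted.pop(fp, None) is not None

    def classify(self, chain):
        """Return (indicator, decisions) for a chain given leaf first; the
        indicator is 'standard', 'user-accepted' or 'untrusted'."""
        root = chain[-1]
        if root.subject != root.issuer:  # no self-signed root at the end
            return "untrusted", []
        fp = fingerprint(root)
        if fp in self.builtin:
            return "standard", []
        if fp in self.user_accepted:
            return "user-accepted", [(fp,) + self.user_accepted[fp]]
        return "untrusted", []

def demo():
    builtin_root = Cert("CN=Builtin Root", "CN=Builtin Root", b"constructed-builtin")
    unknown_root = Cert("CN=Unknown Root", "CN=Unknown Root", b"constructed-unknown")
    chain = [Cert("CN=bank.example", "CN=Unknown Root", b"constructed-leaf"), unknown_root]
    td = TrustDecisions([builtin_root])
    before = td.classify(chain)[0]                  # untrusted: the UA must prompt
    fp = td.accept_root(unknown_root, "https://bank.example")
    during = td.classify(chain)                     # user-accepted, decision listed
    td.revert(fp)
    return before, during[0], during[1][0][2], td.classify(chain)[0]
```

The non-conforming case in the message corresponds to an agent that folds the accepted root into the built-in set, so `classify` could never distinguish it and `revert` would have nothing to remove.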
