RE: What Is A Secur ePage - Templateified

Secure server might be interpreted in the spirit of the SBM write-up: a site
that submits itself to special audit and security requirements.

 

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Mary Ellen Zurko
Sent: Wednesday, June 27, 2007 4:50 PM
To: yngve@opera.com
Cc: public-wsc-wg@w3.org
Subject: Re: What Is A Secur ePage - Templateified

 


HI Yngve,

"All login forms to a secure service MUST be served from a secure server,
and MUST NOT be included inside a page containing unsecure content."

To give this review (and I think this will be true for others as well), the
proposal needs some definition of "secure" before this line, or needs to use
another term. I gave you this feedback before, and I think it's important
(my definition of something important is that it is something that will draw
comments due to confusion or concern, and we can do something ahead of time
to minimize those, and therefore minimize our overall overhead). So let me
try another take on this problem.

The Overview and Background presume that there is some primary Security
Context Indicator (SCI). What exactly it is and what exactly it represents
are not defined there; the status quo and some other potential inputs to the
status quo (aka the padlock) are laid out. So is "secure" meant to refer to
a particular state of the SCI? As I mentioned before (I think), I can't give
this a proper review with the terminology the way it is, because it's too
imprecise. And I imagine others will have the same problem. And I do not
think it needs to be imprecise. I think you can define a term up front that
means "a user agent context where the SCI shows the highest level of
security" and then use that term in recommendations like this one. But I
can't quite come up with it myself. 

Or maybe all you mean by "secure" is "using a secure form of transport,
which is reflected in the primary SCI". Or maybe you mean "protected" as in
"protected in transit with a cryptographic protocol that is reflected in the
SCI". 


"Change from unsecure to secure parts of a service SHOULD be done by
direct links, and not redirects. If unsecure->secure redirects are needed
then the redirect SHOULD be immediate, and not multistep. This lets the user
know where he or she is headed before initiating the transition."

This reasoning seems wrong to me. Users don't really know where they're
going, and we're not encouraging the use of URLs to figure out where you're
going and where you are, since they're not secure and usable SCIs. 

"Clients MUST display padlock/security information in a manner that clearly
separates it from what the content controls."
This should be rephrased as:

"Clients MUST display any primary SCIs in a manner that clearly separates
them from what the content controls."

"A client MUST NOT submit passwords from an unsecure page (even if the form
is in a "secure" frame) to a secure server. Enhancement suggestion: Do not
permit focus/input to the password forms field. "
There is a robust discussion on this on TAG (which I believe I'm meant to do
something about). See this message and the replies: 
http://lists.w3.org/Archives/Public/www-tag/2007Jun/0130.html
This will give you a sense of the potential comments on this one. It would
be good to do what we can to understand and minimize them. 

"The results of immediate (within 15-30 seconds?) automatic Meta/javascript
redirects SHOULD NOT get a security level higher than the original document.
"
Why not? I missed any explanation of this one. 

"A client SHOULD NOT display a padlock (or similar security indicator) if at
least one of the resources required user interaction to accept the
certificate of the server or other security protocol related problem, also
if the user has specified that he should not be asked about that particular
site certificate again. This does not apply to root certificates installed
separately by the user. "

I disagree. I regularly work with certs not from a CA. I would deeply
distrust any security indicator that did not claim that the IBM configured
servers I work with are secure (because in fact I believe they are). That
said, if there is something IBM can and should be doing to properly install
our certificates on our many, many desktops, I would change my opinion. Your
last sentence indicates there might be something. 

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Sent by: public-wsc-wg-request@w3.org
06/23/2007 07:44 PM
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
cc:
Subject: What Is A Secur ePage - Templateified

<URL: http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#preview >

Hello all,

I have just modified my "What is a secure page?"-proposal so that it  
conforms (at least roughly) to the most recent template.

There may still be a couple of rough spots, and I combined the overview  
and background section from the template into a single section.

I added a couple of new proposals for EV, based on recent findings, as  
well as a comment about servers still using 512 bit RSA keys (the most  
recent I found are both banks).

Comments and suggestions?

-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Wednesday, 27 June 2007 20:58:36 UTC
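The rules Mary Ellen quotes from the proposal (no padlock when any resource is unsecure or needed a user-accepted certificate, no password submission from an unsecure top-level page even when the form sits in a secure frame, no security-level upgrade through an immediate automatic redirect) can be written down as a small evaluator over a page model. The block below is an added illustration for this archive page; it is not code from the wiki proposal, Opera, or the WSC WG. The page model, its field names (resources, frames, forms, redirectedFrom, certAcceptedByUser), the 30-second cutoff and the sample pages are all constructed for the example, and the "root certificate installed separately by the user" exception is modelled only as a flag the caller does not set.

```javascript
// Added example: evaluator for the "what is a secure page" rules quoted in
// the thread. Illustration only; the page model and samples are constructed.
const LEVEL = { NONE: "none", SECURE: "secure" };

function isHttps(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (e) {
    return false; // an unparsable URL never counts as secure
  }
}

// Page model (assumed for this example):
//   { url, certAcceptedByUser, resources: [{ url, certAcceptedByUser }],
//     frames: [page], forms: [{ action, hasPassword }],
//     redirectedFrom: { url, automatic, delaySeconds } }
// Every resource of the page and of its nested frames; a frame's own
// document counts as a resource of the parent.
function allResources(page) {
  const out = [...(page.resources || [])];
  for (const frame of page.frames || []) {
    out.push({ url: frame.url, certAcceptedByUser: !!frame.certAcceptedByUser });
    out.push(...allResources(frame));
  }
  return out;
}

// Every form, tagged with whether the TOP document is secure: a secure frame
// inside an unsecure page does not rescue its password form.
function allForms(page, topSecure) {
  const out = (page.forms || []).map((f) => ({ ...f, topSecure }));
  for (const frame of page.frames || []) out.push(...allForms(frame, topSecure));
  return out;
}

function evaluatePage(page) {
  const problems = [];
  const topSecure = isHttps(page.url);
  if (!topSecure) problems.push("top-document-not-https");
  if (page.certAcceptedByUser) problems.push("user-accepted-cert: " + page.url);

  for (const r of allResources(page)) {
    if (!isHttps(r.url)) problems.push("unsecure-resource: " + r.url);
    // "SHOULD NOT display a padlock if at least one of the resources required
    // user interaction to accept the certificate"; a cert chaining to a root
    // the user installed separately is modelled as not setting this flag.
    if (r.certAcceptedByUser) problems.push("user-accepted-cert: " + r.url);
  }

  // "A client MUST NOT submit passwords from an unsecure page (even if the
  // form is in a 'secure' frame) to a secure server."
  const blockedPasswordForms = allForms(page, topSecure)
    .filter((f) => f.hasPassword && !f.topSecure)
    .map((f) => f.action);

  // "The results of immediate automatic Meta/javascript redirects SHOULD NOT
  // get a security level higher than the original document." 30 s is the
  // upper end of the proposal's "15-30 seconds?" and is an assumption here.
  const from = page.redirectedFrom;
  if (from && from.automatic && from.delaySeconds <= 30 && !isHttps(from.url)) {
    problems.push("auto-redirect-from-unsecure: " + from.url);
  }

  return {
    level: problems.length === 0 ? LEVEL.SECURE : LEVEL.NONE,
    problems,
    blockedPasswordForms,
  };
}

// Constructed sample pages (not real sites).
const SAMPLES = {
  cleanLogin: {
    url: "https://bank.example/login",
    resources: [{ url: "https://static.bank.example/app.js" }],
    forms: [{ action: "https://bank.example/session", hasPassword: true }],
  },
  framedLogin: {
    url: "http://www.bank.example/",
    frames: [{
      url: "https://login.bank.example/form",
      forms: [{ action: "https://login.bank.example/session", hasPassword: true }],
    }],
  },
  mixedImage: {
    url: "https://bank.example/account",
    resources: [{ url: "http://cdn.example/logo.png" }],
  },
  autoRedirected: {
    url: "https://bank.example/login",
    redirectedFrom: { url: "http://bank.example/", automatic: true, delaySeconds: 0 },
  },
  selfSigned: { url: "https://intranet.example/", certAcceptedByUser: true },
};

for (const [name, page] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(evaluatePage(page)));
}
```

Run with node; each sample prints its level, the list of reasons the padlock is withheld, and the password forms whose submission would be refused. The framedLogin sample is the case the proposal's "even if the form is in a secure frame" clause is about: the frame itself is https and has no mixed content, yet the top document is not, so the form is blocked and the page gets no indicator.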