Re: ACTION-148 Discussion: The role of technology-specific security aids in our recommendations

Mez,

I like the additional wording you have proposed.

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> 
Sent by: public-wsc-wg-request@w3.org
03/13/07 09:03 AM

To: "Johnathan Nightingale <johnath"
cc: W3C WSC Public <public-wsc-wg@w3.org>
Subject: Re: ACTION-148 Discussion: The role of technology-specific security aids in our recommendations







Your logic is impeccable.

However, I remain uncomfortable with the Note seeming to be silent on 
technologies that can reduce risk so that user understanding of security 
context is lessened (or eliminated).  So I propose the following change to 
2.6: 

Authoring and deployment techniques
The Working Group will recommend authoring and deployment techniques that 
cause appropriate security information to be communicated to users. 
Techniques already available at authoring and deployment time which reduce 
the need for communication of security information to the user will be 
considered in the recommendations. 




Johnathan Nightingale <johnath@mozilla.com>
Sent by: public-wsc-wg-request@w3.org
03/06/2007 02:01 PM


To: W3C WSC Public <public-wsc-wg@w3.org>
cc:
Subject: ACTION-148 Discussion: The role of technology-specific security aids in our recommendations









Hello all,

As discussed on today's call, I have taken the action to initiate 
discussion of a proposed change to the note/recs to more explicitly 
include mention of auxiliary security technologies that may be relevant 
within the user's context.  If you are lazy, you may skip down to the ***, 
where I get to the point. 

The two that were discussed specifically in the call were:
- SRP (ref: http://en.wikipedia.org/wiki/Secure_remote_password_protocol).
- RSA-style 2-factor authentication (ref: 
http://en.wikipedia.org/wiki/Two_Factor_Authentication and for our 
purposes, particularly 
http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types )

The question is, what role (if any) do these technologies play in our 
recommendations?

Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New security 
information) would seem to argue for a limited role.  We don't want to go 
down the path of investigating each of these protocols and making 
judgements based on their fitness.

I was initially inclined to approach this in terms of adding a subsection 
to section 7, but:

a) It would be extremely difficult to make this list even remotely 
exhaustive.  Bolt-on web security augmentation is, I'm sure, a thriving 
multinational industry.

b) Much of it would not pass the preamble to section 7 ("This section 
provides an exhaustive list of security information *currently available* 
in web user agents." [emphasis added])  User agent support for SRP is 
(afaik) non-existent, and two-factor authentication, while widely 
deployed, is not available to the user agent in any consistent way.  There 
is not, e.g., a <link rel="application/2factorauth".../> standard markup.

*** 
My proposal therefore is to close the action with no change to the note or 
recommendations unless there are specific technologies in this category 
which are:

a) available to the user agent in some cross-platform way
b) already deployed

I am, of course, open to discussion on the matter.  :)

Cheers,

Johnathan

-- 
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Tuesday, 13 March 2007 14:53:54 UTC