
RE: ISSUE-38: no safe haven in presentation space (from public comments)

From: Doyle, Bill <wdoyle@mitre.org>
Date: Tue, 22 May 2007 11:28:10 -0400
Message-ID: <518C60F36D5DBC489E91563736BA4B580179BA25@IMCSRV5.MITRE.ORG>
To: "Close, Tyler J." <tyler.close@hp.com>, <public-wsc-wg@w3.org>

I am not in favor of breaking it up; I feel that the text is already
implied in the note but needs to be stated in a clear, concise message.

I can see adding more strength and clarity to the text of "directly
addressing". We are not trying to fix the underlying IA mechanisms;
after all, if correctly implemented and working, the underlying security
services are very capable. Lack of consistency is one of the
reoccurring themes that has come up. The lack of consistency can be
very misleading to the user.

In terms of the login ceremony, as I understand it, the WSC is looking at
the login ceremony in terms of consistency: presentation, user
expectations - HTTPs means xxxx, user sees this represented as X. The
web site is free to choose how they authenticate users and the
underlying mechanisms used.

Bill D


	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Close, Tyler J.
	Sent: Monday, May 21, 2007 6:39 PM
	To: public-wsc-wg@w3.org
	Subject: RE: ISSUE-38: no safe haven in presentation space (from public comments)

	Mez's proposed text is:

	5.n Other Security Challenges

	As stated in the charter, the mission of the Web Security Context Working
	Group is to specify a baseline set of security context information that
	should be accessible to Web users, and practices for the secure and usable
	presentation of this information, to enable users to come to a
	understanding of the context that they are operating in when making trust
	decisions on the Web. While the work this group does may have a
	and beneficial effect on other security challenges on the web,
	addressing such challenges (including user authentication to web sites,
	single sign-on, and security models for active content on the web) are out
	of scope.

	I think it would be better to break this text up into different
	sections. The first part of it seems like it might be part of the
	introductory paragraph of the "Out of scope" section. The last part
	lists a series of topics that should each be a sub-section of
	"Out-of-scope". Just listing them, without further clarification, in an
	"Other" section might be inviting confusion. The "user authentication
	to web sites" item in particular seems tricky since we have decided
	parts of the login ceremony are in scope, such as how the user enters
	information into their user agent.


		From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
		Sent: Thursday, May 10, 2007 7:49 AM
		To: public-wsc-wg@w3.org
		Subject: ISSUE-38: no safe haven in presentation space (from public comments)

		I declare consensus. Editors will make the change and close the issue.

		Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l
		Lotus/WPLC Security Strategy and Patent Innovation
Received on Tuesday, 22 May 2007 15:30:28 UTC
