Re: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Wed, 14 Nov 2007 10:39:06 -0500
Message-Id: <791CBC1F-EEE1-43FF-B573-BB84D479A742@mozilla.com>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
To: "Doyle, Bill" <wdoyle@mitre.org>

I'd agree that this sounds like a Robustness (8) topic too.  There  
is already an 8.2 though, so I would expect this to be 8.4.

I would also point out that we should be clear here, because there  
are two kinds of mixing:

  - Mixing web content some of which was obtained over SSL and some  
of which was not
  - Displaying unverified certificate fields alongside verified  
fields, in certificate-based UI

This action deals with the second one only, which is fine, but it  
should be made clear that we are talking about certificate contents,  
since "mixed content" usually refers to the first type.

I'll also be interested to see how this phrasing ends up, because I  
wouldn't want us writing a recommendation that, for instance, makes  
browsers with a "View Certificate" button non-conforming since that  
UI will show all the fields of the cert, verified alongside  
unverified.  If we want to specify presentation even in cases like  
that, we should be deliberate about it.

Cheers,

J

On 14-Nov-07, at 10:04 AM, Doyle, Bill wrote:

> Section 8
>
> Given the description of section 8 and 8.1 included below
>
> http://www.w3.org/TR/wsc-xit/#Robustness
>
> 8.1 Do not mix content and security indicators
>
> add
>
> 8.2 Do not mix secure and insecure content in UI ...
>     - blah - blah - Certificates include secure and non-secured  
> content, non-secured certificate content should not be represented  
> in secured areas of the UI
>
>
> From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
> Sent: Wednesday, November 14, 2007 9:47 AM
> To: Doyle, Bill
> Cc: public-wsc-wg@w3.org
> Subject: RE: ACTION-318: Draft a new subsection to section 7  
> discussing the mixing of trusted/untrusted information in the UI
>
>
> You're still not looking at the right document Bill. Please read my  
> EVERY word :-)
>
> http://www.w3.org/TR/wsc-xit/
>
>           Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
>
> From:	"Doyle, Bill" <wdoyle@mitre.org>
> To:	"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
> Cc:	<public-wsc-wg@w3.org>
> Date:	11/14/2007 08:22 AM
> Subject:	RE: ACTION-318: Draft a new subsection to section 7  
> discussing the mixing  of trusted/untrusted information in the UI
>
>
>
>
> could go under section 9 - problems with status quo
>
> Secured and non-secured content is mixed
>
>
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
> Sent: Wednesday, November 14, 2007 7:50 AM
> To: Doyle, Bill
> Cc: public-wsc-wg@w3.org
> Subject: RE: ACTION-318: Draft a new subsection to section 7  
> discussing the mixing of trusted/untrusted information in the UI
>
>
> I believe the reference is to wsc-xit, not wsc-usecases.
>
> http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html
>
> And I agree; section 7 doesn't look like the right place to me. If  
> it's about mixing trusted and untrusted info in certs; maybe  
> sections 4 or 8? Johnathan, Thomas, Tyler - you were all on the  
> discussion; any better recall?
>
>          Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
> From:	"Doyle, Bill" <wdoyle@mitre.org>
> To:	"Doyle, Bill" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>
> Date:	11/09/2007 03:48 PM
> Subject:	RE: ACTION-381: Draft a new subsection to section 7  
> discussing the mixing of trusted/untrusted information in the UI
>
>
>
>
>
> Seems like UI issues and mixing of trusted/untrusted information  
> should go under this heading
>
> 2.5 Reliable presentation of security information
>
>
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
> Sent: Friday, November 09, 2007 3:24 PM
> To: public-wsc-wg@w3.org
> Subject: ACTION-381: Draft a new subsection to section 7 discussing  
> the mixing of trusted/untrusted information in the UI
>
> If I have this action right I am not sure if this belongs in  
> section 7 - The section is titled Security Information Available to  
> the User Agent
>
> Furthermore, section 7 has a heading titled "defined by user agent"  
> and UI is defined by user agent.  Is the WG making a statement that  
> this particular UI decision should not be left up to browser  
> developer community?
>
> I am thinking that section 7 is the inputs and UI is an output, UI  
> is the application or use of security information. Do we need a new  
> section?
>
> Cheers
> Bill D.
>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Wednesday, 14 November 2007 15:39:40 GMT