W3C home > Mailing lists > Public > public-wsc-wg@w3.org > November 2007

RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI

From: Doyle, Bill <wdoyle@mitre.org>
Date: Tue, 27 Nov 2007 08:47:49 -0500
Message-ID: <518C60F36D5DBC489E91563736BA4B5801C327E3@IMCSRV5.MITRE.ORG>
To: "Johnathan Nightingale" <johnath@mozilla.com>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
Thanks!


________________________________

	From: Johnathan Nightingale [mailto:johnath@mozilla.com] 
	Sent: Monday, November 26, 2007 6:29 PM
	To: Doyle, Bill
	Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
	Subject: Re: ACTION-318: Draft a new subsection to section 7
discussing the mixing of trusted/untrusted information in the UI
	
	
	Hey Bill, 

	The guidelines specify the fields for which EV certificates
make specific guarantees.

	http://cabforum.org/EV_Certificate_Guidelines.pdf

	Cheers,

	Johnathan

	On 26-Nov-07, at 4:20 PM, Doyle, Bill wrote:


		Johnathan,
		 
		Do you have a link to the attributes required by EV
certs? 
		 
		Thx
		B
		 


________________________________

			From: Johnathan Nightingale
[mailto:johnath@mozilla.com] 
			Sent: Wednesday, November 14, 2007 10:39 AM
			To: Doyle, Bill
			Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
			Subject: Re: ACTION-318: Draft a new subsection
to section 7 discussing the mixing of trusted/untrusted information in
the UI
			
			
			I'd agree that this sounds like a Robustness
(8) topic too.  There is already an 8.2 though, so I would expect this
to be 8.4. 

			I would also point out that we should be clear
here, because there are two kinds of mixing:

			 - Mixing web content some of which was
obtained over SSL and some of which was not
			 - Displaying unverified certificate fields
alongside verified fields, in certificate-based UI

			This action deals with the second one only,
which is fine, but it should be made clear that we are talking about
certificate contents, since "mixed content" usually refers to the first
type.

			I'll also be interested to see how this
phrasing ends up, because I wouldn't want us writing a recommendation
that, for instance, makes browsers with a "View Certificate" button
non-conforming since that UI will show all the fields of the cert,
verified alongside unverified.  If we want to specify presentation even
in cases like that, we should be deliberate about it.

			Cheers,

			J
			

			On 14-Nov-07, at 10:04 AM, Doyle, Bill wrote:


				Section 8
				 
				Given the description of section 8 and
8.1 included below
				 
	
http://www.w3.org/TR/wsc-xit/#Robustness
				 
				8.1 Do not mix content and security
indicators <http://www.w3.org/TR/wsc-xit/#site-identifying> 
				 
				add
				 
				8.2 Do not mix secure an insecure
content in UI ...
				    - blah - blah - Certificates
include secure and non-secured content, non-secured certificate content
should not be represented in secured areas of the UI
				 
				 
				 
				 
				 
				 
				
				

________________________________

				From: Mary Ellen Zurko
[mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
				Sent: Wednesday, November 14, 2007 9:47
AM
				To: Doyle, Bill
				Cc: public-wsc-wg@w3.org
				Subject: RE: ACTION-318: Draft a new
subsection to section 7 discussing the mixing of trusted/untrusted
information in the UI
				
				

				You're still not looking at the right
document Bill. Please read my EVERY word :-)
				
				http://www.w3.org/TR/wsc-xit/
<http://www.w3.org/TR/wsc-xit/> 
				
				          Mez
				
				Mary Ellen Zurko, STSM, IBM Lotus CTO
Office       (t/l 333-6389)
				Lotus/WPLC Security Strategy and Patent
Innovation Architect
				
				
				
				
From: 	"Doyle, Bill" <wdoyle@mitre.org> 	
To: 	"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> 	
Cc: 	<public-wsc-wg@w3.org> 	
Date: 	11/14/2007 08:22 AM 	
Subject: 	RE: ACTION-318: Draft a new subsection to section 7
discussing the mixing  of trusted/untrusted information in the UI


________________________________




				could go under section 9 - problems
with status quo
				 
				Secured and non-secured content is
mixed 
				 
				 
				
				
________________________________

				From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org
<mailto:public-wsc-wg-request@w3.org> ] On Behalf Of Mary Ellen Zurko
				Sent: Wednesday, November 14, 2007 7:50
AM
				To: Doyle, Bill
				Cc: public-wsc-wg@w3.org
				Subject: RE: ACTION-318: Draft a new
subsection to section 7 discussing the mixing of trusted/untrusted
information in the UI
				
				
				I believe the referernce is to wsc-xit,
not wsc-usecases. 
				
	
http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html
<http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html> 
				
				And I agree; section 7 doesn't look
like the right place to me. If it's about mixing trusted and untrusted
info in certs; maybe sections 4 or 8? Johnathan, Thomas, Tyler - you
were all on the discussion; any better recall? 
				
				         Mez
				
				Mary Ellen Zurko, STSM, IBM Lotus CTO
Office       (t/l 333-6389)
				Lotus/WPLC Security Strategy and Patent
Innovation Architect
				
				
				
From: 	"Doyle, Bill" <wdoyle@mitre.org> 	
To: 	"Doyle, Bill" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>

Date: 	11/09/2007 03:48 PM 	
Subject: 	RE: ACTION-381: Draft a new subsection to section 7
discussing the mixing of trusted/untrusted information in the UI


				
				
________________________________

				
				
				
				Seems like UI issues and mixing of
trusted/untrusted information should go under this heading
				
				2.5 Reliable presentation of security
information
<http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/#trusted-path> 
				
				
				
				
________________________________

				From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org
<mailto:public-wsc-wg-request@w3.org> ] On Behalf Of Doyle, Bill
				Sent: Friday, November 09, 2007 3:24 PM
				To: public-wsc-wg@w3.org
				Subject: ACTION-381: Draft a new
subsection to section 7 discussing the mixing of trusted/untrusted
information in the UI
				
				If I have this action right I am not
sure if this belongs in section 7 - The section is titled Security
Information Available to the User Agent
				
				Furthermore, section 7 has a heading
titled "defined by user agent" and UI is defined by user agent.  Is the
WG making a statement that this particular UI decision should not be
left up to browser developer community?
				
				I am thinking that section 7 is the
inputs and UI is an output, UI is the application or use of security
information. Do we need a new section?
				
				Cheers
				Bill D.
				
				
				
				
				
				
				
				


			
			---
			Johnathan Nightingale
			Human Shield
			johnath@mozilla.com





	
	---
	Johnathan Nightingale
	Human Shield
	johnath@mozilla.com
Received on Tuesday, 27 November 2007 13:48:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:53 GMT