
RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page

From: Timothy Hahn <hahnt@us.ibm.com>
Date: Tue, 27 Nov 2007 11:13:49 -0500
To: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Message-ID: <OF7EDC969C.2CB87932-ON852573A0.005788C1-852573A0.00592768@us.ibm.com>

Hi all,

To be clear, the requirement does not state that the information is not 
available.  The requirement states that there is a "usage mode" where the 
information is not available.

Michael McCormick asked for real world examples where this would be 
valuable.  I have thought of a couple:
 - public access terminals (kiosks, user agents installed in libraries, 
and schools, etc.)
 - usage modes for pre-school children (they won't call a help desk, and 
their parents probably don't want them calling the help desk - other than 
calling their parent for help)
 - airline ticketing agent usage mode (they are not in the business of 
fixing security problems with their user agent.  A support staff for such 
terminals would likely have an "admin"/"management" path by which they 
could access, even remotely, the security information from the user agent 
system without making the end user recite some security-complex 
information over the phone)

And another example of this type of model: parental restrictions on 
television and video game systems.  You have to enter an "admin mode" in 
order to even view the settings, let alone change them.

When a user (or the same user) is ready to deal with security-related 
information and settings, let them operate in such a usage mode that 
allows for such view and modification.

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: "Doyle, Bill" <wdoyle@mitre.org>
To: "Ian Fette" <ifette@google.com>, "Dan Schutzer" <dan.schutzer@fstc.org>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Date: 11/26/2007 04:16 PM
Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page




Removing the ability to view security settings appears to be in
conflict with an issue that was brought up a long time ago and noted by
UAAG 1.0

http://www.w3.org/2006/WSC/track/issues/40


 

-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
Sent: Monday, November 26, 2007 12:40 PM
To: Dan Schutzer
Cc: Mary Ellen Zurko; Web Security Context Working Group WG
Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
from updated browser lock down wiki page


Yes, but then they call up their help desk / ISP / son / whomever, and
are asked "Is HTTPS over SOCKS checked or unchecked" and they say "I
don't see where that option is...".

I really don't see why the user should ever be prevented from at least
viewing the settings.

On Nov 26, 2007 9:16 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote:
>
> I would agree that a user should always be able to view and modify
> security-related configuration settings, but that if a user agent does
> their job correctly, it should not be necessary, especially for the user
> who would have trouble understanding the kind of detailed security
> configuration settings that one sees today in the Security tab
>
>  ________________________________
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Mary Ellen Zurko
> Sent: Monday, November 26, 2007 11:36 AM
> To: Web Security Context Working Group WG
> Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
> from updated browser lock down wiki page
>
> "A user agent MUST support a mode of operation whereby the user is unable
> to view or modify the security-related configuration settings."
>
> It seems wrong to me that there is a mode where the user is unable to view
> the security related configuration settings. In every context I've ever been
> in, having some ability to get to more information is helpful.
>
> I would remove the "view or" part of this, unless I'm missing something.






Received on Tuesday, 27 November 2007 16:14:34 GMT
