
Re: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page

From: Ian Fette <ifette@google.com>
Date: Wed, 28 Nov 2007 07:48:50 -0800
Message-ID: <bbeaa26f0711280748t2e1d6b28yec53c65cae4fe473@mail.gmail.com>
To: "Timothy Hahn" <hahnt@us.ibm.com>
Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
I would personally prefer the rec to stay silent on the matter (neither
should nor may). It doesn't seem like a particularly good idea (to me) to
have such a mode, but if an implementation can come up with a good reason
for having it, I am not going to try to stop them... (I may or may not
become frustrated with their product should I ever have to use it, but we're
not here to dictate product decisions.)

On Nov 28, 2007 7:35 AM, Timothy Hahn <hahnt@us.ibm.com> wrote:

>
> Hi all,
>
> I would prefer SHOULD, but am willing to downgrade all the way to MAY.
>
> What do others think?
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
>
>
>
> From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
> To: "Timothy Hahn" <Timothy_Hahn%IBMUS@notesdev.ibm.com>
> Cc: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
> Date: 11/28/2007 07:40 AM
> Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information
> from updated browser lock down wiki page
>
> ------------------------------
>
>
>
>
> I'm only seeing this as a "MAY".  Most of those situations, it's OK to
> have a command/icon that brings up additional security information. And user
> agent vendors may choose not to add features that allow them to sell into
> those scenarios.
>
>          Mez
>
>
>
> From: Timothy Hahn/Durham/IBM@IBMUS
> To: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
> Date: 11/27/2007 01:43 PM
> Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information
> from updated browser lock down wiki page
>
>  ------------------------------
>
>
>
> Hi all,
>
> To be clear, the requirement does not state that the information is not
> available.  The requirement states that there is a "usage mode" where the
> information is not available.
>
> Michael McCormick asked for real world examples where this would be
> valuable.  I have thought of a couple:
> - public access terminals (kiosks, user agents installed in libraries, and
> schools, etc.)
> - usage modes for pre-school children (they won't call a help desk, and
> their parents probably don't want them calling the help desk - other than
> calling their parent for help)
> - airline ticketing agent usage mode (they are not in the business of
> fixing security problems with their user agent.  A support staff for such
> terminals would likely have an "admin"/"management" path by which they could
> access, even remotely, the security information from the user agent system
> without making the end user recite some security-complex information over
> the phone)
>
> And another example of this type of model: parental restrictions on
> television and video game systems.  You have to enter an "admin mode" in
> order to even view the settings, let alone change them.
>
> When a user (or the same user) is ready to deal with security-related
> information and settings, let them operate in such a usage mode that allows
> for such view and modification.
>
> Regards,
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
>
>
> From: "Doyle, Bill" <wdoyle@mitre.org>
> To: "Ian Fette" <ifette@google.com>, "Dan Schutzer" <dan.schutzer@fstc.org>
> Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Web Security
> Context Working Group WG" <public-wsc-wg@w3.org>
> Date: 11/26/2007 04:16 PM
> Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information
> from updated browser lock down wiki page
>
>  ------------------------------
>
>
>
>
>
> Removing the ability to view security settings appears to be in
> conflict with an issue that was brought up a long time ago and noted by
> UAAG 1.0
> http://www.w3.org/2006/WSC/track/issues/40
>
>
>
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
> Sent: Monday, November 26, 2007 12:40 PM
> To: Dan Schutzer
> Cc: Mary Ellen Zurko; Web Security Context Working Group WG
> Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
> from updated browser lock down wiki page
>
>
> Yes, but then they call up their help desk / ISP / son / whomever, and
> are asked "Is HTTPS over SOCKS checked or unchecked" and they say "I
> don't see where that option is...".
>
> I really don't see why the user should ever be prevented from at least
> viewing the settings.
>
> On Nov 26, 2007 9:16 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote:
> >
> >
> >
> >
> > I would agree that a user should always be able to view and modify
> > security-related configuration settings, but that if a user agent does their
> > job correctly, it should not be necessary, especially for the user who would
> > have trouble understanding the kind of detailed security configuration
> > settings that one sees today in the Security tab
> >
> >
> >
> >  ________________________________
> >
> >
> > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> > Behalf Of Mary Ellen Zurko
> >  Sent: Monday, November 26, 2007 11:36 AM
> >  To: Web Security Context Working Group WG
> >  Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
> > from updated browser lock down wiki page
> >
> >
> >
> >
> >
> >  "A user agent MUST support a mode of operation whereby the user is unable
> > to view or modify the security-related configuration settings."
> >
> >  It seems wrong to me that there is a mode where the user is unable to view
> > the security related configuration settings. In every context I've ever been
> > in, having some ability to get to more information is helpful.
> >
> >  I would remove the "view or" part of this, unless I'm missing something.
>
>
>
>
>
>
Received on Wednesday, 28 November 2007 15:49:28 GMT
