
RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page

From: <michael.mccormick@wellsfargo.com>
Date: Wed, 28 Nov 2007 14:28:13 -0600
Message-ID: <9D471E876696BE4DA103E939AE64164D8684B8@msgswbmnmsp17.wellsfargo.com>
To: <hahnt@us.ibm.com>, <public-wsc-wg@w3.org>
I would only use a public kiosk that let me view its security settings.
I would only let my children use a school computer (esp. if Internet
connected) that let me view its security settings.
I see no harm in letting a ticket counter agent view security settings on
her terminal if she wants to.
I don't mind if my kids look at security settings on a video game (as long
as they can't change them).

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Timothy Hahn
Sent: Tuesday, November 27, 2007 10:14 AM
To: Web Security Context Working Group WG
Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from
updated browser lock down wiki page



Hi all, 

To be clear, the requirement does not state that the information is not
available.  The requirement states that there is a "usage mode" where the
information is not available. 

Michael McCormick asked for real world examples where this would be
valuable.  I have thought of a couple: 
 - public access terminals (kiosks, user agents installed in libraries, and
schools, etc.) 
 - usage modes for pre-school children (they won't call a help desk, and
their parents probably don't want them calling the help desk - other than
calling their parent for help) 
 - airline ticketing agent usage mode (they are not in the business of
fixing security problems with their user agent.  A support staff for such
terminals would likely have an "admin"/"management" path by which they could
access, even remotely, the security information from the user agent system
without making the end user recite some security-complex information over
the phone) 

And another example of this type of model: parental restrictions on
television and video game systems.  You have to enter an "admin mode" in
order to even view the settings, let alone change them. 

When a user (or the same user) is ready to deal with security-related
information and settings, let them operate in such a usage mode that allows
for such view and modification. 

Regards, 
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: "Doyle, Bill" <wdoyle@mitre.org>
To: "Ian Fette" <ifette@google.com>, "Dan Schutzer" <dan.schutzer@fstc.org>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Date: 11/26/2007 04:16 PM
Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page

  _____  





Removing the ability to view security settings appears to be in
conflict with an issue that was brought up a long time ago and noted by
UAAG 1.0

http://www.w3.org/2006/WSC/track/issues/40




-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Monday, November 26, 2007 12:40 PM
To: Dan Schutzer
Cc: Mary Ellen Zurko; Web Security Context Working Group WG
Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
from updated browser lock down wiki page


Yes, but then they call up their help desk / ISP / son / whomever, and
are asked "Is HTTPS over SOCKS checked or unchecked" and they say "I
don't see where that option is...".

I really don't see why the user should ever be prevented from at least
viewing the settings.

On Nov 26, 2007 9:16 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote:
>
>
>
>
> I would agree that a user should always be able to view and modify
> security-related configuration settings, but that if a user agent does their
> job correctly, it should not be necessary, especially for the user who would
> have trouble understanding the kind of detailed security configuration
> settings that one sees today in the Security tab
>
>
>
>  ________________________________
>
>
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Mary Ellen Zurko
>  Sent: Monday, November 26, 2007 11:36 AM
>  To: Web Security Context Working Group WG
>  Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
> from updated browser lock down wiki page
>
>
>
>
>
>  "A user agent MUST support a mode of operation whereby the user is unable
> to view or modify the security-related configuration settings."
>
>  It seems wrong to me that there is a mode where the user is unable to view
> the security related configuration settings. In every context I've ever been
> in, having some ability to get to more information is helpful.
>
>  I would remove the "view or" part of this, unless I'm missing something.







Received on Wednesday, 28 November 2007 20:28:46 GMT
