
Re: Authoring practices on mixed content and unsafe redirects.

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 25 Apr 2008 14:28:03 -0400
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Cc: public-wsc-wg@w3.org
Message-ID: <OF6CB477F7.D7294353-ON85257436.00655B07-85257436.00657145@LocalDomain>
> On Thu, 24 Apr 2008 22:56:38 +0200, Mary Ellen Zurko 
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
> 
> >> > "Sensitive transactions also MUST be protected using the same level of
> >> > protection."
> >> > I don't know how to give examples of something that is sensitive, and
> >> > something that isn't. Which seems important for understanding
> >> > conformance to this one.
> >>
> >> I don't know who contributed this text and have no strong opinion
> >> about it.
> >
> > If nobody's got any clue, we should remove it.
> 
> IMO examples would be online banking transactions, credit card
> transactions, one may also consider authoring email a sensitive
> transaction. I'd also say that anything that makes assertions about the
> user's identity and authorization to perform, in particular, economic
> transactions, should be considered sensitive.

What is an example of a transaction that is not sensitive?

> 
> A question to ask is what the solicited secret is meant to protect? If the
> secret is solicited in a TLS protected it indicates that information and
> actions it protects are of value to the user and as a consequence to an
> attacker. If that wasn't the case, the secret or the protection wouldn't
> be as necessary.

So you are saying that any information that requires authentication for 
protection (for authorization) is a sensitive transaction.

Does everyone buy into that? 
Received on Friday, 25 April 2008 18:28:50 GMT