- From: Sullivan, Bryan <BS3131@att.com>
- Date: Thu, 14 Feb 2008 14:14:35 -0800
- To: "BPWG-Public" <public-bpwg@w3.org>
Hi all, This is one of a series of emails addressing ACTION-660. This thread will address the requirements and recommendations for Security and Privacy in BP2. Here is the current editor's draft text in the Requirements and Best Practice Statements sections: +++++ 2.2 Security and privacy Security is important to address in the mobile environment, due to more frequent dependence upon personalized information. While this information is essential to increasing service value, its use represents a security and/or privacy risk. The overall goal for security is to protect any personally identifiable information, and especially user identifiers or keys to user identity. 5.2 Security and privacy Personally identifiable information (e.g. user identity or information usable as a key to user identity) should be accepted or sent securely, i.e. over secure transport (HTTPS), or securely hashed if sent over non-secure transport. +++++ [bryan] This recommendation addresses the basic ability to protect user personally identifiable information. It can be considered the root of privacy protections generally, enabling primarily the confidentiality and integrity of information. Note that given confidentiality and integrity in transit, the "trust" in the source (or authenticity) of the information is a different aspect, which we might address, but is more difficult as trust depends upon larger issues which are not as easily verifiable as confidentiality and integrity. We welcome suggestions for other recommendations in this area. Best regards, Bryan Sullivan | AT&T
Received on Thursday, 14 February 2008 22:15:16 UTC