
[ACTION-899] Web Security Context feedback on security Best Practice for MWABP

From: Francois Daoust <fd@w3.org>
Date: Wed, 04 Feb 2009 10:45:04 +0100
Message-ID: <498963A0.401@w3.org>
To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>


I had contacted Thomas and the Web Security Context Working Group to get 
feedback on section 3.2.1 [1] of the Mobile Web Application Best 
Practices draft. They discussed the topic in one of their calls and sent 
their advice to the comments mailing-list:

In short, they strongly advise us *not to* write a best practice that 
would recommend using a Hashed Identity Token in lieu of a proper HTTPS 
connection. Potentially valid use-cases would be too hard to capture in 
a short best practice statement.

When you ask security experts about trading security, the outcome is to 
be expected, I suppose, but I must say I find their arguments 
particularly relevant to MWABP. Any reaction to that?


Received on Wednesday, 4 February 2009 09:45:39 UTC
