- From: Francois Daoust <fd@w3.org>
- Date: Wed, 04 Feb 2009 10:45:04 +0100
- To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
Hi,

I had contacted Thomas and the Web Security Context Working Group to get feedback on section 3.2.1 [1] of the Mobile Web Application Best Practices draft. They discussed the topic in one of their calls and sent their advice to the comments mailing list:

http://lists.w3.org/Archives/Public/public-bpwg-comments/2009JanMar/0005.html

In short, they strongly advise us *not to* write a best practice that would recommend using a Hashed Identity Token in lieu of a proper HTTPS connection. Potentially valid use cases would be too hard to capture in a short best practice statement.

When you ask security experts about trading security, the outcome is to be expected, I suppose, but I must say I find their arguments particularly relevant to MWABP.

Any reaction to that?

Francois.

[1] http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/ED-mobile-bp2-20090101#bp-security-infoexchange
Received on Wednesday, 4 February 2009 09:45:39 UTC