- From: Jo Rabin <jrabin@mtld.mobi>
- Date: Mon, 9 Feb 2009 06:51:50 -0000
- To: "Mobile Web Best Practices Working Group WG" <public-bpwg@w3.org>
For any x "Are there risks involved in doing x?" has the correct answer "Yes" e.g. where x is "eating ham sandwich" it remains true.

Best Practice would surely be: "Balance the convenience of the user with the possible risks involved. If you don't feel you know enough about the risks, err on the safe side."

Jo

> -----Original Message-----
> From: public-bpwg-request@w3.org [mailto:public-bpwg-request@w3.org] On Behalf Of Francois Daoust
> Sent: 04 February 2009 09:45
> To: Mobile Web Best Practices Working Group WG
> Subject: [ACTION-899] Web Security Context feedback on security Best Practice for MWABP
>
> Hi,
>
> I had contacted Thomas and the Web Security Context Working Group to get
> feedback on section 3.2.1 [1] of the Mobile Web Application Best
> Practices draft. They discussed the topic in one of their calls and sent
> their advice to the comments mailing-list:
>
> http://lists.w3.org/Archives/Public/public-bpwg-comments/2009JanMar/0005.html
>
> In short, they strongly advise us *not to* write a best practice that
> would recommend to use a Hashed Identity Token in lieu of a proper HTTPS
> connection. Potentially valid use-cases would be too hard to capture in
> a short best practice statement.
>
> When you ask security experts about trading security, the outcome is to
> be expected, I suppose, but I must say I find their arguments
> particularly relevant to MWABP. Any reaction to that?
>
> Francois.
>
> [1] http://www.w3.org/2005/MWI/BPWG/Group/Drafts/BestPractices-2.0/ED-mobile-bp2-20090101#bp-security-infoexchange
Received on Monday, 9 February 2009 06:52:33 UTC