ISSUE-28: [Policy] Requirement for NO security prompting [Security Policy Framework — General] from Device APIs and Policy Working Group Issue Tracker on 2009-10-06 (public-device-apis@w3.org from October 2009)

From: Device APIs and Policy Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 6 Oct 2009 19:46:32 +0000 (GMT)
To: public-device-apis@w3.org
Message-Id: <20091006194632.A6C015F76D@stu.w3.org>

ISSUE-28: [Policy] Requirement for NO security prompting  [Security Policy Framework — General]

http://www.w3.org/2009/dap/track/issues/28

Raised by: Frederick Hirsch
On product: Security Policy Framework — General

A number of workshop position papers noted that prompting the user for permission when making security decisions can be harmful, especially when repeated often.

Do we have a requirement for no user security prompting, or perhaps only allow user-configuration and then no prompting?

Proposal: Add policy Requirement: User agents MUST NOT present modal dialogs to prompt users for security decisions no user prompting for security decisions
Add policy Requirements: Users SHOULD have control over general configuration of security decisions

Rationale is in 2.1 of the OMTP position paper [1], the Mozilla position paper [2], Johnson/Bellovin [3]

[1] http://www.w3.org/2008/security-ws/papers/OMTP_Security_Position_Paper.pdf

[2] http://www.w3.org/2008/security-ws/papers/mozilla.html

[3] http://www.w3.org/2008/security-ws/papers/security_assurance_webapi.pdf

Received on Tuesday, 6 October 2009 19:46:34 UTC