- From: Device APIs and Policy Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Tue, 6 Oct 2009 19:46:32 +0000 (GMT)
- To: public-device-apis@w3.org
ISSUE-28: [Policy] Requirement for NO security prompting [Security Policy Framework — General] http://www.w3.org/2009/dap/track/issues/28 Raised by: Frederick Hirsch On product: Security Policy Framework — General A number of workshop position papers noted that prompting the user for permission when making security decisions can be harmful, especially when repeated often. Do we have a requirement for no user security prompting, or perhaps only allow user-configuration and then no prompting? Proposal: Add policy Requirement: User agents MUST NOT present modal dialogs to prompt users for security decisions no user prompting for security decisions Add policy Requirements: Users SHOULD have control over general configuration of security decisions Rationale is in 2.1 of the OMTP position paper [1], the Mozilla position paper [2], Johnson/Bellovin [3] [1] http://www.w3.org/2008/security-ws/papers/OMTP_Security_Position_Paper.pdf [2] http://www.w3.org/2008/security-ws/papers/mozilla.html [3] http://www.w3.org/2008/security-ws/papers/security_assurance_webapi.pdf
Received on Tuesday, 6 October 2009 19:46:34 UTC