RE: ISSUE-28: [Policy] Requirement for NO security prompting [Security Policy Framework — General] from Marcin Hanclik on 2009-10-06 (public-device-apis@w3.org from October 2009)

From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Date: Tue, 6 Oct 2009 22:54:53 +0200
To: Device APIs and Policy Working Group WG <public-device-apis@w3.org>
Message-ID: <FAA1D89C5BAF1142A74AF116630A9F2C2890BCA521@OBEEX01.obe.access-company.com>

>>Add policy Requirement: User agents MUST NOT present modal dialogs to prompt users for security decisions no user prompting for security decisions
I am not sure whether we should explicitly prohibit modal dialogs. This may be vendor-dependent and could be a differentiator.

>>Add policy Requirements: Users SHOULD have control over general configuration of security decisions
I assume the comments raised for geolocation API [1] are also valid here, i.e. this one issue.
If solved in one WG, it should propagate to the other.

Thanks,
Marcin

[1] http://lists.w3.org/Archives/Public/public-geolocation/2009Aug/0006.html
________________________________________
From: public-device-apis-request@w3.org [public-device-apis-request@w3.org] On Behalf Of Device APIs and Policy Working Group Issue Tracker [sysbot+tracker@w3.org]
Sent: Tuesday, October 06, 2009 9:46 PM
To: public-device-apis@w3.org
Subject: ISSUE-28: [Policy] Requirement for NO security prompting  [Security Policy Framework — General]

ISSUE-28: [Policy] Requirement for NO security prompting  [Security Policy Framework — General]

http://www.w3.org/2009/dap/track/issues/28

Raised by: Frederick Hirsch
On product: Security Policy Framework — General

A number of workshop position papers noted that prompting the user for permission when making security decisions can be harmful, especially when repeated often.

Do we have a requirement for no user security prompting, or perhaps only allow user-configuration and then no prompting?

Proposal: Add policy Requirement: User agents MUST NOT present modal dialogs to prompt users for security decisions no user prompting for security decisions
Add policy Requirements: Users SHOULD have control over general configuration of security decisions

Rationale is in 2.1 of the OMTP position paper [1], the Mozilla position paper [2], Johnson/Bellovin [3]

[1] http://www.w3.org/2008/security-ws/papers/OMTP_Security_Position_Paper.pdf

[2] http://www.w3.org/2008/security-ws/papers/mozilla.html

[3] http://www.w3.org/2008/security-ws/papers/security_assurance_webapi.pdf






________________________________________

Access Systems Germany GmbH
Essener Strasse 5  |  D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda

www.access-company.com

CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the
individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited.
If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.

Received on Tuesday, 6 October 2009 21:00:20 UTC