- From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
- Date: Wed, 7 Oct 2009 14:47:01 +0200
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- CC: Device APIs and Policy Working Group WG <public-device-apis@w3.org>
Hi Frederick,

I assume when doing so, we would get the similar comments as in GeoWG.
I think it should be left to the user agent or deployment.

Thanks,
Marcin

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452 | Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

-----Original Message-----
From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com]
Sent: Wednesday, October 07, 2009 2:35 PM
To: Marcin Hanclik
Cc: Frederick Hirsch; Device APIs and Policy Working Group WG
Subject: Re: ISSUE-28: [Policy] Requirement for NO security prompting [Security Policy Framework - General]

I was suggesting the extreme approach for *security* dialogs, since it
seems to be a security not-best-practice, and taking an extreme point
might help with making a decision by eliciting responses...

Given the arguments in the position papers, I'm wondering why we
shouldn't say something in DAP about this.

regards, Frederick

Frederick Hirsch
Nokia

On Oct 6, 2009, at 4:54 PM, ext Marcin Hanclik wrote:

>>> Add policy Requirement: User agents MUST NOT present modal dialogs
>>> to prompt users for security decisions no user prompting for
>>> security decisions
> I am not sure whether we should explicitly prohibit modal dialogs.
> This may be vendor-dependent and could be a differentiator.
>
>>> Add policy Requirements: Users SHOULD have control over general
>>> configuration of security decisions
> I assume the comments raised for geolocation API [1] are also valid
> here, i.e. this one issue.
> If solved in one WG, it should propagate to the other.
>
> Thanks,
> Marcin
>
> [1] http://lists.w3.org/Archives/Public/public-geolocation/2009Aug/0006.html
> ________________________________________
> From: public-device-apis-request@w3.org [public-device-apis-request@w3.org] On Behalf Of Device APIs and Policy Working Group Issue Tracker [sysbot+tracker@w3.org]
> Sent: Tuesday, October 06, 2009 9:46 PM
> To: public-device-apis@w3.org
> Subject: ISSUE-28: [Policy] Requirement for NO security prompting
> [Security Policy Framework - General]
>
> ISSUE-28: [Policy] Requirement for NO security prompting [Security
> Policy Framework - General]
>
> http://www.w3.org/2009/dap/track/issues/28
>
> Raised by: Frederick Hirsch
> On product: Security Policy Framework - General
>
> A number of workshop position papers noted that prompting the user
> for permission when making security decisions can be harmful,
> especially when repeated often.
>
> Do we have a requirement for no user security prompting, or perhaps
> only allow user-configuration and then no prompting?
>
> Proposal: Add policy Requirement: User agents MUST NOT present modal
> dialogs to prompt users for security decisions no user prompting for
> security decisions
> Add policy Requirements: Users SHOULD have control over general
> configuration of security decisions
>
> Rationale is in 2.1 of the OMTP position paper [1], the Mozilla
> position paper [2], Johnson/Bellovin [3]
>
> [1] http://www.w3.org/2008/security-ws/papers/OMTP_Security_Position_Paper.pdf
>
> [2] http://www.w3.org/2008/security-ws/papers/mozilla.html
>
> [3] http://www.w3.org/2008/security-ws/papers/security_assurance_webapi.pdf
>
> ________________________________________
>
> Access Systems Germany GmbH
> Essener Strasse 5 | D-46047 Oberhausen
> HRB 13548 Amtsgericht Duisburg
> Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda
>
> www.access-company.com
>
> CONFIDENTIALITY NOTICE
> This e-mail and any attachments hereto may contain information that
> is privileged or confidential, and is intended for use only by the
> individual or entity to which it is addressed. Any disclosure,
> copying or distribution of the information by anyone else is
> strictly prohibited.
> If you have received this document in error, please notify us
> promptly by responding to this e-mail. Thank you.
Received on Wednesday, 7 October 2009 12:47:47 UTC