RE: Secure Chrome

I believe this is a good first start.

-----Original Message-----
From: public-usable-authentication-request@w3.org
[mailto:public-usable-authentication-request@w3.org] On Behalf Of
Hallam-Baker, Phillip
Sent: Monday, April 17, 2006 10:36 AM
To: Jeffrey Altman; George Staikos
Cc: public-usable-authentication@w3.org
Subject: RE: Secure Chrome

Let's break the problem down.

Secure Chrome has a number of attributes:

* Must be recognizable as secure chrome to the user
* Must be under exclusive control of the application
* [Possibly more]

There are a number of ways that secure chrome might be achieved and a number
of degrees of security possible:

* Secure Chrome - security guaranteed by the operating system
* Spoof resistant chrome - security guaranteed by application level best
effort

Adding the Google toolbar is an unintentional but effective protection
against many phishing attacks spoofing the address bar in JavaScript because
it mucks up their pixel counts.

Refusing to create frameless pop-ups. Rejecting the idiotic notion that the
content provider has the right to determine the end user experience does a
lot.

To get to absolutely secure chrome we are going to need close coupling to
the O/S security layer. But this is a goal to work towards, not a
must-achieve first-day requirement.

Received on Monday, 17 April 2006 14:47:35 UTC