- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Mon, 17 Apr 2006 10:47:21 -0400
- To: "'Hallam-Baker, Phillip'" <pbaker@verisign.com>, "'Jeffrey Altman'" <jaltman@secure-endpoints.com>, "'George Staikos'" <staikos@kde.org>
- Cc: <public-usable-authentication@w3.org>

I believe this is a good first start.

-----Original Message-----
From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of Hallam-Baker, Phillip
Sent: Monday, April 17, 2006 10:36 AM
To: Jeffrey Altman; George Staikos
Cc: public-usable-authentication@w3.org
Subject: RE: Secure Chrome

Let's break the problem down.

Secure Chrome has a number of attributes:

* Must be recognizable as secure chrome to the user
* Must be under exclusive control of the application
* [Possibly more]

There are a number of ways that secure chrome might be achieved and a number of degrees of security possible:

* Secure Chrome - security guaranteed by the operating system
* Spoof resistant chrome - security guaranteed by application level best effort

Adding the Google toolbar is an unintentional but effective protection against many phishing attacks spoofing the address bar in JavaScript because it mucks up their pixel counts. Refusing to create frameless pop-ups. Rejecting the idiotic notion that the content provider has the right to determine the end user experience does a lot.

To get to absolutely secure chrome we are going to need close coupling to the O/S security layer. But this is a goal to work towards, not a must-achieve first-day requirement.

Received on Monday, 17 April 2006 14:47:35 UTC