- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 21 Jun 2006 14:26:52 -0400
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-usable-authentication@w3.org
- Message-ID: <OF1B7CCA42.5602DC8F-ON85257194.006454A1-85257194.00655E03@notesdev.ibm.com>
>
> - Web Security Context Baseline.
> http://www.w3.org/2005/Security/wsc-charter
>
> Think of this as "Secure Metadata" and "Secure Chrome" put
> together: What should user agents display, and how can
> they do this securely?
No surprise to anyone on this list, I like this one. I think it provides
real value, both against attacks and as a foundation to other works. It
explicitly goes after the space of what can be spoofed, which needs more
attention.
> - Form Annotations for HTTP Authentication.
> http://www.w3.org/2005/Security/htmlauth-charter
>
> Think of this as form-filler support on steroids, as
> sketched in late May on this list.
I'm less excited about this one, but it could be that I don't have the
full vision. What irks me about this one is that passwords aren't the only
thing. In fact, they're not even always the most useful thing. Other PII
like credit card numbers, SSN, etc. are still ripe forms of attack. So
what I don't get about this one is "why"? If it's "just" to provide an
excellent foundation for exploring solutions that need this feature, then
I do get that, because there's research that's having problems with this.
I'm missing why, if protecting passwords is the question, Digest isn't the
answer. It may be obvious to pretty much everyone else, so apologies if it
is.
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
IBM Lotus/WPLC Security Strategy and Architecture
Received on Wednesday, 21 June 2006 18:27:08 UTC