- From: Chris Drake <christopher@pobox.com>
- Date: Wed, 20 Jun 2007 07:35:43 +1000
- To: "Close, Tyler J." <tyler.close@hp.com>
- CC: public-usable-authentication@w3.org
Hi Tyler,

Two comments:

1. This is a security issue - thus one should be familiar with Bruce
   Schneier and his work in order to put forward suggestions. In short -
   It's well known and documented that "security issues" cannot be
   "broken down" into smaller areas. To summarize the reason: almost
   all security problems are born at the junctions of "broken down"
   components.

2. You wrote "My own understanding" ... I humbly suggest that you
   don't know everything, and are thus not in a position to make the
   suggestion that follows. Further - unless you consider the whole
   scope, you're never going to be *able* to arrive at a
   near-comprehensive solution at all. That was - after all - my whole
   point...

Kind Regards,
Chris Drake

Wednesday, June 20, 2007, 7:15:27 AM, you wrote:

CTJ> Hi Chris,

CTJ> My own understanding of this problem space leads me to believe that
CTJ> there does not exist a potential solution which will simultaneously
CTJ> address all of the threats facing web users. Given that hypothesis, the
CTJ> only practical way forward is to break the problem space down into
CTJ> smaller areas and attempt solutions for each of these. The WSC WG is
CTJ> focused on one of those smaller areas, mostly centered around web site
CTJ> impersonation. I'm also involved in work which addresses some of the
CTJ> other smaller areas and believe this WG's work will integrate well with
CTJ> solutions in the other areas of this problem space. I remain hopeful
CTJ> that this WG's work is a step in the right direction. I would be highly
CTJ> skeptical of any attempt to address the whole problem space in one go.

CTJ> Tyler

>> -----Original Message-----
>> From: public-usable-authentication-request@w3.org
>> [mailto:public-usable-authentication-request@w3.org] On
>> Behalf Of Chris Drake
>> Sent: Tuesday, June 19, 2007 7:54 AM
>> To: public-usable-authentication@w3.org
>> Subject: Comments Universal Design review of WSC Draft
>>
>>
>> Hi,
>>
>> I present just one review comment - the exclusive nature of
>> the scope renders much of the rest of the document largely pointless.
>>
>> Victims care about not becoming victims. They're not
>> interested in only avoiding becoming a victim in a predefined
>> narrow set of circumstances. They just want to be safe.
>>
>> It *should* be the simple goal of any WSC draft to propose
>> genuine usable solutions that protect potential victims in as
>> many hostile situations as possible.
>>
>> Good: Follow these recommendations, and your users will be safe.
>>
>> Bad: Follow these recommendations, and attackers will adjust to
>> taking advantage of your users using slightly different
>> techniques to before.
>>
>> There are a lot of experts and smart people on this list.
>> While I sympathize with the enormity of the task involved in
>> correcting the goals and scope of this document, I think it's
>> well worth while, since this is the last time you'll be able
>> to seriously access these professionals and their experience
>> in order to produce a work that could do some serious good to
>> the world.
>>
>> Kind Regards,
>> Chris Drake

Received on Tuesday, 19 June 2007 21:36:08 UTC