- From: <mzurko@us.ibm.com>
- Date: Fri, 09 Jan 2009 20:03:03 +0000
- To: Francois Daoust <fd@w3.org>
- Cc: public-usable-authentication@w3.org
Dear Francois Daoust,

The Web Security Context Working Group has reviewed the comments you sent [1] on the Last Call Working Draft [2] of the Web Security Context: User Interface Guidelines published on 24 Jul 2008. Thank you for having taken the time to review the document and to send us comments!

The Working Group's response to your comment is included below. Please review it carefully and let us know by email at public-usable-authentication@w3.org if you agree with it or not before 26 January 2009. In case of disagreement, you are requested to provide a specific solution for or a path to a consensus with the Working Group. If such a consensus cannot be achieved, you will be given the opportunity to raise a formal objection which will then be reviewed by the Director during the transition of this document to the next stage in the W3C Recommendation Track.

Thanks,

For the Web Security Context Working Group,
Thomas Roessler
W3C Staff Contact

1. http://www.w3.org/mid/48CA9D24.6050201@w3.org
2. http://www.w3.org/TR/2008/WD-wsc-ui-20080724/

=====

Your comment on :
> Hi,
>
> I stumbled upon several obscure terms and sentences while reading the spec (see list below). The terms are not defined. As far as I can tell, they are all basic terms when one is used to dealing with security on the Web.
>
> Even though it contains "Security", the title looks friendly, and doesn't seem to infer that a technical background on security is required. Since there is no audience section, I expect I'm reasonably well-versed in Web matters to understand the spec. That is not the case: I understand the clauses, which is good, but I sometimes fail to understand the rationale behind them.
>
> Depending on the audience you are targeting, you may not want to define these terms in the spec. That is the gist of this comment: the audience is not defined. If your primary target is security experts, no need to read the following list. If your primary target is user interface developers, you should clarify them. In any case, you should probably mention it and specify the expected knowledge before reading the spec so that readers know what to expect beforehand.
>
> Here is the list of security-related topics that are not so common for other communities (well, "for me" at least, that is ;)):
> - Section 5: The "TLS" acronym is actually never defined (only mentioned in the references part).
> - Section 5.1.5: "use of TLS provides confidentiality protection services against passive attackers". What is a "passive attacker"?
> - Section 5.1.5: "this can be strong evidence that protection against an active attacker has been achieved as well". What is an "active attacker"?
> - Section 5.1.5: "evidence that a man in the middle attack occurs". For once, I know what a "man in the middle attack" refers to, but I'm not sure everyone does.
> - Section 5.2: "for both confidentiality and integrity protection". I get the difference but that may be worth a little explanation as well.
> - Section 7.1.1: same thing with "phishing" and "spoofing" although probably known by more people.
> - Section 8.2: "OCSP" stands for?
>
> As a side note, I am totally fine with the relative complexity created by the multiple definitions the spec already contains. Precision is good!
>
> Thanks,
>
> Francois Daoust,
> W3C Staff Contact,
> Mobile Web Best Practices Working Group.

Working Group Resolution (LC-2095):
Thank you. We've added a reference to OCSP. The TLSv11 reference defines TLS in this context. We will not be putting additional details of those protocols in our spec. We hope the reader will either be familiar with them, or follow up with the references or generic web searches of the concepts.

----
Received on Friday, 9 January 2009 20:03:12 UTC