Re: Thoughts on trust ownership...

It's not clear to me that we'd know if they were successful within our 
timeline. But thanks for sending out the pointer. 

On Brad's question, the scope/goal difference pointed out (in different 
ways) by Hal and Thomas is useful here. It's not our primary use case, but 
it could be an important use case. I would expect it not to be a goal, 
but to be in scope. Particularly since there's a W3C workshop on web of 
services for enterprise computing:
http://www.w3.org/2006/10/wos-ec-cfp.html

The use cases could take at least two forms: a different kind of task/user 
at a classic web browser (IT admin doing something) or an infrastructure 
that allows IT admins to make web security context information available 
to users at a web user agent (browser or otherwise). 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




Stephen Farrell <stephen.farrell@cs.tcd.ie> 
Sent by: public-wsc-wg-request@w3.org
11/20/2006 06:41 PM

To: Brad Porter <brad@tellme.com>
cc: "W3C Security (Public)" <public-wsc-wg@w3.org>
Subject: Re: Thoughts on trust ownership...

Don't know anything about widgets, but the IT admin angle also
reminds me of the new nea WG in the IETF, which is supposed to
be looking at things like patch level compliance (with some IT
admin policy) before/during network access.

Not sure they'll be very successful, but if they are, then wsc
might want to take account of that protocol too (e.g. when meeting
use cases where people use work PCs for consumer purposes).

S.

[1] http://www.ietf.org/html.charters/nea-charter.html


Brad Porter wrote:
> I was considering the unique security challenges of the Widgets 1.0 
> Working Draft <http://www.w3.org/TR/2006/WD-widgets-20061109/> 
> (chromeless windows that want all the capabilities of the web plus 
> more.)  I began to wonder if we should be looking to enable the IT 
> administrator as much or more than the individual.
> 
> As an IT administrator, you're forced to deal with users who place 
> different values on personal and information security, who have 
> different mental models for who they trust, and generally have less to 
> lose personally than the corporation as a whole.  Consequently, as much 
> as the responsibility for maintaining the information security policy 
> belongs to each individual at a company, in practice, doing that 
> consistently requires some central enforcement. 
> 
> Would we consider it in-scope or out-of-scope to deal with centrally 
> managing access and policy alongside (or in place of) making it 
> easier for the individual user to manage his/her security and privacy?
> 
> --Brad

Received on Wednesday, 22 November 2006 17:12:14 UTC