- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Tue, 28 Nov 2006 16:28:20 -0600
- To: <public-wsc-wg@w3.org>
Mary Ellen Zurko wrote:

> What might be enough is to use this information with other
> browser history to flag things like
> 1) discontinuities (particularly downward) for a particular site, or
> 2) categories and trends and recommendations (can we use the semantic
> web to tag site types, then say things like "the financial sites you've
> visited in the past all have tip-top security; this one claims to be
> financial but has mediocre security; beware").

I suspect neither of these options is useful in practice in the web browser.

We've gotten to a stage of Moore's law where top strength cryptography is feasible to deploy for everyone, not just the wealthy. There's no particular reason for the local T-shirt printing shop to use lower strength cryptography than does a national bank. I think it is feasible for browser distributors to simply make a conservative yes/no decision on what cryptography algorithms and key lengths are considered safe and disable any algorithms on the "no" list.

So for case 1), so long as the downgrade in algorithm is still in the "yes" list, it is OK for the user to continue; otherwise not. It should not be the case that a vulnerable algorithm continues to exist on the "yes" list. Even if this were to occur, I don't know how a user should react to that scenario.

For case 2), we shouldn't expect to find differences between the algorithms chosen by bank sites and those chosen by T-shirt printing sites.

This approach requires a very public and deliberate decision making process from the browser distributor, so that site servers are upgraded as needed; however, I think it's a lot easier for the user to deal with.

Tyler
Received on Tuesday, 28 November 2006 22:28:33 UTC
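The policy Tyler describes, a distributor-maintained yes/no list of algorithms and key lengths plus the rule that a per-site downgrade is fine as long as the new parameters are still on the "yes" list, is shown below as an added Python example. It is not code from this thread or from any browser; the cipher-suite names, the parsing of OpenSSL-style suite names, and the allowed algorithm families and minimum key sizes are all constructed assumptions chosen for illustration.

```python
"""Added illustration of a browser-side yes/no cryptography policy (not from the thread).

The suite-name parser handles OpenSSL-style names such as "ECDHE-RSA-AES128-GCM-SHA256";
the policy thresholds and the sample names used in the usage section are assumptions.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Negotiated:
    site: str
    key_exchange: str   # e.g. "ECDHE", "DHE", "RSA"
    cipher: str         # e.g. "AES", "CHACHA20", "RC4"
    key_bits: int       # symmetric key length
    mac: str            # "AEAD" for GCM/CCM/POLY1305, else the hash token

# Distributor "yes" list (assumed values): everything not listed here is on the "no" list.
ALLOWED_KEY_EXCHANGE = {"ECDHE", "DHE"}        # forward-secret exchanges only
ALLOWED_CIPHERS = {"AES": 128, "CHACHA20": 256} # cipher family -> minimum key bits
ALLOWED_MACS = {"SHA256", "SHA384", "AEAD"}     # no SHA-1 / MD5 integrity

_CIPHER_WITH_BITS = re.compile(r"(AES|CAMELLIA)(128|256)")

def parse_suite(site: str, suite: str) -> Negotiated:
    """Turn an OpenSSL-style suite name into its components (assumed naming convention)."""
    tokens = suite.upper().split("-")
    key_exchange = tokens[0] if tokens[0] in {"ECDHE", "DHE", "ECDH", "DH"} else "RSA"
    cipher, key_bits = "UNKNOWN", 0
    for t in tokens:
        m = _CIPHER_WITH_BITS.fullmatch(t)
        if m:
            cipher, key_bits = m.group(1), int(m.group(2))
        elif t == "CHACHA20":
            cipher, key_bits = "CHACHA20", 256
        elif t == "RC4":
            cipher, key_bits = "RC4", 128
        elif t in {"DES", "CBC3", "3DES"}:
            cipher, key_bits = "3DES", 112
    aead = bool({"GCM", "CCM", "POLY1305"} & set(tokens))
    mac = "AEAD" if aead else tokens[-1]
    return Negotiated(site, key_exchange, cipher, key_bits, mac)

def is_acceptable(n: Negotiated) -> bool:
    """Conservative yes/no decision: every component must be on the 'yes' list."""
    min_bits = ALLOWED_CIPHERS.get(n.cipher)
    return (n.key_exchange in ALLOWED_KEY_EXCHANGE
            and min_bits is not None and n.key_bits >= min_bits
            and n.mac in ALLOWED_MACS)

def decide(current: Negotiated, history: dict) -> tuple:
    """Apply the rule from the message: block anything on the 'no' list; a downgrade
    relative to the site's last visit is allowed as long as it is still on the 'yes' list.
    Returns (decision, reason); the downgrade reason is for logging, not for the user."""
    if not is_acceptable(current):
        return ("block", "negotiated parameters are on the 'no' list")
    previous = history.get(current.site)
    downgraded = previous is not None and current.key_bits < previous.key_bits
    history[current.site] = current
    if downgraded:
        return ("proceed", "weaker than last visit, but still on the 'yes' list")
    return ("proceed", "on the 'yes' list")

if __name__ == "__main__":
    # Constructed sample visits: a downgrade within the "yes" list, then two "no"-list suites.
    seen = {}
    for site, suite in [("bank.example", "ECDHE-RSA-AES256-GCM-SHA384"),
                        ("bank.example", "ECDHE-RSA-AES128-GCM-SHA256"),
                        ("shop.example", "ECDHE-RSA-RC4-SHA"),
                        ("shop.example", "AES128-SHA")]:
        print(site, suite, decide(parse_suite(site, suite), seen))
```

The history lookup is what would have driven Mary Ellen's "discontinuity" warning; here it only annotates the log, because under a fixed allowlist a downgrade that stays on the "yes" list changes nothing for the user, while a suite that drops off the list is refused outright regardless of history.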