Introduction

Hello all,

I'm Yngve N. Pettersen, and I'm the lead developer at Opera Software in  
the networking and security area (HTTP, caching, cookies, TLS, encryption  
etc.), and I am also the head of our security group.

I have for some time followed standardization work in the IETF.

More recently I have been involved in the CA Browser forum Extended  
Validation effort, as well as some work within the IETF to solve a  
security problem with cookie domains, as well as a number of other  
protocol issues in TLS and following the work on IDNA.

While I have not worked much with UI (I like working under the hood better  
than polishing the chrome), I am aware of the issues involving the  
presentation of security related information and options to the user and  
the potential problems with making security related decisions for the  
user, in particular when those decisions do not match what other  
alternative products do in the same situation.

I recently posted a few articles about some of the issues, primarily  
related to handling of websites using weak encryption, mixed security, or  
certificates issued by unknown authorities, and also explored the possible  
ways browsers can handle these situations. If you are interested, the  
most recent article is located at <URL:  
http://my.opera.com/yngve/blog/show.dml/461932 >.

One of the problems in the area may be showing too little information (in  
some cases) and too much (in other cases).

We probably need to find a better balance between what decisions the user  
agent can make on their own (for example, to automatically refuse or  
accept sites with questionable security information) and when the user  
agent must ask the user, and in both cases how it is presented. Currently  
it is possible that we ask the user too often.

Another question is what, if anything, the client can do to discourage the  
user from submitting sensitive information to unauthorized websites, even  
when they are not on a list of known frauds.

I hope that this group can help resolve some of these and other related  
questions.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer		             Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Thursday, 30 November 2006 00:50:28 UTC