RE: Greetings from Hallam-Baker, Phillip on 2006-10-31 (public-wsc-wg@w3.org from October 2006)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 31 Oct 2006 09:28:14 -0800
To: "Timothy Hahn" <hahnt@us.ibm.com>, <public-wsc-wg@w3c.org>
Message-ID: <198A730C2044DE4A96749D13E167AD37E7DE7D@MOU1WNEXMB04.vcorp.ad.vrsn.com>

The term 'frustrated by the various "artifacts"' reminded me that there
is another important issue here, the insecure clutter that is getting
stuffed into browsers without thought for the security issues.
 
For example, favicons have been spreading quickly. But there is no bar
to having a favicon that looks like a padlock icon. It is pretty easy to
create a favicon that makes a page appear to use SSL. 
 
We need to have a clear distinction between control and data. Users
should be able to trust the browser to display content in the content
window and restrict the chrome area to data that is trustworthy.
 
For years people have been telling me that 'users want' flash
animations, etc. that can make whatever use of the user's screen they
choose. Now the same people tell me to use Firefox pretty much because
of what it does not allow. 
 
The control bar on my broswer belongs to me, it should not be possible
for a content provider to disable it.
 
We have a 'stop downloading' button. Why can't I click that to stop the
execution of Javascript &ct. on a page? 
 
 
Clearly it will take time to get from where we are to where we want to
be. But it would be nice if there was at least a clickbox that would
enable a single comprehensive set of browser configurations that is
secure and repeatable. Ad hoc constraints on javascript are creating as
much of a problem as the early spam filters that kicked out 10% false
positive. If the set of capabilities was predictable and detectable
content providers would be much better off.
 


________________________________

	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn
	Sent: Tuesday, October 31, 2006 10:10 AM
	To: public-wsc-wg@w3c.org
	Subject: Greetings
	
	

	Hello! 
	
	My name is Tim Hahn and I am looking forward to working with
this group. 
	
	I have been somewhat frustrated by the various "artifacts" which
different HTTP clients/browsers use to convey whatever security-related
information has been sent from HTTP servers to which the browser is
connected.  The current state-of-the-art seems to be more annoying to
users than informative, and even for security professionals can be
confusing to interpret. 
	
	I have worked for IBM for 16 years as a developer, designer,
architect, and strategist.  I have been working on several of IBM's
directory and security-related product offerings for over 10 years,
dating back to Distributed Computing Environment, through LDAP directory
services, and currently on authentication, access control, and identity
management product offerings.  I have participated in several standards
bodies in the past including DMTF and IETF working groups. 
	
	I am looking forward to meeting all of you, either in person in
NYC or on the list. 
	
	Regards, 
	Tim Hahn
	
	Internet: hahnt@us.ibm.com
	Internal: Timothy Hahn/Durham/IBM@IBMUS
	phone: 919.224.1565     tie-line: 8/687.1565
	fax: 919.224.2530

Received on Tuesday, 31 October 2006 17:29:31 UTC