- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 18 Apr 2007 16:27:44 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
- Message-ID: <OF19D1530C.D2D2950D-ON852572C1.0070033F-852572C1.00706A4E@LocalDomain>
Under either "New Security Information" or "Other Security Challenges", Al points out this is a future looking statement, and so it's out of scope.

btw, I couldn't follow the contextual integrity link - you need to be subscribed to the economist:
http://www.economist.com/science/displaystory.cfm?story_id=E1_RQRGDSN

If anyone else goes there, let us know what it's about.

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/15/2007 11:01 AM
Please respond to Web Security Context WG <public-wsc-wg@w3.org>

To public-wsc-wg@w3.org
cc
Subject ISSUE-44: beyond 'who' (some day) (public comment)

ISSUE-44: beyond 'who' (some day) (public comment)

http://www.w3.org/2006/WSC/Group/track/issues/44

Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments raised by:
Al Gilman Alfred.S.Gilman@ieee.org
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

beyond 'who' (some day)

where it says, in 4.3 Entity identification

Recommending a presentation for these designators that helps the user recognize which entity they are currently conversing with, and when they are switching to a different entity, is a primary concern of this Working Group.

please consider

The likely shape of a better world of trust includes the terms of the engagement beyond just 'who.'

Absolutely, the state of what works today is limited to "who" am I talking to. And DNS domains are about as scientific a 'who' as users ever resolve in their fuzzy brains, by way of entities that are not human individuals.

On the other hand, there is still a lot of dissatisfaction from consumers about organizations taking information disclosed for a finite purpose and redistributing it beyond what the user understood as the purpose of that disclosure.

So the group should be aware of contemporary work to model trust decisions in terms of contextual integrity where the parameters of a context desiring integrity are the defining characteristics of shared tasks as well as who is in or out of the circle of the conversation.

please consider

attribute certificates in the picture, eventually (bearer is known to me and assertion/attribute is true about said bearer). User can provide a voucher for certified quality, not requiring disclosure of user's identity.

Why?

The parking meter needs to know you are a qualifying individual to use disabled parking spots, but it does not need to know exactly who you are. There are, in the best of all possible worlds, many correlates for this in the world of B2C transactions.

So while a clear communication of "who is in the scene, and who am I conversing with?" is the name of the game for now, the total picture in the long term may use attribute certificates as well as identity certificates
Received on Wednesday, 18 April 2007 20:27:48 UTC