- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 18 Apr 2007 16:41:10 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
- Message-ID: <OFCC291BF6.1DD9669A-ON852572C1.00708C1E-852572C1.0071A51B@LocalDomain>

Bill, this has the title of item 13 and the content of item 14. So it's two issues.

On Al's item 13: New security information is out of scope. EV certificates are I think the only data in wsc-usecases in this space. So we're covered to the extent we can be, given our charter.

For those of you not subscribed to our public comments list, here's the actual text of Al's 13:

full legal entity identification (is a must)

where it says, in 4.3 Entity Identification

designators that helps the user recognize which entity they are currently conversing with

please consider

If the user can't readily drill down and get a fully-qualified answer to "who do I sue?" you are wasting your breath. The fact that the user could, in principle, start an independent, un-prompted browse through WhoIs does not meet this requirement.

Why?

Business runs on recourse. The best commercial practice is not to get it right; but to refund on dissatisfaction. You can't rewrite this aspect of the climate of values that bear on the small domain of transactions you are working on.

On Al's 14: Confusion can be cleared up by referencing section 7 in goal 2.6. I propose we do that.

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/15/2007 11:03 AM
Please respond to Web Security Context WG <public-wsc-wg@w3.org>
To public-wsc-wg@w3.org
cc
Subject ISSUE-45: full legal entity identification (is a must) (public comment)

ISSUE-45: full legal entity identification (is a must) (public comment)

http://www.w3.org/2006/WSC/Group/track/issues/45

Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments raised by: Al Gilman Alfred.S.Gilman@ieee.org
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

widely deployed baseline, yes; usage and presentation, yes

where it says, in 5.4 New security information

Recommendations will only be made for the presentation of currently deployed security information.

please consider

You will, per goal 2.6, be making recommendations as to how to use the identified, widely deployed technologies; as well as how to present the information that results. You address this in the stated goal, but this statement appears to contradict that one. Don't leave the reader confused; assert both usage and presentation here.

Why?

The security information that is available will depend on appropriate use of the tech base. Your recommendations need to spell out the technology utilization that will make necessary information available and not just how to present it when it's there.

please consider

We need your expertise applied to identifying "areas for future work" in addition to this scope. I understand that you do not plan to design presentation innovations predicated on model innovations. That's appropriate risk management. But you need to publish the gaps in the "currently deployed techbase" as well to foster migration to a higher and better state of de_jure as well as de_facto Web security.

Received on Wednesday, 18 April 2007 20:41:12 UTC