- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Mon, 23 Apr 2007 16:00:34 -0400
- To: "'Stuart E. Schechter'" <ses@ll.mit.edu>, "'Web Security Context WG'" <public-wsc-wg@w3.org>
- Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
I tend to agree with your observations. However, there is one role a password manager can play with respect to fighting impersonation. It would be helpful if the password manager could do a better job of spotting a spoof site than the human, and would prevent the entry of a password or other sensitive information to such a site. This is especially powerful if the user has come to rely on the password manager for signing and entering information into any site.

Dan

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Stuart E. Schechter
Sent: Monday, April 23, 2007 3:44 PM
To: Web Security Context WG
Subject: Suggestions for note resulting from a conversation with mez

The introduction to the note should include a hyperlink to the charter.

In talking with MeZ, she thinks 90% of what we're doing is fighting impersonation attacks. Fighting impersonation means making it easier for users to know what site they are communicating with, and reducing the number of cases in which impersonation can cause harm (the number of security-critical decisions that require users to verify the identity of the site.) If this were reflected in the note, the goals and scope would be oodles more clear. For example, "security information" could be transformed into the much more descriptive "information used to authenticate the site".

Looking at the goals in Section 2 of the note, I don't see how password managers, which reduce the likelihood that a user will enter a password into an impersonation site, would fit into our goals. MeZ tells me that she believes there is a rough consensus that are inline with our goals.

Stuart proposes a new goal between 2.5 and 2.6:

Title: "Reduce the number of scenarios in which users' security depends on their ability to authenticate a site"

Content: "No matter how well security information is presented, there will always be users who, in some situations, will behave insecurely even in the face of harsh warnings. Thus, the working group will also recommend ways to reduce the number of situations in which users' security will be compromised if they fail to recognize an impersonation attack or other security failure."

With regard to section 3.1 (Goals), I think it's very hard to make sense of what's in scope and out of scope given that there are 20 use cases. It sounds like consensus is that average users' everyday activities are in scope, and that exceptional cases and expert use cases are out of scope (so long as the attacker cannot cause and exploit exceptional cases.) Why don't we just say something to that effect?

I think Section 7 documents "Security information available to the user agent", and so this should be its title.

In section 8, we jump to merits of the status quo without what the status quo is. Are we going to start by defining the status quo? If so, the status quo of what? Perhaps "Current mechanisms for conveying site authentication information to users?"

Received on Monday, 23 April 2007 20:00:58 UTC