Re: ISSUE-68: Note summary, goals, and scope should more clearly focus on problem to be solved---impersonation

I'm not sure I agree with the very last step of logic in the last 
sentence. And I can't tell if that's because I don't agree with what I 
said on the phone (that 90% of what we're doing is fighting impersonation 
attacks), or that I don't agree with just that last step. Fighting 
impersonation attacks is, imo, the reason that there was enough interest 
in the WG for the membership of the W3C to support it. So it is a major 
thrust of what we are doing. There are two aspects of our charter and 
direction that work against that as the only goal however. One is the 
deliverable to render the presentation of security context information 
robust against spoofing attacks. That opens up the scope to consideration 
of any attack that can either remove security context information, or add 
it. The other item in the charter is that we are enabling users to make 
better trust decisions on the web. Even if I'm accurately certain of the 
identity of a web site, will I make a better trust decision if it's asking 
me to register my new password (or send an old one) in the network in the 
clear? 

Anyone else have thoughts on this tension (between "just" identity and 
richer security context information if/as driven by the charter)? 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/25/2007 10:37 AM
Please respond to: Web Security Context WG <public-wsc-wg@w3.org>

To: public-wsc-wg@w3.org
Subject: ISSUE-68: Note summary, goals, and scope should more clearly focus on
problem to be solved---impersonation

ISSUE-68: Note summary, goals, and scope should more clearly focus on 
problem to be solved---impersonation

http://www.w3.org/2006/WSC/Group/track/issues/68

Raised by: Stuart Schechter
On product: Note: use cases etc.

In talking with MeZ, she thinks 90% of what we're doing is fighting
impersonation attacks. Fighting impersonation means making it easier for
users to know what site they are communicating with, and reducing the
number of cases in which impersonation can cause harm (the number of
security-critical decisions that require users to verify the identity of
the site). If this were reflected in the note, the goals and scope would be
oodles more clear. For example, "security information" could be
transformed into the much more descriptive "information used to
authenticate the site".

Received on Wednesday, 25 April 2007 16:46:09 UTC