- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Thu, 27 Dec 2007 13:06:50 -0500
- To: <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801D364FA@IMCSRV5.MITRE.ORG>
4.2.2 - whack-a-mole means many things in terms of attacks (e.g. DDoS whack-a-mole). Do not believe WSC wants to say "whack-a-mole refers to a web site" without clarifying in this document that whack-a-mole means xxx.

Section 5

5.1 - Would take out the text "the alternative upgrade mechanism [RFC2817] <http://www.w3.org/TR/wsc-xit/#ref-RFC2817> is used rarely, if at all". Think it is best to note expected usage of the protocol. Seems to side track the actual issues. The discussion could describe that TLS is a versioned IETF protocol. It is an ongoing specification where the latest version of the protocol has the ability to be configured to accept a specific set of ciphers considered "strong enough" for that version.

TLS strong algorithms - Configuration settings can be used to drive cipher settings (e.g. the Apache setting SSLCipherSuite -all +HIGH).

5.3 - seems confusing. Needs discussion on what is considered weak / strong TLS interaction. This paragraph could then describe how weak protection may provide IA in passive attacks if strong TLS is not achievable. The more aggressive the attacker, the higher the IA bar needs to be.

5.3.2 - may want to add corporate intranets to the list.

6.1.2 - possibly restructure the paragraph and organize it; it is very difficult to read. Suggestions - strong and weak TLS could be grouped:

During interactions with a TLS-secured Web page <http://www.w3.org/TR/wsc-xit/#def-secure-Page> for which the top-level resource has been retrieved through a strongly TLS-protected <http://www.w3.org/TR/wsc-xit/#strong-tls> interaction, the following steps must be followed:

1. When the interaction is based off of an augmented assurance certificate <http://www.w3.org/TR/wsc-xit/#AAcert>, the identity signal <http://www.w3.org/TR/wsc-xit/#def-identity-signal> MUST include the Subject field's Organization attribute to inform the user about the owner of the Web page <http://www.w3.org/TR/wsc-xit/#def-Page>.

2. When the interaction involves an attested certificate <http://www.w3.org/TR/wsc-xit/#def-attested-cert>, an applicable domain name label retrieved from the subject's Common Name attribute or from a subjectAltName extension MUST be displayed.

3. When the interaction involves an extended validation certificate <http://www.w3.org/TR/wsc-xit/#AAcert> ....

and then discuss weakly TLS-protected sites.

7.4 - couldn't get through this sentence: "Each hyperlink in the list provided when the user selects the first option in the first message of the bootstrap interaction MUST use the petname as the hypertext"

8.3.1 - Need to standardize the name of the secure portion of the UI and all references to this secure area of the UI.

"Web user agents MUST prevent web content from obscuring, hiding, or disabling security UI." - The user agent relies on many applications; does this include modification of plugins and helper apps?

"Web user agents MUST NOT expose programming interfaces which permit installation of software, or execution of privileged code without user intervention."
Received on Thursday, 27 December 2007 18:07:00 UTC
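An added example, not part of Bill Doyle's message or of the WSC draft: the message points at Apache's SSLCipherSuite as the place where a "strong enough" cipher set is configured. Apache hands that string to OpenSSL, whose cipher-list syntax has three operators with quite different effects (`!` removes a suite for good, `-` removes it but a later alias may re-add it, `+` only moves suites already selected to the end of the preference list). The model below evaluates such a string against a small constructed cipher table (names and strength classes approximate the OpenSSL tables of the time and are labelled as such in the code) and flags the suites a strong-TLS policy would reject. It exists to show what each operator does to the resulting list; to see what a particular OpenSSL release actually does with a given string, including the one quoted in the message, run `openssl ciphers -v '<string>'`.

```python
"""Model of how an OpenSSL-style cipher-list string (the value that Apache's
SSLCipherSuite passes to OpenSSL) is turned into an ordered list of suites.

Added example, not code from the original message or the WSC draft. The
cipher table and its strength classes are constructed for illustration and
only approximate the real OpenSSL tables of 2007 (e.g. DES-CBC3-SHA counted
as HIGH then); verify a real string with `openssl ciphers -v '<string>'`.
"""

# Constructed table: suite name -> aliases it matches, in OpenSSL's native
# preference order. As in OpenSSL, the ALL alias excludes eNULL suites.
CIPHER_TABLE = [
    ("ADH-AES128-SHA", {"ALL", "HIGH", "AES", "aNULL", "ADH", "kEDH"}),
    ("AES256-SHA",     {"ALL", "HIGH", "AES", "aRSA", "kRSA", "RSA"}),
    ("AES128-SHA",     {"ALL", "HIGH", "AES", "aRSA", "kRSA", "RSA"}),
    ("DES-CBC3-SHA",   {"ALL", "HIGH", "3DES", "aRSA", "kRSA", "RSA"}),
    ("RC4-SHA",        {"ALL", "MEDIUM", "RC4", "aRSA", "kRSA", "RSA"}),
    ("RC4-MD5",        {"ALL", "MEDIUM", "RC4", "aRSA", "kRSA", "RSA"}),
    ("DES-CBC-SHA",    {"ALL", "LOW", "DES", "aRSA", "kRSA", "RSA"}),
    ("EXP-RC4-MD5",    {"ALL", "EXP", "EXPORT", "RC4", "aRSA", "kRSA", "RSA"}),
    ("NULL-SHA",       {"eNULL", "NULL", "aRSA", "kRSA", "RSA"}),
]


def evaluate_cipher_list(spec):
    """Return the ordered suite list selected by `spec`, or raise ValueError
    when nothing is selected (OpenSSL reports "no cipher match" there).

    Operators, per the openssl-ciphers manual:
      word   add matching suites not already present, in table order
      !word  delete matching suites; they can never be re-added
      -word  delete matching suites; a later plain word may re-add them
      +word  move matching suites already in the list to its end
    'A+B' inside a word means a suite must match both aliases.
    """
    active = []      # current ordered selection
    killed = set()   # suites removed with '!'
    for token in spec.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        required = set(token[len(op):].split("+"))
        hits = [name for name, aliases in CIPHER_TABLE
                if required <= (aliases | {name})]
        if not hits:
            raise ValueError("unknown cipher alias: %s" % token)
        if op == "!":
            killed.update(hits)
            active = [c for c in active if c not in hits]
        elif op == "-":
            active = [c for c in active if c not in hits]
        elif op == "+":
            moved = [c for c in active if c in hits]
            active = [c for c in active if c not in hits] + moved
        else:
            active += [c for c in hits if c not in active and c not in killed]
    if not active:
        raise ValueError("no cipher match")
    return active


def weak_suites(suites):
    """Suites a 'strong TLS' policy would reject: anything outside the HIGH
    class, plus anonymous (aNULL) suites, which give no server authentication."""
    lookup = dict(CIPHER_TABLE)
    return [s for s in suites if "HIGH" not in lookup[s] or "aNULL" in lookup[s]]


def selects_nothing(spec):
    """True when `spec` leaves the selection empty (OpenSSL would refuse it)."""
    try:
        evaluate_cipher_list(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for spec in ("ALL", "ALL:!aNULL:!eNULL:!LOW:!EXP:!MEDIUM",
                 "ALL:-LOW:DES-CBC-SHA", "ALL:!LOW:DES-CBC-SHA", "ALL:+HIGH"):
        suites = evaluate_cipher_list(spec)
        print("%-40s -> %s" % (spec, ", ".join(suites)))
        print("%-40s    weak: %s" % ("", ", ".join(weak_suites(suites)) or "none"))
    print("'-ALL:+HIGH' selects nothing: %s" % selects_nothing("-ALL:+HIGH"))
```

Two points the output makes that the bare setting name does not: `!LOW` followed by a plain suite name keeps that suite out, whereas `-LOW` followed by the same name lets it back in at the bottom of the list; and `+HIGH` does not prefer the HIGH suites, it demotes them to the end of whatever was already selected, so a string that starts by removing everything and then only reorders ends up selecting nothing.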