Re: What we're trying to protect... from Stephen Farrell on 2007-02-12 (public-wsc-wg@w3.org from February 2007)

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 12 Feb 2007 18:00:23 +0000
To: Brad Porter <brad@tellme.com>
CC: "W3C Security (Public)" <public-wsc-wg@w3.org>
Message-ID: <45D0AB37.2080408@cs.tcd.ie>

What I mean is that users and sites sometimes also have an
interest in data they send being kept confidential; a site may 
separately have a requirement that the data it sends be
kept confidential (at least while in transit).

Can't think of an important case where only confidentiality is
needed offhand, so I guess confid. is perhaps only required
in conjunction with some kind(s) of peer-entity-authentication.

Use case: medical worker accesses patient records. Regardless
of what authentication requirements are, there is a requirement
that we can basically only really meet by encrypting. And I
would guess that everyone involved would have this requirement,
the site, the medical worker and the patient (and regulators).

S.

Brad Porter wrote:
> Everything we're talking about thus far is browser making statements to 
> the user about a site.  So I'm not sure confidentiality applies, but 
> perhaps you can expand?
> 
> --Brad
> 
> Stephen Farrell wrote:
>>
>> Doesn't that ignore confidentiality requirements? (Although I like
>> the line of thinking.)
>>
>> Brad Porter wrote:
>>>
>>> In general, with the web, the goal of security is to transparently 
>>> protect the user.  Browsers that support sandboxing are trying to 
>>> transparently protect the user from malicious applications.   The 
>>> only two cases where the browser needs to make any assertions to the 
>>> user are the following:
>>>
>>> 1) Establishing the veracity of the information on a site
>>> 2) Establishing that you are submitting your information to the party 
>>> you intended
>>>
>>> I would argue that people are generally aware of the veracity of any 
>>> information on the web is questionable.  So the question becomes, are 
>>> we trying to make any statements about the veracity of information on 
>>> a site?  If not, then we can punt on #1 and focus instead on #2.
>>>
>>> Number two only occurs when submitting information and is a very 
>>> active instead of passive act.  (I'm intentionally ignoring 
>>> click-stream type data leaks as they could be handled by proper 
>>> sandbox restrictions.)  This suggests that for 98% of what people do, 
>>> they don't need any security indicators from the browser.  They only 
>>> need to verity the security when submitting their data.  This 
>>> suggests that presentation of security context information could be 
>>> late-binding instead of omnipresent and integrated into the task-flow 
>>> instead of passive, which might help address a number of the problems 
>>> with the current mechanisms.
>>>
>>> --Brad
>>>
>>>
>>
>

Received on Monday, 12 February 2007 17:59:29 UTC