- From: Robert Yonaitis <ryonaitis@hisoftware.com>
- Date: Thu, 5 Jul 2007 13:47:24 -0400
- To: "Serge Egelman" <egelman@cs.cmu.edu>
- Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Web Security Context WG" <public-wsc-wg@w3.org>

Serge, from that perspective on P3P I would agree with your statement. This is because the second statement is not a value judgment on P3P but simply on how to display the information and who can modify trusted indicators. It would be another thing if we were going to say that this additional data point could help in setting trust or not help.

A different angle: I doubt that DHS will cease the use of P3P as a policy or security context because the WSC-wg has any position on it whatsoever.

Cheers,
rob

-----Original Message-----
From: Serge Egelman [mailto:egelman@cs.cmu.edu]
Sent: Thursday, July 05, 2007 1:40 PM
To: Robert Yonaitis
Cc: Mary Ellen Zurko; Web Security Context WG
Subject: Re: P3P, , Internet filters and WAI

The problem with doing anything with P3P in this context is that the website sets their own policy. Thus, if we make some "secure" indicator in browser chrome, we're now allowing the website to modify this trusted indicator, which we already agreed is a bad way to go.

serge

Robert Yonaitis wrote:
> Hello All:
>
> First P3P: I think if we ever consider a checklist or validation tool of a sort to validate the security context of a site then this indicator, in general, is a machine readable privacy policy which is a form (IMHO) of personal data security. "Machine Readable" is also huge the P3P file (or server headers) could be used to validate site information for security context as well. Being machine readable it would yet be another way to validate other security context. However - this again is a matter of how do we validate compliance or even if we want to be in that business.
>
> Next WAI: The WAI mentions on this list, which I thought were important from day one ARE Important, however, I just think everything this group does or suggests should be accessible. It is 2007 :) This includes the note, recommendations, downloads, supporting information and presentations. Any company providing a user agent should provide an accessible solution.
> Following Canada and the EU logic: It is a human rights issue versus just a technology issue. Canada sees CLF as a Human Rights response addressing Accessibility, Languages and more. A good example would be the question of colour. Colour Specific could be Colour + Value specific and have alternatives.
>
> Because of this I think that stating developing to W3C Standards is the best way to go, as P3P and WAI are both valid groups with testable standards. (WCAG 1.0) why not include both of them as a best practice?
>
> Just my 2 cents on these two items.
>
> Cheers,
> Rob
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
> Sent: Thursday, July 05, 2007 1:08 PM
> To: Mary Ellen Zurko
> Cc: Web Security Context WG
> Subject: Re: ISSUE-92: P3P and Internet filters
>
> I'm not entirely sure either; it would seem that this is out of scope.
> If a site has P3P, that really isn't security context information. A
> phishing site can just as easily post a P3P policy (hey, if they're
> already breaking laws, why worry about FTC sanctions?). P3P is for
> disclosing practices regarding personal information, it was never meant
> for security.
>
> serge
>
> Mary Ellen Zurko wrote:
>> I don't understand this topic. Can you give some examples? Or does
>> someone else understand this and what the issues are?
>>
>> *Web Security Context Issue Tracker <dean+cgi@w3.org>*
>> Sent by: public-wsc-wg-request@w3.org
>>
>> 07/02/2007 07:53 AM
>> Please respond to
>> Web Security Context WG <public-wsc-wg@w3.org>
>>
>> To: public-wsc-wg@w3.org
>> cc:
>> Subject: ISSUE-92: P3P and Internet filters
>>
>> ISSUE-92: P3P and Internet filters
>>
>> http://www.w3.org/2006/WSC/Group/track/issues/92
>>
>> Raised by: Bruno von Niman
>> On product: Note: use cases etc.
>>
>> The activity should strive for compatibility and consistency with the W3C P3P
>> specifications and compatibility with currently used Internet filters, in order
>> to satisfy basic consumer requirements on reliability, accessibility, usability
>> and security.
>> As a piece of useful input, we recommend ANEC’s study of Internet filters
>> (ANEC-R&T-2006-ICT-002), downloadable from www.anec.org.

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Thursday, 5 July 2007 17:47:30 UTC