- From: Daniel Schutzer <dan.schutzer@fstc.org>
- Date: Thu, 5 Jul 2007 20:21:22 +0000
- To: "Serge Egelman" <egelman@cs.cmu.edu>, public-wsc-wg-request@w3.org, "Robert Yonaitis" <ryonaitis@hisoftware.com>
- Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Web Security Context WG" <public-wsc-wg@w3.org>, "Dan Schutzer" <dan.schutzer@fstc.org>
I agree. I have worked with P3P. There are 2 major problems wrt adapting it to our work:

1. P3P involves writing a policy wrt what info you are collecting, what you are using the info for, who you are sharing this info with and what they are using it for. This is not about security and would have to be substantially expanded. A website could be collecting and safeguarding info securely and using it in a manner that violates a user's privacy concerns. Conversely, a website could be respecting a user's privacy concerns but not securely collecting and storing the info.

2. Privacy is about intentions, and depending upon how much you trust the web service provider is how much you believe the website's assertions regarding their handling of sensitive personal info. Security should be more measurable and not reliant on a website declaring that it is secure.

Dan

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Serge Egelman <egelman@cs.cmu.edu>
Date: Thu, 05 Jul 2007 13:39:47
To: Robert Yonaitis <ryonaitis@hisoftware.com>
Cc: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, Web Security Context WG <public-wsc-wg@w3.org>
Subject: Re: P3P, , Internet filters and WAI

The problem with doing anything with P3P in this context is that the website sets their own policy. Thus, if we make some "secure" indicator in browser chrome, we're now allowing the website to modify this trusted indicator, which we already agreed is a bad way to go.

serge

Robert Yonaitis wrote:
> Hello All:
>
> First P3P: I think if we ever consider a checklist or validation tool of a sort to validate the security context of a site then this indicator, in general, is a machine readable privacy policy which is a form (IMHO) of personal data security. "Machine Readable" is also huge; the P3P file (or server headers) could be used to validate site information for security context as well. Being machine readable it would yet be another way to validate other security context.
> However - this again is a matter of how do we validate compliance or even if we want to be in that business.
>
> Next WAI: The WAI mentions on this list, which I thought were important from day one ARE Important; however, I just think everything this group does or suggests should be accessible. It is 2007 :) This includes the note, recommendations, downloads, supporting information and presentations. Any company providing a user agent should provide an accessible solution. Following Canada and the EU logic: It is a human rights issue versus just a technology issue. Canada sees CLF as a Human Rights response addressing Accessibility, Languages and more. A good example would be the question of colour. Colour Specific could be Colour + Value specific and have alternatives.
>
> Because of this I think that stating developing to W3C Standards is the best way to go, as P3P and WAI are both valid groups with testable standards (WCAG 1.0). Why not include both of them as a best practice?
>
> Just my 2 cents on these two items.
>
> Cheers,
> Rob
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
> Sent: Thursday, July 05, 2007 1:08 PM
> To: Mary Ellen Zurko
> Cc: Web Security Context WG
> Subject: Re: ISSUE-92: P3P and Internet filters
>
> I'm not entirely sure either; it would seem that this is out of scope. If a site has P3P, that really isn't security context information. A phishing site can just as easily post a P3P policy (hey, if they're already breaking laws, why worry about FTC sanctions?). P3P is for disclosing practices regarding personal information; it was never meant for security.
>
> serge
>
> Mary Ellen Zurko wrote:
>> I don't understand this topic. Can you give some examples? Or does someone else understand this and what the issues are?
>>
>> *Web Security Context Issue Tracker <dean+cgi@w3.org>*
>> Sent by: public-wsc-wg-request@w3.org
>> 07/02/2007 07:53 AM
>> Please respond to Web Security Context WG <public-wsc-wg@w3.org>
>> To: public-wsc-wg@w3.org
>> cc:
>> Subject: ISSUE-92: P3P and Internet filters
>>
>> ISSUE-92: P3P and Internet filters
>>
>> http://www.w3.org/2006/WSC/Group/track/issues/92
>>
>> Raised by: Bruno von Niman
>> On product: Note: use cases etc.
>>
>> The activity should strive for compatibility and consistency with the W3C P3P specifications and compatibility with currently used Internet filters, in order to satisfy basic consumer requirements on reliability, accessibility, usability and security.
>> As a piece of useful input, we recommend ANEC's study of Internet filters (ANEC-R&T-2006-ICT-002), downloadable from www.anec.org.
>>

--
/*
Serge Egelman
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 5 July 2007 20:21:33 UTC