RE: P3P, , Internet filters and WAI

   Late Thursday afternoon (holiday week (US) :  Meant: Hello All. Cheers - rob

________________________________

From: public-wsc-wg-request@w3.org on behalf of Robert Yonaitis
Sent: Thu 7/5/2007 4:54 PM
To: dan.schutzer@fstc.org; Serge Egelman; public-wsc-wg-request@w3.org
Cc: Mary Ellen Zurko; Web Security Context WG; Dan Schutzer
Subject: RE: P3P, , Internet filters and WAI


Hello Al: To be clear, I agree with Serge's second statement again and I want to restate that the value I see is that it provides a "nice" secondary data point as to the site being referenced. either in the Link Rel, header, and/or P3P file. The more information available to detect phishing the better. I think the statement again that we support w3c technologies is great and whether tool makers wish to implement P3P is another thing. I think the value is machine readable validation and I think it is a "Nice to have" 
 
Cheers!
 
 

________________________________

From: Daniel Schutzer [mailto:dan.schutzer@fstc.org]
Sent: Thu 7/5/2007 4:21 PM
To: Serge Egelman; public-wsc-wg-request@w3.org; Robert Yonaitis
Cc: Mary Ellen Zurko; Web Security Context WG; Dan Schutzer
Subject: Re: P3P, , Internet filters and WAI



I agree. I have worked with P3P. There are 2 major problems wrt adapting it to our work

1. P3P involves writing a policy wrt what info you are collecting, what you are using the info for, who you are sharing this info with and what they are using it for. This is not about security and would have to be subtantially expanded. A website could be collecting and safeguarding info securely and using it in a manner that violates a users privacy concerns. Conversely, a website could be respecting a users privacy concerns but not securely collecting and storing the info

2. Privacy is about intentions and depending upon how much you trust the web service provider is how much you believe the websites assertions regarding their handling of sensitive personal info. Security should be more measurable and not relliant on a website declaring that it is secure


Dan
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Serge Egelman <egelman@cs.cmu.edu>

Date: Thu, 05 Jul 2007 13:39:47
To:Robert Yonaitis <ryonaitis@hisoftware.com>
Cc:Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>,       Web Security Context WG <public-wsc-wg@w3.org>
Subject: Re: P3P, , Internet filters and WAI



The problem with doing anything with P3P in this context is that the
website sets their own policy.  Thus, if we make some "secure" indicator
in browser chrome, we're now allowing the website to modify this trusted
indicator, which we already agreed is a bad way to go.

serge

Robert Yonaitis wrote:
> Hello All:
>
> First P3P: I think if we ever consider a checklist or validation tool of a sort to validate the security context of a site then this indicator, in general, is a machine readable privacy policy which is a form (IMHO) of personal data security. "Machine Readable" is also huge the P3P file (or server headers) could be used to validate site information for security context as well. Being machine readable it would yet be another way to validate other security context. However - this again is a matter of how do we validate compliance or even if we want to be in that business.
>
>
> Next WAI: The WAI mentions on this list, which I thought were important from day one ARE Important, however, I just think everything this group does or suggests should be accessible. It is 2007 :)  This includes the note, recommendations, downloads, supporting information and presentations. Any company providing a user agent should provide an accessible solution. Following Canada and the EU logic: It is a human rights issue versus just a technology issue. Canada sees CLF as a Human Rights response addressing Accessibility, Languages and more. A good example would be the question of colour. Colour Specific could be Colour + Value specific and have alternatives.
>
> Because of this I think that stating developing to W3C Standards is the best way to go, as P3P and WAI are both valid groups with testable standards. (WCAG 1.0) why not include both of them as a best practice?
>
> Just my 2 cents on these two items.
>
> Cheers,
> Rob
>
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
> Sent: Thursday, July 05, 2007 1:08 PM
> To: Mary Ellen Zurko
> Cc: Web Security Context WG
> Subject: Re: ISSUE-92: P3P and Internet filters
>
>
> I'm not entirely sure either; it would seem that this is out of scope.
> If a site has P3P, that really isn't security context information.  A
> phishing site can just as easily post a P3P policy (hey, if they're
> already breaking laws, why worry about FTC sanctions?).  P3P is for
> disclosing practices regarding personal information, it was never meant
> for security.
>
> serge
>
> Mary Ellen Zurko wrote:
>> I don't understand thsi topic. Can you give some examples? Or does
>> someone else understand this and what the issues are?
>>
>>
>>
>> *Web Security Context Issue Tracker <dean+cgi@w3.org>*
>> Sent by: public-wsc-wg-request@w3.org
>>
>> 07/02/2007 07:53 AM
>> Please respond to
>> Web Security Context WG <public-wsc-wg@w3.org>
>>
>>
>>     
>> To
>>      public-wsc-wg@w3.org
>> cc
>>     
>> Subject
>>      ISSUE-92: P3P and Internet filters
>>
>>
>>     
>>
>>
>>
>>
>>
>>
>>
>> ISSUE-92: P3P and Internet filters
>>
>> http://www.w3.org/2006/WSC/Group/track/issues/92

>>
>> Raised by: Bruno von Niman
>> On product: Note: use cases etc.
>>
>> The activity should strive for compatibility and consistency with the
>> W3C P3P
>> specifications and compatibility with currently used Internet filters,
>> in order
>> to satisfy basic consumer requirements on reliability, accessibility,
>> usability
>> and security.
>> As a piece of useful input, we recommend ANECâEUR(tm)s study of Internet
>> filters (ANEC-
>> R&T-2006-ICT-002), downloadable from www.anec.org.
>>
>>
>>
>>
>>
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/





The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above.  Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient.  If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal.  Thank you.





The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above.  Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient.  If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal.  Thank you.

Received on Thursday, 5 July 2007 21:09:15 UTC