- From: Thomas Roessler <tlr@w3.org>
- Date: Sat, 7 Jul 2007 00:35:14 +0200
- To: michael.mccormick@wellsfargo.com
- Cc: johnath@mozilla.com, public-wsc-wg@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com

On 2007-07-06 17:19:12 -0500, michael.mccormick@wellsfargo.com wrote:

> You raise good questions about a couple specific aspects of the
> sample page scoring formula I offered, but please keep in mind it
> was offered as an example. It definitely needs thorough risk
> analysis, testing, and refinement. I would not oppose removing
> the local host file element, for example, although it's something
> we should discuss first as a group.

My point wasn't about the specific aspects -- I meant these as examples of a more generic issue, namely, that such a scoring mechanism will ideally be whatever is best suited to recognize attacks.

There is of course a part to that formula which is based on factors that cannot be triggered by the attacker (assuming, e.g., that an attacker can't produce an EV certificate with chosen information, seems safe). There is, however, another part that relies on information that can (and will) be tuned by the attacker. This part will need to be adapted as attacks evolve -- or might even turn out to be useless in the end of the day, or best used through an interactive service.

> That said, I do feel WSC should offer a specific formula (while
> opening the door wide to innovation from others) so I would
> oppose "punting". There should be an industry standard default
> scoring formula. The formula is the missing link between our
> detailed page security info and our primary SCI.

Leaving the concerns as to whether or not these kinds of advanced heuristics are actually in our scope aside for the moment, I'd say that the "tuned by the attacker" inputs better shouldn't show up in that formula.

I'd suspect that it would then turn into a set of basic profiles of using existing security technology that lead to certain user communication. EV certificates and letterheads are actually examples of that approach. I wonder if a security score really has much to add over these kinds of approaches when you leave out the possibly attacker-chosen inputs...

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Friday, 6 July 2007 22:35:55 UTC