- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 18 Jul 2007 22:25:23 +0200
- To: Shawn Duffy <Shawn.Duffy@corp.aol.com>
- Cc: Web Security Context WG <public-wsc-wg@w3.org>, stephen.farrell@cs.tcd.ie, pbaker@verisign.com
On 2007-07-18 13:39:00 -0400, Shawn Duffy wrote:
> Revisiting Past Decisions
> - Missing 'Applicability', 'Examples', and 'Attack Resistance and
> Limitations'
> http://www.w3.org/2006/WSC/wiki/RecRevisitingPastDecisions

Applicability

This requirement is applicable to web user agents that enable interactive trust decisions by users.

Examples

An example of a non-conforming implementation is a web user agent that enables interactive trust decisions about accepting unknown PKI trust roots, yet does not give users an interface that enables them to understand whether these have an effect on their current security context, or does not enable them to revert these decisions.

An example of a conforming implementation is a web user agent that displays a trust indicator different from the standard padlock when visiting a Web site that has shown a certificate from a PKI trust root that was accepted interactively, and makes a user interface available to revert the earlier trust decision.

Attack Resistance and Limitations

This requirement enables users to revert interactive usage errors. Such errors might be induced by impersonation attacks in which a fictitious trust root is used. Implementing the requirement does not defend against the user reaching the attacker's site in this scenario.

-- 
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 18 July 2007 20:25:31 UTC
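The conforming implementation sketched in the message above, modelled in code as an added example; this is not code from the WSC WG or from any browser. It assumes a user agent keeps interactively accepted PKI trust roots in a store separate from its built-in roots, records the site on which each was accepted, derives the trust indicator from which class of root a chain terminates in, and can drop an accepted root again. The `TrustStore`, `security_context` and `demo` names and the byte strings standing in for DER certificates are hypothetical and constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded root certificates (not real certs).
BUILTIN_ROOT_DER = b"constructed: built-in root CA"
INTERACTIVE_ROOT_DER = b"constructed: root the user accepted on example.test"
ATTACKER_ROOT_DER = b"constructed: root that was never accepted"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint identifying a root certificate in the store."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class TrustDecision:
    """Record of one interactive acceptance, bound to the context it was made in."""
    fingerprint: str
    origin: str        # site the user was visiting when accepting the root
    reason: str = ""   # free-form note shown in the revert UI


@dataclass
class TrustStore:
    builtin: set = field(default_factory=set)      # fingerprints shipped with the UA
    accepted: dict = field(default_factory=dict)   # fingerprint -> TrustDecision

    def accept_interactively(self, root_der: bytes, origin: str, reason: str = "") -> str:
        """Record a user's acceptance of an unknown root; built-in roots need no record."""
        fp = fingerprint(root_der)
        if fp not in self.builtin:
            self.accepted[fp] = TrustDecision(fp, origin, reason)
        return fp

    def revert(self, fp: str) -> bool:
        """Undo an earlier interactive decision; True if there was one to undo."""
        return self.accepted.pop(fp, None) is not None

    def classify(self, chain: list) -> str:
        """chain: DER blobs, leaf first, root last. Which class of root anchors it?"""
        fp = fingerprint(chain[-1])
        if fp in self.builtin:
            return "builtin"
        if fp in self.accepted:
            return "interactive"
        return "untrusted"


# Only built-in roots earn the standard padlock; interactively accepted roots
# get a visibly different indicator, as the requirement's conforming example asks.
INDICATOR = {
    "builtin": "padlock",
    "interactive": "padlock-with-notice",
    "untrusted": "no-padlock",
}


def security_context(store: TrustStore, chain: list) -> dict:
    """Indicator for the current page plus the interactive decisions that affect it,
    so the UI can both explain the context and offer to revert those decisions."""
    kind = store.classify(chain)
    decision = store.accepted.get(fingerprint(chain[-1]))
    return {
        "indicator": INDICATOR[kind],
        "interactive_decisions": [decision] if decision else [],
    }


def demo():
    """Walk one site through accept -> distinct indicator -> revert."""
    store = TrustStore(builtin={fingerprint(BUILTIN_ROOT_DER)})
    site_chain = [b"constructed: leaf cert for example.test", INTERACTIVE_ROOT_DER]
    before = security_context(store, site_chain)["indicator"]
    fp = store.accept_interactively(INTERACTIVE_ROOT_DER, "https://example.test",
                                    "user clicked 'accept' on a warning page")
    during = security_context(store, site_chain)
    reverted = store.revert(fp)
    after = security_context(store, site_chain)["indicator"]
    return (before, during["indicator"], during["interactive_decisions"][0].origin,
            reverted, after)


if __name__ == "__main__":
    print(demo())
```

The point of keeping `accepted` separate from `builtin` rather than merging the root into one trust list is that the separation is what makes both halves of the requirement possible: the indicator can differ because the store still knows which class the root came from, and the decision can be reverted because it was recorded as a decision, with its origin, rather than as a bare root. As the message notes, none of this stops the user from reaching the attacker's site in the first place; it only makes the earlier mistake visible and undoable.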