Re: ACTION-253 - new recommendation proposal available for comment

Timothy Hahn wrote:
> 
> Hi all,
> 
> Per ACTION-253, I have provided a write-up of this proposal here: 
> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/BrowserLockDown 
> 
> 
> I believe this completes the action.

As at the f2f: I really like this. I reckon all more clever UA
proposals will depend on this being done, or else be very brittle.

One comment and one question:

This seems to call for "flat" profiles where each one specifies
all 7000 settings (at least implicitly).

Did you think about composable profiles? E.g. where a named profile
could be developed for say, active content (call that
active-content-bad) and another profile for TLS settings (call
that strict-pki), and then those might be composed, with a
few additional settings into what some banking site would like
(call that bigbank-preferred).

Essentially this is the moral equivalent of:

    $ cat bigbank-preferred.h

    #include <active-content-bad.h>
    #include <strict-pki.h>
    #define MORESTUFF
    ...

I guess the benefit would be that we could learn from one another
more easily and have more commonality, the cost is added complexity
that might (almost certainly would) turn into additional
vulnerabilities (mainly down to deliberate or accidental overriding
of selections probably).

That was the comment:-)

The question: Is there any way we can easily have these profiles
be digitally signed? (Without inventing a new protocol.) As a user
I'd like to be able to get 'em from local sysadmins, pals, the
bank itself etc and not have to make a leap-of-faith each time.
Unfortunately I think that is a new protocol. (Could we bend p3p
to do this or something? Does p3p include signatures nowadays?)

S.

Received on Thursday, 7 June 2007 10:55:09 UTC
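
The composition and the overriding risk raised in this message, as an added Python example that is not part of the original message or of the BrowserLockDown proposal: profiles include other profiles, and a value that contradicts an included profile is rejected unless the composing profile declares the override. The profile format, the setting names and values, and the `override` key are assumptions made for the illustration.

```python
class ProfileConflict(Exception):
    """Raised when composition would change a setting without saying so."""

# Constructed profiles; format, setting names and values are hypothetical.
PROFILES = {
    "active-content-bad": {"settings": {"javascript": "off", "plugins": "off"}},
    "strict-pki": {"settings": {"sslv2": "off", "revocation_check": "required"}},
    "bigbank-preferred": {
        "include": ["active-content-bad", "strict-pki"],
        "settings": {"popups": "off"},
    },
    # Re-enables a setting that an included profile locked down.
    "bigbank-broken": {
        "include": ["active-content-bad", "strict-pki"],
        "settings": {"javascript": "on"},
    },
}

def compose(name, profiles, _stack=()):
    """Return {setting: (value, defining_profile)} for the named profile."""
    if name in _stack:
        raise ProfileConflict("include cycle: " + " -> ".join(_stack + (name,)))
    profile = profiles[name]
    merged = {}
    for child in profile.get("include", []):
        inherited = compose(child, profiles, _stack + (name,))
        for key, (value, origin) in inherited.items():
            # Two included profiles disagreeing is an error, not "last one wins".
            if key in merged and merged[key][0] != value:
                raise ProfileConflict(
                    f"{name}: {key} is {merged[key][0]!r} in {merged[key][1]} "
                    f"but {value!r} in {origin}")
            merged[key] = (value, origin)
    declared = set(profile.get("override", []))
    for key, value in profile.get("settings", {}).items():
        # A local value may replace an inherited one only if declared.
        if key in merged and merged[key][0] != value and key not in declared:
            raise ProfileConflict(
                f"{name}: undeclared override of {key} from {merged[key][1]}")
        merged[key] = (value, name)
    return merged

if __name__ == "__main__":
    for setting, (value, origin) in sorted(compose("bigbank-preferred", PROFILES).items()):
        print(f"{setting} = {value}  (from {origin})")
    try:
        compose("bigbank-broken", PROFILES)
    except ProfileConflict as err:
        print("rejected:", err)
```

Recording the defining profile next to each value lets a reviewer see which named profile every effective setting came from.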