- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 07 Jun 2007 11:56:39 +0100
- To: Timothy Hahn <hahnt@us.ibm.com>
- Cc: public-wsc-wg@w3.org
Timothy Hahn wrote: > > Hi all, > > Per ACTION-253, I have provided a write-up of this proposal here: > http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/BrowserLockDown > > > I believe this completes the action. As at the f2f: I really like this. I reckon all more clever UA proposals will depend on this being done, or else be very brittle. One comment and one question: This seems to call for "flat" profiles where each one specifies all 7000 settings (at least implicitly). Did you think about composable profiles? E.g. where a named profile could be developed for say, active content (call that active-content-bad) and another profile for TLS settings (call that strict-pki), and then those might be composed, with a few additional settings into what some banking site would like (call that bigbank-preferred). Essentially this is the moral equivalent of: $ cat bigbank-preferred.h #include <active-content-bad.h> #include <strict-pki.h> #define MORESTUFF ... I guess the benefit would be that we could learn from one another more easily and have more commonality, the cost is added complexity that might (almost certainly would) turn into additional vulnerabilities (mainly down to deliberate or accidental overriding of selections probably). That was the comment:-) The question: Is there any way we can easily have these profiles be digitally signed? (Without inventing a new protocol.) As a user I'd like to be able to get 'em from local sysadmins, pals, the bank itself etc and not have to make a leap-of-faith each time. Unfortunately I think that is a new protocol. (Could we bend p3p to do this or something? Does p3p include signatures nowadays?) S.
Received on Thursday, 7 June 2007 10:55:09 UTC