Re: What Is A Secur ePage - Templateified

Hi Yngve,

"All login forms to a secure service MUST be served from a secure server, 
and MUST NOT be included inside a page containing unsecure content. "

To give this review (and I think this will be true for others as well), 
the proposal needs some definition of "secure" before this line, or needs 
to use another term. I gave you this feedback before, and I think it's 
important (my definition of something important is that it is something 
that will draw comments due to confusion or concern, and we can do 
something ahead of time to minimize those, and therefore minimize our 
overall overhead). So let me try another take on this problem. 

The Overview and Background presume that there is some primary Security 
Context Indicator (SCI). What exactly it is and what exactly it represents 
are not defined there; the status quo and some other potential inputs to 
the status quo (aka the padlock) are laid out. So is "secure" meant to 
refer to a particular state of the SCI? As I mentioned before (I think), I 
can't give this a proper review with the terminology the way it is, 
because it's too imprecise. And I imagine others will have the same 
problem. And I do not think it needs to be imprecise. I think you can 
define a term up front that means "a user agent context where the SCI 
shows the highest level of security" and then use that term in 
recommendations like this one. But I can't quite come up with it myself. 

Or maybe all you mean by "secure" is "using a secure form of transport, 
which is reflected in the primary SCI". Or maybe you mean "protected" as 
in "protected in transit with a cryptographic protocol that is reflected 
in the SCI". 


"Change from an unsecure to secure parts of a service SHOULD be done by 
direct links, and not redirects. If unsecure->secure redirects are needed 
then the redirect SHOULD be immediate, and not multistep. This lets the 
user know where he or she is headed before initiating the transition. "

This reasoning seems wrong to me. Users don't really know where they're 
going, and we're not encouraging the use of URLs to figure out where 
you're going and where you are, since they're not secure and usable SCIs. 

"Clients MUST display padlock/security information in a manner that 
clearly separates it from what the content controls."

This should be rephrased as: 

"Clients MUST display any primary SCIs in a manner that clearly separates 
them from what the content controls."

"A client MUST NOT submit passwords from an unsecure page (even if the 
form is in a "secure" frame) to a secure server. Enhancement suggestion: 
Do not permit focus/input to the password form field. "

There is a robust discussion on this on TAG (which I believe I'm meant to 
do something about). See this message and the replies: 
http://lists.w3.org/Archives/Public/www-tag/2007Jun/0130.html
This will give you a sense of the potential comments on this one. It would 
be good to do what we can to understand and minimize them. 

"The results of immediate (within 15-30 seconds?) automatic 
Meta/javascript redirects SHOULD NOT get a security level higher than the 
original document. "

Why not? I missed any explanation of this one. 

"A client SHOULD NOT display a padlock (or similar security indicator) if 
at least one of the resources required user interaction to accept the 
certificate of the server or other security protocol related problem, also 
if the user has specified that he should not be asked about that 
particular site certificate again. This does not apply to root 
certificates installed separately by the user. "

I disagree. I regularly work with certs not from a CA. I would deeply 
distrust any security indicator that did not claim that the IBM configured 
servers I work with are secure (because in fact I believe they are). That 
said, if there is something IBM can and should be doing to properly 
install our certificates on our many, many desktops, I would change my 
opinion. Your last sentence indicates there might be something. 

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> 
Sent by: public-wsc-wg-request@w3.org
06/23/2007 07:44 PM

To
"public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
cc

Subject
What Is A Secur ePage - Templateified

<URL: http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#preview >

Hello all,

I have just modified my "What is a secure page?"-proposal so that it 
conforms (at least roughly) to the most recent template.

There may still be a couple of rough spots, and I combined the overview 
and background section from the template into a single section.

I added a couple of new proposals for EV, based on recent findings, as 
well as a comment about servers still using 512 bit RSA keys (the most 
recent I found are both banks).

Comments and suggestions?

-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Wednesday, 27 June 2007 20:49:46 UTC
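The two rules argued over above (login forms must be served from a secure server and not sit inside an unsecure page, and a client must not submit a password from an unsecure page even when the form is in a "secure" frame) can be checked mechanically. The following is an added example, not code from this thread or from the WSC proposal it discusses: a small audit that classifies password forms against those rules and a submit gate built on it. The form descriptors, the hostnames under `.example` and the finding codes are all constructed for the example; in a browser the same fields would be read from `document.forms`, the frame ancestor chain and the page's loaded subresources.

```javascript
// Added example (not part of the mailing-list thread or the WSC proposal):
// audit password forms against the "secure page" rules quoted in the thread.
// Field names (documentUrl, ancestorDocumentUrls, subresourceUrls, ...) are
// this example's own descriptor format, not a browser API.

const SECURE_SCHEMES = new Set(["https:"]);

function isSecureUrl(urlString) {
  try {
    return SECURE_SCHEMES.has(new URL(urlString).protocol);
  } catch (e) {
    return false; // an unparsable URL is treated as not secure
  }
}

// Returns the list of finding codes for one form; an empty list means the
// form satisfies every rule checked here. Only password forms are in scope.
function auditLoginForm(form) {
  const findings = [];
  if (!form.hasPasswordField) return findings;

  // Rule: the login form MUST be served from a secure server.
  if (!isSecureUrl(form.documentUrl)) findings.push("form-document-insecure");

  // Rule: MUST NOT be included inside a page containing unsecure content.
  // An http ancestor frame is the "secure frame inside an unsecure page" case;
  // an http subresource is mixed content on the form's own page.
  for (const ancestor of form.ancestorDocumentUrls || []) {
    if (!isSecureUrl(ancestor)) { findings.push("ancestor-document-insecure"); break; }
  }
  for (const sub of form.subresourceUrls || []) {
    if (!isSecureUrl(sub)) { findings.push("mixed-content-on-page"); break; }
  }

  // Rule: the password must not travel over an insecure transport.
  // A relative action resolves against the form's own document URL.
  let action = null;
  try { action = new URL(form.action || "", form.documentUrl).href; } catch (e) { /* stays null */ }
  if (action === null || !isSecureUrl(action)) findings.push("action-insecure");

  return findings;
}

// Client-side gate for "A client MUST NOT submit passwords from an unsecure
// page ... to a secure server": block the submit when any rule fails.
function shouldBlockSubmit(form) {
  return auditLoginForm(form).length > 0;
}

function auditAll(forms) {
  return forms.map((f) => ({ id: f.id, findings: auditLoginForm(f) }));
}

// Constructed sample forms; the .example hostnames are placeholders.
const SAMPLE_FORMS = [
  { id: "ok", documentUrl: "https://login.example/", action: "/session",
    hasPasswordField: true, ancestorDocumentUrls: [], subresourceUrls: ["https://cdn.example/app.js"] },
  // Password form on an http page posting to an https server: the case the thread debates.
  { id: "http-page", documentUrl: "http://www.example/", action: "https://login.example/session",
    hasPasswordField: true },
  // https login frame embedded in an http page.
  { id: "framed", documentUrl: "https://login.example/frame", action: "/session",
    hasPasswordField: true, ancestorDocumentUrls: ["http://www.example/"] },
  // https page that also loads an http script.
  { id: "mixed", documentUrl: "https://login.example/", action: "/session",
    hasPasswordField: true, subresourceUrls: ["http://cdn.example/tracker.js"] },
  // Plain search form: no password field, so out of scope.
  { id: "search", documentUrl: "http://www.example/", action: "/find", hasPasswordField: false },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditAll(SAMPLE_FORMS)) {
    console.log(r.id + ": " + (r.findings.join(", ") || "ok"));
  }
}
```

The "http-page" sample is the situation the "MUST NOT submit passwords from an unsecure page" rule targets: the action is https, so the password is encrypted in transit, but the page that carries the form was delivered over http and could have been altered before the user ever saw it, which is why the audit still reports it.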