- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Wed, 27 Jun 2007 16:57:58 -0400
- To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, <yngve@opera.com>
- Cc: <public-wsc-wg@w3.org>
- Message-ID: <015301c7b8fd$d8c0a910$6500a8c0@dschutzer>
Secure server might be interpreted in the spirit of the SBM write up. A site that submits itself to special audit and security requirements

_____
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Wednesday, June 27, 2007 4:50 PM
To: yngve@opera.com
Cc: public-wsc-wg@w3.org
Subject: Re: What Is A Secur ePage - Templateified

Hi Yngve,

"All login forms to a secure service MUST be served from a secure server, and MUST NOT be included inside a page containing unsecure content."

To give this review (and I think this will be true for others as well), the proposal needs some definition of "secure" before this line, or needs to use another term. I gave you this feedback before, and I think it's important (my definition of something important is that it is something that will draw comments due to confusion or concern, and we can do something ahead of time to minimize those, and therefore minimize our overall overhead). So let me try another take on this problem.

The Overview and Background presume that there is some primary Security Context Indicator (SCI). What exactly it is and what exactly it represents are not defined there; the status quo and some other potential inputs to the status quo (aka the padlock) are laid out. So is "secure" meant to refer to a particular state of the SCI? As I mentioned before (I think), I can't give this a proper review with the terminology the way it is, because it's too imprecise. And I imagine others will have the same problem. And I do not think it needs to be imprecise. I think you can define a term up front that means "a user agent context where the SCI shows the highest level of security" and then use that term in recommendations like this one. But I can't quite come up with it myself. Or maybe all you mean by "secure" is "using a secure form of transport, which is reflected in the primary SCI". Or maybe you mean "protected" as in "protected in transit with a cryptographic protocol that is reflected in the SCI".

"Change from unsecure to secure parts of a service SHOULD be done by direct links, and not redirects. If unsecure->secure redirects are needed then the redirect SHOULD be immediate, and not multistep. This lets the user know where he or she is headed before initiating the transition."

This reasoning seems wrong to me. Users don't really know where they're going, and we're not encouraging the use of URLs to figure out where you're going and where you are, since they're not secure and usable SCIs.

"Clients MUST display padlock/security information in a manner that clearly separates it from what the content controls."

This should be rephrased as: "Clients MUST display any primary SCIs in a manner that clearly separates them from what the content controls."

"A client MUST NOT submit passwords from an unsecure page (even if the form is in a "secure" frame) to a secure server. Enhancement suggestion: Do not permit focus/input to the password forms field."

There is a robust discussion on this on TAG (which I believe I'm meant to do something about). See this message and the replies: http://lists.w3.org/Archives/Public/www-tag/2007Jun/0130.html This will give you a sense of the potential comments on this one. It would be good to do what we can to understand and minimize them.

"The results of immediate (within 15-30 seconds?) automatic Meta/javascript redirects SHOULD NOT get a security level higher than the original document."

Why not? I missed any explanation of this one.

"A client SHOULD NOT display a padlock (or similar security indicator) if at least one of the resources required user interaction to accept the certificate of the server or other security protocol related problem, also if the user has specified that he should not be asked about that particular site certificate again. This does not apply to root certificates installed separately by the user."

I disagree. I regularly work with certs not from a CA. I would deeply distrust any security indicator that did not claim that the IBM configured servers I work with are secure (because in fact I believe they are). That said, if there is something IBM can and should be doing to properly install our certificates on our many, many desktops, I would change my opinion. Your last sentence indicates there might be something.

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Sent by: public-wsc-wg-request@w3.org
06/23/2007 07:44 PM
To "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
cc
Subject What Is A Secur ePage - Templateified

<URL: http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage#preview >

Hello all,

I have just modified my "What is a secure page?"-proposal so that it conforms (at least roughly) to the most recent template. There may still be a couple of rough spots, and I combined the overview and background section from the template into a single section.

I added a couple of new proposals for EV, based on recent findings, as well as a comment about servers still using 512 bit RSA keys (the most recent I found are both banks).

Comments and suggestions?

--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve@opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 60 Fax: +47 24 16 40 01
********************************************************************
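Three of the proposal lines quoted in the thread (login forms served from a secure server, no unsecure content on the page that carries them, and no password submission from an unsecure page to a secure server) can be expressed as a static check over a page's HTML. The script below is an added example for this archive page, not code from the WSC proposal, the working group or Opera; the sample pages, host names and the rule wording in the findings are constructed for illustration, and it judges "unsecure" purely by URL scheme (http versus https), which is the narrow transport reading Mary Ellen asks about rather than any SCI state.

```python
"""Static check of login pages against the 'secure page' login rules
discussed on the WSC list.  Added example; the sample documents below
are constructed, not taken from any real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageCollector(HTMLParser):
    """Collect forms (with a password-field flag) and subresource URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each: {"action": str, "has_password": bool}
        self.subresources = []   # raw src/href values of scripts, images, frames, links
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True
        elif tag in ("script", "img", "iframe", "frame") and a.get("src"):
            self.subresources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.subresources.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_page(page_url, html):
    """Return a list of rule-violation strings; empty means the page is clean.

    page_url is the URL of the top-level document.  A form inside a frame is
    judged by the top-level page, matching the proposal's "even if the form
    is in a secure frame" wording.
    """
    collector = _PageCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []

    for form in collector.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # resolve relative actions
        if page_scheme != "https":
            # Rule: no password submission from an unsecure page.
            findings.append(f"password form served from unsecure page {page_url}")
        if urlsplit(action).scheme != "https":
            # Rule: login forms belong to a secure server.
            findings.append(f"password form submits to unsecure target {action}")

    if page_scheme == "https":
        # Rule: a secure page must not pull in unsecure content.
        for src in collector.subresources:
            full = urljoin(page_url, src)
            if urlsplit(full).scheme == "http":
                findings.append(f"unsecure subresource on secure page: {full}")
    return findings


# Constructed sample documents (hypothetical hosts).
SECURE_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><form action="/login" method="post">
<input name="user"><input type="password" name="pw"></form></body></html>"""

MIXED_PAGE = """<html><body><img src="http://cdn.example/logo.png">
<form action="https://bank.example/login" method="post">
<input type="password" name="pw"></form></body></html>"""

UNSECURE_LOGIN_PAGE = """<html><body>
<form action="https://bank.example/login" method="post">
<input type="password" name="pw"></form></body></html>"""


if __name__ == "__main__":
    for url, doc in [("https://bank.example/login", SECURE_PAGE),
                     ("https://bank.example/login", MIXED_PAGE),
                     ("http://www.bank.example/", UNSECURE_LOGIN_PAGE)]:
        print(url, check_page(url, doc) or "OK")
```

The first sample passes, the second is flagged for the plain-http image on an https page, and the third is flagged because the password form is served from an http page even though it posts to an https target, which is exactly the case the quoted "MUST NOT submit passwords from an unsecure page" line addresses.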
Received on Wednesday, 27 June 2007 20:58:36 UTC