- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 2 Mar 2007 14:13:09 -0500
- To: public-wsc-wg@w3.org
- Message-ID: <OF7A45AB3E.A6319FB1-ON85257292.004AA79A-85257292.00699316@LocalDomain>
I've done a better run through the wiki to find contributors to the Note. In addition to the text below for the Acknowledgements, include Bill Doyle, Maritza Johnson, Phill Hallam-Baker, Hal Lockhart and Brad Porter. Again, if I've missed anyone, let me know. (you people are way too modest) 7.6 is missing passwords submitted via basic authentication (since that doesn't use a form). I propose adding "submitted passwords" as the first or second bullet item. 9.1.2 should mention color blindness. I propose adding the following to the end of the first paragraph - "In addition, color only cues often do not work for users who are color blind." Does anyone know if there are any standards that point that out? For instance, do accessibility standards mention that? 9.2.3 might be a little subtle for folks who haven't been in our discussions. Or maybe it's even too subtle for me. At least part of what I think it should be talking about is that the URL also represents choices made by the site/service. That's not always the creator of the referring hyperlink, though perhaps it always is when its an attack (not when it's search results?). I propose changing the first sentence to "The current web page's URL is chosen in tandem by the creator of the referring hyperlink and the owner of the web site." I further propose adding to the end of the second paragraph " While the hostname has to be registered and cannot be directly redundant with existing hostnames, there are a number of tricks that can be played to make hostnames look like something that will fool users. See the Hostname section for additional discussion." 9.2.4 - sites can also redirect to an ssl protected url. I propose adding the following: "The web site itself can also choose to redirect access to an SSL protected URL." 10.1.11 - I propose substituting "web user agents" for "browsers". That's it from me; I've done a full review pass. Has anyone else? Mez Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) Lotus/WPLC Security Strategy and Patent Innovation Architect ----- Forwarded by Mary Ellen Zurko/Westford/IBM on 03/02/2007 08:35 AM ----- Mary Ellen Zurko/Westford/IBM 02/20/2007 06:21 PM To cc Subject reviewing Note Comments on the Feb 16th draft (from the start through Section 6). The email list to send comments to needs to change to a list that's truly public. Thomas will specify. Does the Patent stuff stay? The link to the public list of any patent disclosures made in connection with this group is broken. First paragraph of overview. I'd like to see an extra sentence being more explicit about addressing both the usability and assurance of those mechanisms. I'd also like to see a ref/link to the charter in the overview as well, since certain restrictions come straight from it. I propose adding: "Those recommendations will address both the usability of those mechanisms and their robustness against spoofing attempts by web sites, as specified in the Web Security Context Working Group charter" I'd like us to add some text to the Goals section before beginning to list them. I propose: "This section outlines the goals that the working group will focus its efforts on." Section 2.4 - I propose removing the last line ("Presenting security information..."). I don't think the goal needs it, and it detracts from the goal. Section 4, "In Scope", I'd like to see a bit of introductory text. I propose: "This section outlines in broad form what aspects of web security experience, indicators and trust are within the scope of this working group." Section 4.2 - there is some redundancy there. I propose striking the third sentence as wholey redundant ("This range includes..."). And Chuck, here is a good place for you to make specific recommendations if you believe we are not adequately addressing the range of user agents in scope. They can at least be called out here. Section 6 - I'd like to have a bit more motivation and expectation framing for the use cases. I propose adding this text before the line that's there: "Use cases will ground and guide our recommendations." It seems an odd gap that 6.2 does not explicitly call out following a link provided by a person through some collaboration application, such as email, blogs, or other social networking. That case does not seem to be precisely covered by any of what is currently there. Assuming I am right, I propose the following rewording for the second sentence: "He might have followed a web link from a known site's web pages, from web application data provided by other users, or from a search engine." Section 6.3 - the implication that the user is fully aware of the implications of downloading software seems wrong to me. I propose striking the full final clause, starting with ", fully aware that...". We need an acknowlegements section. Here's the first draft of it. Please let me know who I've missed: Acknowledgments This note is based on based on input from Tyler Close, Thomas Roessler, Mary Ellen Zurko, and the members of the Web Security Context Working Group.
Received on Friday, 2 March 2007 19:13:20 UTC