ACTION-148 Discussion: The role of technology-specific security aids in our recommendations

Hello all,

As discussed on today's call, I have taken the action to initiate discussion of a proposed change to the note/recs to more explicitly include mention of auxiliary security technologies that may be relevant within the user's context.  If you are lazy, you may skip down to the ***, where I get to the point.  

The two that were discussed specifically in the call were:
 - SRP (ref: http://en.wikipedia.org/wiki/Secure_remote_password_protocol).
 - RSA-style 2-factor authentication (ref: http://en.wikipedia.org/wiki/Two_Factor_Authentication and for our purposes, particularly http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types )

The question is, what role (if any) do these technologies play in our recommendations.

Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New security information) would seem to argue for a limited role.  We don't want to go down the path of investigating each of these protocols and making judgements based on their fitness.

I was initially inclined to approach this in terms of adding a subsection to section 7, but:

a) It would be extremely difficult to make this list even remotely exhaustive.  Bolt-on web security augmentation is, I'm sure, a thriving multinational industry.

b) Much of it would not pass the preamble to section 7 ("This section provides an exhaustive list of security information *currently available* in web user agents." [emphasis added])  User agent support for SRP is (afaik) non-existent, and two-factor authentication, while widely deployed, is not available to the user agent in any consistent way.  There is not, e.g., a <link rel="application/2factorauth".../> standard markup.

*** 
My proposal therefore is to close the action with no change to the note or recommendations unless there are specific technologies in this category which are:

a) available to the user agent in some cross-platform way
b) already deployed

I am, of course, open to discussion on the matter.  :)

Cheers,

Johnathan

-- 
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Tuesday, 6 March 2007 18:55:11 UTC