- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Tue, 6 Mar 2007 11:01:16 -0800 (PST)
- To: W3C WSC Public <public-wsc-wg@w3.org>
Hello all,

As discussed on today's call, I have taken the action to initiate discussion of a proposed change to the note/recs to more explicitly include mention of auxiliary security technologies that may be relevant within the user's context. If you are lazy, you may skip down to the ***, where I get to the point.

The two that were discussed specifically in the call were:

- SRP (ref: http://en.wikipedia.org/wiki/Secure_remote_password_protocol).
- RSA-style 2-factor authentication (ref: http://en.wikipedia.org/wiki/Two_Factor_Authentication and for our purposes, particularly http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types )

The question is, what role (if any) do these technologies play in our recommendations. Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New security information) would seem to argue for a limited role. We don't want to go down the path of investigating each of these protocols and making judgements based on their fitness.

I was initially inclined to approach this in terms of adding a subsection to section 7, but:

a) It would be extremely difficult to make this list even remotely exhaustive. Bolt-on web security augmentation is, I'm sure, a thriving multinational industry.

b) Much of it would not pass the preamble to section 7 ("This section provides an exhaustive list of security information *currently available* in web user agents." [emphasis added]) User agent support for SRP is (afaik) non-existent, and two-factor authentication, while widely deployed, is not available to the user agent in any consistent way. There is not, e.g., a <link rel="application/2factorauth".../> standard markup.

***

My proposal therefore is to close the action with no change to the note or recommendations unless there are specific technologies in this category which are:

a) available to the user agent in some cross-platform way
b) already deployed

I am, of course, open to discussion on the matter. :)

Cheers,
Johnathan

--
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Tuesday, 6 March 2007 18:55:11 UTC