- From: Timothy Hahn <hahnt@us.ibm.com>
- Date: Tue, 13 Mar 2007 10:52:41 -0400
- To: W3C WSC Public <public-wsc-wg@w3.org>
- Message-ID: <OFD6D698B0.BE326B25-ON8525729D.00516BF4-8525729D.0051BA8B@us.ibm.com>
Mez, I like the additional wording you have proposed. Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Durham/IBM@IBMUS phone: 919.224.1565 tie-line: 8/687.1565 fax: 919.224.2530 "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> Sent by: public-wsc-wg-request@w3.org 03/13/07 09:03 AM To "Johnathan Nightingale <johnath" cc W3C WSC Public <public-wsc-wg@w3.org> Subject Re: ACTION-148 Discussion: The role of technology-specific security aids in our recommendations Your logic is impecable. However, I remain uncomfortable with the Note seeming to be silent on technologies that can reduce risk so that user understanding of security context is lessened (or eliminated). So I propose the following change to 2.6: Authoring and deployment techniques The Working Group will recommend authoring and deployment techniques that cause appropriate security information to be communicated to users. Techniques already available at authoring and deployment time which reduce the need for communication of security information to the user will be considered in the recommendations. Johnathan Nightingale <johnath@mozilla.com> Sent by: public-wsc-wg-request@w3.org 03/06/2007 02:01 PM To W3C WSC Public <public-wsc-wg@w3.org> cc Subject ACTION-148 Discussion: The role of technology-specific security aids in our recommendations Hello all, As discussed on today's call, I have taken the action to initiate discussion of a proposed change to the note/recs to more explicitly include mention of auxiliary security technologies that may be relevant within the user's context. If you are lazy, you may skip down to the ***, where I get to the point. The two that were discussed specifically in the call were: - SRP (ref: http://en.wikipedia.org/wiki/Secure_remote_password_protocol). - RSA-style 2-factor authentication (ref: http://en.wikipedia.org/wiki/Two_Factor_Authentication and for our purposes, particularly http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types ) The question is, what role (if any) do these technologies play in our recommendations. Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New security information) would seem to argue for a limited role. We don't want to go down the path of investigating each of these protocols and making judgements based on their fitness. I was initially inclined to approach this in terms of adding a subsection to section 7, but: a) It would extremely difficult to make this list even remotely exhaustive. Bolt-on web security augmentation is, I'm sure, a thriving multinational industry. b) Much of it would not pass the preamble to section 7 ("This section provides an exhaustive list of security information *currently available* in web user agents." [emphasis added]) User agent support for SRP is (afaik) non-existent, and two-factor authentication, while widely deployed, is not available to the user agent in any consistent way. There is not, e.g., a <link rel="application/2factorauth".../> standard markup. *** My proposal therefore is to close the action with no change to the note or recommendations unless there are specific technologies in this category which are: a) available to the user agent in some cross-platform way b) already deployed I am, of course, open to discussion on the matter. :) Cheers, Johnathan -- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Tuesday, 13 March 2007 14:53:54 UTC