- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Tue, 13 Mar 2007 12:37:04 -0400
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: W3C WSC Public <public-wsc-wg@w3.org>
Suits me. And apologies for missing the meeting today, travel is
getting the better of me. :)
Does this close 148?
Cheers,
J
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
On 13-Mar-07, at 9:03 AM, Mary Ellen Zurko wrote:
>
> Your logic is impeccable.
>
> However, I remain uncomfortable with the Note seeming to be silent
> on technologies that can reduce risk so that user understanding of
> security context is lessened (or eliminated). So I propose the
> following change to 2.6:
>
> Authoring and deployment techniques
> The Working Group will recommend authoring and deployment
> techniques that cause appropriate security information to be
> communicated to users. Techniques already available at authoring
> and deployment time which reduce the need for communication of
> security information to the user will be considered in the
> recommendations.
>
> Johnathan Nightingale <johnath@mozilla.com>
> Sent by: public-wsc-wg-request@w3.org
> 03/06/2007 02:01 PM
>
> To
> W3C WSC Public <public-wsc-wg@w3.org>
> cc
> Subject
> ACTION-148 Discussion: The role of technology-specific security
> aids in our recommendations
>
> Hello all,
>
> As discussed on today's call, I have taken the action to initiate
> discussion of a proposed change to the note/recs to more explicitly
> include mention of auxiliary security technologies that may be
> relevant within the user's context. If you are lazy, you may skip
> down to the ***, where I get to the point.
>
> The two that were discussed specifically in the call were:
> - SRP (ref: http://en.wikipedia.org/wiki/Secure_remote_password_protocol).
> - RSA-style 2-factor authentication (ref:
> http://en.wikipedia.org/wiki/Two_Factor_Authentication and for our purposes, particularly
> http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types )
>
> The question is, what role (if any) do these technologies play in
> our recommendations.
>
> Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New
> security information) would seem to argue for a limited role. We
> don't want to go down the path of investigating each of these
> protocols and making judgements based on their fitness.
>
> I was initially inclined to approach this in terms of adding a
> subsection to section 7, but:
>
> a) It would be extremely difficult to make this list even remotely
> exhaustive. Bolt-on web security augmentation is, I'm sure, a
> thriving multinational industry.
>
> b) Much of it would not pass the preamble to section 7 ("This
> section provides an exhaustive list of security information
> *currently available* in web user agents." [emphasis added]) User
> agent support for SRP is (afaik) non-existent, and two-factor
> authentication, while widely deployed, is not available to the user
> agent in any consistent way. There is not, e.g., a <link
> rel="application/2factorauth".../> standard markup.
>
> ***
> My proposal therefore is to close the action with no change to the
> note or recommendations unless there are specific technologies in
> this category which are:
>
> a) available to the user agent in some cross-platform way
> b) already deployed
>
> I am, of course, open to discussion on the matter. :)
>
> Cheers,
>
> Johnathan
>
> --
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
Received on Tuesday, 13 March 2007 16:37:28 UTC