RE: ACTION-148 Discussion: The role of technology-specific security aids in our recommendations from Close, Tyler J. on 2007-03-16 (public-wsc-wg@w3.org from March 2007)

From: Close, Tyler J. <tyler.close@hp.com>
Date: Fri, 16 Mar 2007 23:41:15 -0000
To: "W3C WSC Public" <public-wsc-wg@w3.org>
Message-ID: <08CA2245AFCF444DB3AC415E47CC40AF8C5A25@G3W0072.americas.hpqcorp.net>
I don't understand how the proposed edit to "Authoring and deployment
techniques" makes the Note no longer silent on the topic of SRP or
multi-factor authentication. For me, the proposed edit is too vague to
provide any additional information to the reader.

I also don't understand why the proposed text seems to widen the scope
of what the WG will do if we all agree with Johnathan's assessment that
we should not widen our scope to accomodate this topic.

Tyler

> -----Original Message-----
> From: public-wsc-wg-request@w3.org 
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Johnathan 
> Nightingale
> Sent: Tuesday, March 13, 2007 9:37 AM
> To: Mary Ellen Zurko
> Cc: W3C WSC Public
> Subject: Re: ACTION-148 Discussion: The role of 
> technology-specific security aids in our recommendations
> 
> 
> Suits me.  And apologies for missing the meeting today, 
> travel is getting the better of me.  :)
> 
> Does this close 148?
> 
> Cheers,
> 
> J
> 
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
> 
> 
> 
> On 13-Mar-07, at 9:03 AM, Mary Ellen Zurko wrote:
> 
> >
> > Your logic is impecable.
> >
> > However, I remain uncomfortable with the Note seeming to be 
> silent on 
> > technologies that can reduce risk so that user understanding of 
> > security context is lessened (or eliminated).  So I propose the 
> > following change to 2.6:
> >
> > Authoring and deployment techniques
> > The Working Group will recommend authoring and deployment 
> techniques 
> > that cause appropriate security information to be communicated to 
> > users. Techniques already available at authoring and 
> deployment time 
> > which reduce the need for communication of security 
> information to the 
> > user will be considered in the recommendations.
> >
> >
> >
> >
> > Johnathan Nightingale <johnath@mozilla.com> Sent by: 
> > public-wsc-wg-request@w3.org
> > 03/06/2007 02:01 PM
> >
> > To
> > W3C WSC Public <public-wsc-wg@w3.org>
> > cc
> > Subject
> > ACTION-148 Discussion: The role of technology-specific security   
> > aids in our recommendations
> >
> >
> >
> >
> >
> >
> > Hello all,
> >
> > As discussed on today's call, I have taken the action to initiate 
> > discussion of a proposed change to the note/recs to more explicitly 
> > include mention of auxiliary security technologies that may be 
> > relevant within the user's context.  If you are lazy, you may skip 
> > down to the ***, where I get to the point.
> >
> > The two that were discussed specifically in the call were:
> > - SRP (ref: http://en.wikipedia.org/wiki/ 
> > Secure_remote_password_protocol).
> > - RSA-style 2-factor authentication (ref: http://en.wikipedia.org/ 
> > wiki/Two_Factor_Authentication and for our purposes, particularly 
> > http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types )
> >
> > The question is, what role (if any) do these technologies 
> play in our 
> > recommendations.
> >
> > Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New 
> > security information) would seem to argue for a limited role.  We 
> > don't want to go down the path of investigating each of these 
> > protocols and making judgements based on their fitness.
> >
> > I was initially inclined to approach this in terms of adding a 
> > subsection to section 7, but:
> >
> > a) It would extremely difficult to make this list even remotely 
> > exhaustive.  Bolt-on web security augmentation is, I'm sure, a 
> > thriving multinational industry.
> >
> > b) Much of it would not pass the preamble to section 7 
> ("This section 
> > provides an exhaustive list of security information *currently 
> > available* in web user agents." [emphasis added])  User 
> agent support 
> > for SRP is (afaik) non-existent, and two-factor 
> authentication, while 
> > widely deployed, is not available to the user agent in any 
> consistent 
> > way.  There is not, e.g., a <link 
> rel="application/2factorauth".../> 
> > standard markup.
> >
> > ***
> > My proposal therefore is to close the action with no change to the  
> > note or recommendations unless there are specific technologies in  
> > this category which are:
> >
> > a) available to the user agent in some cross-platform way
> > b) already deployed
> >
> > I am, of course, open to discussion on the matter.  :)
> >
> > Cheers,
> >
> > Johnathan
> >
> > -- 
> > Johnathan Nightingale
> > Human Shield
> > johnath@mozilla.com
> >
> >
> >
> >
> 
> 
>
Received on Friday, 16 March 2007 23:41:46 UTC