- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 15 May 2007 09:16:44 -0400
- To: <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B580171D9DB@IMCSRV5.MITRE.ORG>
The level of security presented by the User Agent to the user must protect user data through the entire data lifecycle. Pages rendered by User Agents are increasingly components of multi-vendor processing schemes and multi-protocol collaboration environments. If the User Agent configures an HTTPS session to protect a user session, the user has a level of expectation with regard to security and information assurance. In the case of HTTPS, the user expects that security goes beyond the HTTPS session termination point and protects all use of the data. For example, if a user id / password is transmitted in an HTTPS session, the receiving server cannot forward this data in clear text. If developers cannot secure user data throughout the data lifecycle, the level of security presented to the user should be downgraded to the lowest level of security provided.
Received on Tuesday, 15 May 2007 13:17:29 UTC