RE: ISSUE-38: no safe haven in presentation space (from public comments)

 
I am not in favor of breaking it up; I feel that the text is already
implied in the note but needs to be stated in a clear, concise message.
 
I can see adding more strength and clarity to the text of "directly
addressing". We are not trying to fix the underlying IA mechanisms;
after all, if correctly implemented and working, the underlying security
services are very capable. Lack of consistency is one of the
reoccurring themes that has come up. The lack of consistency can be
very misleading to the user.
 
In terms of the login ceremony, as I understand it, the WSC is looking at
the login ceremony in terms of consistency: presentation, user
expectations - HTTPS means xxxx, user sees this represented as X. The
web site is free to choose how they authenticate users and the
underlying mechanisms used.
 
Bill D
 
 


________________________________

	From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Close, Tyler J.
	Sent: Monday, May 21, 2007 6:39 PM
	To: public-wsc-wg@w3.org
	Subject: RE: ISSUE-38: no safe haven in presentation space (from public comments)
	
	
	Mez's proposed text is:
	 
	
	5.n Other Security Challenges
	
	As stated in the charter, the mission of the Web Security Context Working
	Group is to specify a baseline set of security context information that
	should be accessible to Web users, and practices for the secure and usable
	presentation of this information, to enable users to come to a better
	understanding of the context that they are operating in when making trust
	decisions on the Web. While the work this group does may have a positive
	and beneficial effect on other security challenges on the web, directly
	addressing such challenges (including user authentication to web sites,
	single sign-on, and security models for active content on the web) are out
	of scope.
	 
	I think it would be better to break this text up into different
	sections. The first part of it seems like it might be part of the
	introductory paragraph of the "Out of scope" section. The last part
	lists a series of topics that should each be a sub-section of
	"Out-of-scope". Just listing them, without further clarification, in an
	"Other" section might be inviting confusion. The "user authentication
	to web sites" item in particular seems tricky since we have decided
	parts of the login ceremony are in scope, such as how the user enters
	information into their user agent.
	 
	Tyler


________________________________

		From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
		Sent: Thursday, May 10, 2007 7:49 AM
		To: public-wsc-wg@w3.org
		Subject: ISSUE-38: no safe haven in presentation space (from public comments)
		
		

		I declare consensus. Editors will make the change and close the issue.

		http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0219.html
		
		          Mez
		
		Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
		Lotus/WPLC Security Strategy and Patent Innovation Architect
		
		

Received on Tuesday, 22 May 2007 15:30:28 UTC