RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page from Timothy Hahn on 2007-11-26 (public-wsc-wg@w3.org from November 2007)

From: Timothy Hahn <hahnt@us.ibm.com>
Date: Mon, 26 Nov 2007 13:04:37 -0500
To: "'Web Security Context Working Group WG'" <public-wsc-wg@w3.org>
Message-ID: <OF3C965536.61734BBD-ON8525739F.0061A612-8525739F.00634C73@us.ibm.com>

Hi all,

I included this item in the Requirements section as a means of forcing the 
point that there are different users, or even the same user (human), but 
acting/operating in different mind-sets which interact with a user agent. 
So, either separated by different people or by different times, a person 
should not be placed into a situation where they are asked to make a 
security-related decision when they are not in the mind-set of making such 
a decision.  To avoid this, I called for a usage mode that would not 
display (or allow modification) of such security settings.  The idea being 
that if the person is wanting to do such perusal and/or modification, then 
they should put themselves (and their user agent) into that mode first.

(An analogous type of notion is doing things with "sudo" rather than just 
running as "root".  This is not an exact fit, but it is similar.)

I was not advocating that a user never be able to view or modify 
security-related settings.  I was advocating that users not be forced, 
tempted, or encouraged to even look when they are not in the "usage mode" 
that is indicative of considering security items/settings.

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From:
"Dan Schutzer" <dan.schutzer@fstc.org>
To:
"'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Web Security 
Context Working Group WG'" <public-wsc-wg@w3.org>
Date:
11/26/2007 12:29 PM
Subject:
RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from 
updated  browser lock down wiki page



I would agree that a user should always be able to view and modify 
security-related configuration settings, but that if a user agent does 
their job correctly, it should not be necessary, especially for the user 
who would have trouble understanding the kind of detailed security 
configuration settings that one sees today in the Security tab
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Monday, November 26, 2007 11:36 AM
To: Web Security Context Working Group WG
Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information 
from updated browser lock down wiki page
 

"A user agent MUST support a mode of operation whereby the user is unable 
to view or modify the security-related configuration settings. "

It seems wrong to me that there is a mode where the user is unable to view 
the security related configuration settings. In every context I've ever 
been in, having some ability to get to more information if helpful. 

I would remove the "view or" part of this, unless I'm missing something.

Received on Monday, 26 November 2007 18:05:03 UTC