- From: Timothy Hahn <hahnt@us.ibm.com>
- Date: Mon, 26 Nov 2007 13:04:37 -0500
- To: "'Web Security Context Working Group WG'" <public-wsc-wg@w3.org>
- Message-ID: <OF3C965536.61734BBD-ON8525739F.0061A612-8525739F.00634C73@us.ibm.com>
Hi all,

I included this item in the Requirements section as a means of forcing the point that there are different users, or even the same user (human), but acting/operating in different mind-sets which interact with a user agent. So, either separated by different people or by different times, a person should not be placed into a situation where they are asked to make a security-related decision when they are not in the mind-set of making such a decision.

To avoid this, I called for a usage mode that would not display (or allow modification of) such security settings. The idea being that if the person is wanting to do such perusal and/or modification, then they should put themselves (and their user agent) into that mode first. (An analogous type of notion is doing things with "sudo" rather than just running as "root". This is not an exact fit, but it is similar.)

I was not advocating that a user never be able to view or modify security-related settings. I was advocating that users not be forced, tempted, or encouraged to even look when they are not in the "usage mode" that is indicative of considering security items/settings.

Regards,
Tim Hahn
IBM Distinguished Engineer
Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565 tie-line: 8/687.1565
fax: 919.224.2530

From: "Dan Schutzer" <dan.schutzer@fstc.org>
To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Web Security Context Working Group WG'" <public-wsc-wg@w3.org>
Date: 11/26/2007 12:29 PM
Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page

I would agree that a user should always be able to view and modify security-related configuration settings, but that if a user agent does their job correctly, it should not be necessary, especially for the user who would have trouble understanding the kind of detailed security configuration settings that one sees today in the Security tab

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Monday, November 26, 2007 11:36 AM
To: Web Security Context Working Group WG
Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page

"A user agent MUST support a mode of operation whereby the user is unable to view or modify the security-related configuration settings."

It seems wrong to me that there is a mode where the user is unable to view the security related configuration settings. In every context I've ever been in, having some ability to get to more information is helpful. I would remove the "view or" part of this, unless I'm missing something.

Received on Monday, 26 November 2007 18:05:03 UTC