RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI

Johnathan,
 
Do you have a link to the attributes required by EV certs? 
 
Thx
B
 


________________________________

	From: Johnathan Nightingale [mailto:johnath@mozilla.com] 
	Sent: Wednesday, November 14, 2007 10:39 AM
	To: Doyle, Bill
	Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
	Subject: Re: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI
	
	
	I'd agree that this sounds like a Robustness (§8) topic too. There is already an 8.2 though, so I would expect this to be 8.4.

	I would also point out that we should be clear here, because there are two kinds of mixing:

	 - Mixing web content some of which was obtained over SSL and some of which was not
	 - Displaying unverified certificate fields alongside verified fields, in certificate-based UI

	This action deals with the second one only, which is fine, but it should be made clear that we are talking about certificate contents, since "mixed content" usually refers to the first type.

	I'll also be interested to see how this phrasing ends up, because I wouldn't want us writing a recommendation that, for instance, makes browsers with a "View Certificate" button non-conforming since that UI will show all the fields of the cert, verified alongside unverified.  If we want to specify presentation even in cases like that, we should be deliberate about it.

	Cheers,

	J
	

	On 14-Nov-07, at 10:04 AM, Doyle, Bill wrote:


		Section 8
		 
		Given the description of section 8 and 8.1 included below
		 
		http://www.w3.org/TR/wsc-xit/#Robustness
		 
		8.1 Do not mix content and security indicators <http://www.w3.org/TR/wsc-xit/#site-identifying>
		 
		add
		 
		8.2 Do not mix secure and insecure content in UI ...
		    - blah - blah - Certificates include secure and non-secured content, non-secured certificate content should not be represented in secured areas of the UI
		 
		 
		 
		 
		 
		 
		
		

________________________________

			From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
			Sent: Wednesday, November 14, 2007 9:47 AM
			To: Doyle, Bill
			Cc: public-wsc-wg@w3.org
			Subject: RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI
			
			

			You're still not looking at the right document Bill. Please read my EVERY word :-)
			
			http://www.w3.org/TR/wsc-xit/
			
			          Mez
			
			Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
			Lotus/WPLC Security Strategy and Patent Innovation Architect
			
			
			
			
From: 	"Doyle, Bill" <wdoyle@mitre.org> 	
To: 	"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> 	
Cc: 	<public-wsc-wg@w3.org> 	
Date: 	11/14/2007 08:22 AM 	
Subject: 	RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI


________________________________




			could go under section 9 - problems with status quo
			 
			Secured and non-secured content is mixed 
			 
			 
			
			
________________________________

			From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
			Sent: Wednesday, November 14, 2007 7:50 AM
			To: Doyle, Bill
			Cc: public-wsc-wg@w3.org
			Subject: RE: ACTION-318: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI
			
			
			I believe the reference is to wsc-xit, not wsc-usecases.
			
			http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html
			
			And I agree; section 7 doesn't look like the right place to me. If it's about mixing trusted and untrusted info in certs; maybe sections 4 or 8? Johnathan, Thomas, Tyler - you were all on the discussion; any better recall?
			
			         Mez
			
			Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
			Lotus/WPLC Security Strategy and Patent Innovation Architect
			
			
			
From: 	"Doyle, Bill" <wdoyle@mitre.org> 	
To: 	"Doyle, Bill" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>

Date: 	11/09/2007 03:48 PM 	
Subject: 	RE: ACTION-381: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI


			
			
________________________________

			
			
			
			Seems like UI issues and mixing of trusted/untrusted information should go under this heading
			
			2.5 Reliable presentation of security information <http://www.w3.org/TR/2007/WD-wsc-usecases-20071101/#trusted-path>
			
			
			
			
________________________________

			From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
			Sent: Friday, November 09, 2007 3:24 PM
			To: public-wsc-wg@w3.org
			Subject: ACTION-381: Draft a new subsection to section 7 discussing the mixing of trusted/untrusted information in the UI
			
			If I have this action right I am not sure if this belongs in section 7 - The section is titled Security Information Available to the User Agent
			
			Furthermore, section 7 has a heading titled "defined by user agent" and UI is defined by user agent.  Is the WG making a statement that this particular UI decision should not be left up to browser developer community?
			
			I am thinking that section 7 is the inputs and UI is an output, UI is the application or use of security information. Do we need a new section?
			
			Cheers
			Bill D.
			
			
			
			
			
			
			
			


	
	---
	Johnathan Nightingale
	Human Shield
	johnath@mozilla.com

Received on Monday, 26 November 2007 21:20:24 UTC