- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 26 Nov 2007 18:28:33 -0500
- To: "Doyle, Bill" <wdoyle@mitre.org>
- Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
- Message-Id: <4BA65712-097B-492B-B354-18FFC9421619@mozilla.com>

Hey Bill,

The guidelines specify the fields for which EV certificates make specific guarantees.

http://cabforum.org/EV_Certificate_Guidelines.pdf

Cheers,

Johnathan

On 26-Nov-07, at 4:20 PM, Doyle, Bill wrote:

> Johnathan,
>
> Do you have a link to the attributes required by EV certs?
>
> Thx
> B
>
>
> From: Johnathan Nightingale [mailto:johnath@mozilla.com]
> Sent: Wednesday, November 14, 2007 10:39 AM
> To: Doyle, Bill
> Cc: Mary Ellen Zurko; public-wsc-wg@w3.org
> Subject: Re: ACTION-318: Draft a new subsection to section 7
> discussing the mixing of trusted/untrusted information in the UI
>
> I'd agree that this sounds like a Robustness (§8) topic too. There
> is already an 8.2 though, so I would expect this to be 8.4.
>
> I would also point out that we should be clear here, because there
> are two kinds of mixing:
>
> - Mixing web content some of which was obtained over SSL and some
> of which was not
> - Displaying unverified certificate fields alongside verified
> fields, in certificate-based UI
>
> This action deals with the second one only, which is fine, but it
> should be made clear that we are talking about certificate contents,
> since "mixed content" usually refers to the first type.
>
> I'll also be interested to see how this phrasing ends up, because I
> wouldn't want us writing a recommendation that, for instance, makes
> browsers with a "View Certificate" button non-conforming since that
> UI will show all the fields of the cert, verified alongside
> unverified. If we want to specify presentation even in cases like
> that, we should be deliberate about it.
>
> Cheers,
>
> J
>
> On 14-Nov-07, at 10:04 AM, Doyle, Bill wrote:
>
>> Section 8
>>
>> Given the description of section 8 and 8.1 included below
>>
>> http://www.w3.org/TR/wsc-xit/#Robustness
>>
>> 8.1 Do not mix content and security indicators
>>
>> add
>>
>> 8.2 Do not mix secure and insecure content in UI ...
>> - blah - blah - Certificates include secure and non-secured
>> content, non-secured certificate content should not be represented
>> in secured areas of the UI
>>
>>
>> From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
>> Sent: Wednesday, November 14, 2007 9:47 AM
>> To: Doyle, Bill
>> Cc: public-wsc-wg@w3.org
>> Subject: RE: ACTION-318: Draft a new subsection to section 7
>> discussing the mixing of trusted/untrusted information in the UI
>>
>>
>> You're still not looking at the right document Bill. Please read my
>> EVERY word :-)
>>
>> http://www.w3.org/TR/wsc-xit/
>>
>> Mez
>>
>> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
>> Lotus/WPLC Security Strategy and Patent Innovation Architect
>>
>>
>> From: "Doyle, Bill" <wdoyle@mitre.org>
>> To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Cc: <public-wsc-wg@w3.org>
>> Date: 11/14/2007 08:22 AM
>> Subject: RE: ACTION-318: Draft a new subsection to section 7
>> discussing the mixing of trusted/untrusted information in the UI
>>
>>
>> could go under section 9 - problems with status quo
>>
>> Secured and non-secured content is mixed
>>
>>
>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
>> Sent: Wednesday, November 14, 2007 7:50 AM
>> To: Doyle, Bill
>> Cc: public-wsc-wg@w3.org
>> Subject: RE: ACTION-318: Draft a new subsection to section 7
>> discussing the mixing of trusted/untrusted information in the UI
>>
>>
>> I believe the reference is to wsc-xit, not wsc-usecases.
>>
>> http://lists.w3.org/Archives/Member/member-wsc-wg/2007Oct/0011.html
>>
>> And I agree; section 7 doesn't look like the right place to me. If
>> it's about mixing trusted and untrusted info in certs; maybe
>> sections 4 or 8? Johnathan, Thomas, Tyler - you were all on the
>> discussion; any better recall?
>>
>> Mez
>>
>> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
>> Lotus/WPLC Security Strategy and Patent Innovation Architect
>>
>>
>> From: "Doyle, Bill" <wdoyle@mitre.org>
>> To: "Doyle, Bill" <wdoyle@mitre.org>, <public-wsc-wg@w3.org>
>> Date: 11/09/2007 03:48 PM
>> Subject: RE: ACTION-381: Draft a new subsection to section 7
>> discussing the mixing of trusted/untrusted information in the UI
>>
>>
>> Seems like UI issues and mixing of trusted/untrusted information
>> should go under this heading
>>
>> 2.5 Reliable presentation of security information
>>
>>
>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Doyle, Bill
>> Sent: Friday, November 09, 2007 3:24 PM
>> To: public-wsc-wg@w3.org
>> Subject: ACTION-381: Draft a new subsection to section 7 discussing
>> the mixing of trusted/untrusted information in the UI
>>
>> If I have this action right I am not sure if this belongs in
>> section 7 - The section is titled Security Information Available to
>> the User Agent
>>
>> Furthermore, section 7 has a heading titled "defined by user agent"
>> and UI is defined by user agent. Is the WG making a statement that
>> this particular UI decision should not be left up to browser
>> developer community?
>>
>> I am thinking that section 7 is the inputs and UI is an output, UI
>> is the application or use of security information. Do we need a new
>> section?
>>
>> Cheers
>> Bill D.
>>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 26 November 2007 23:28:52 UTC