RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page from Timothy Hahn on 2007-11-28 (public-wsc-wg@w3.org from November 2007)

From: Timothy Hahn <hahnt@us.ibm.com>
Date: Wed, 28 Nov 2007 10:35:30 -0500
To: "Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Message-ID: <OF8788ACED.4A43E715-ON852573A1.0054340C-852573A1.0055A561@us.ibm.com>
Hi all,

I would prefer SHOULD, but am willing to downgrade all the way to MAY.

What do others think?

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From:
"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
To:
"Timothy Hahn" <Timothy_Hahn%IBMUS@notesdev.ibm.com>
Cc:
"Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Date:
11/28/2007 07:40 AM
Subject:
RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from 
updated   browser lock down wiki page




I'm only seeing this as a "MAY".  Most of those situations, it's OK to 
have a command/icon that brings up additional security information. And 
user agent vendors may choose not to add features that allow them to sell 
into those scenarios. 

          Mez




From:
Timothy Hahn/Durham/IBM@IBMUS
To:
"Web Security Context Working Group WG" <public-wsc-wg@w3.org>
Date:
11/27/2007 01:43 PM
Subject:
RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from 
updated  browser lock down wiki page




Hi all, 

To be clear, the requirement does not state that the information is not 
available.  The requirement states that there is a "usage mode" where the 
information is not available.

Michael McCormick asked for real world examples where this would be 
valuable.  I have thought of a couple:
 - public access terminals (kiosks, user agents installed in libraries, 
and schools, etc.)
 - usage modes for pre-school children (they won't call a help desk, and 
their parents probably don't want them calling the help desk - other than 
calling their parent for help)
 - airline ticketing agent usage mode (they are not in the business of 
fixing security problems with their user agent.  A support staff for such 
terminals would likely have a "admin"/"management" path by which they 
could access, even remotely, the security information from the user agent 
system without  making the end user recite some security-complex 
information over the phone) 

And another example of this type of model: parental restrictions on 
television and video game systems.  You have to enter a "admin mode" in 
order to even view the settings, let alone change them. 

When a user (or the same user) is ready to deal with security-related 
information and settings, let them operate in such a usage mode that 
allows for such view and modification.

Regards, 
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530
 


From:
"Doyle, Bill" <wdoyle@mitre.org>
To:
"Ian Fette" <ifette@google.com>, "Dan Schutzer" <dan.schutzer@fstc.org>
Cc:
"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Web Security 
Context Working Group WG" <public-wsc-wg@w3.org>
Date:
11/26/2007 04:16 PM
Subject:
RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from 
updated browser lock down wiki page






Removing the ability to view security settings appears to be in
conflict with an issue that was brought up a long time ago and noted by
UAAG 1.0

http://www.w3.org/2006/WSC/track/issues/40




-----Original Message-----
From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Ian Fette
Sent: Monday, November 26, 2007 12:40 PM
To: Dan Schutzer
Cc: Mary Ellen Zurko; Web Security Context Working Group WG
Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
from updated browser lock down wiki page


Yes, but then they call up their help desk / ISP / son / whomever, and
are asked "Is HTTPS over SOCKS checked or unchecked" and they say "I
don't see where that option is...".

I really don't see why the user should ever be prevented from at least
viewing the settings.

On Nov 26, 2007 9:16 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote:
>
>
>
>
> I would agree that a user should always be able to view and modify
> security-related configuration settings, but that if a user agent
does their
> job correctly, it should not be necessary, especially for the user
who would
> have trouble understanding the kind of detailed security
configuration
> settings that one sees today in the Security tab
>
>
>
>  ________________________________
>
>
> From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Mary Ellen Zurko
>  Sent: Monday, November 26, 2007 11:36 AM
>  To: Web Security Context Working Group WG
>  Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with
information
> from updated browser lock down wiki page
>
>
>
>
>
>  "A user agent MUST support a mode of operation whereby the user is
unable
> to view or modify the security-related configuration settings. "
>
>  It seems wrong to me that there is a mode where the user is unable
to view
> the security related configuration settings. In every context I've
ever been
> in, having some ability to get to more information if helpful.
>
>  I would remove the "view or" part of this, unless I'm missing
something.


 
[attachment "smime.p7s" deleted by Mary Ellen Zurko/Westford/IBM]
Received on Wednesday, 28 November 2007 15:35:48 UTC