- From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
- Date: Thu, 24 Apr 2008 23:18:38 +0200
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Thomas Roessler" <tlr@w3.org>
- Cc: public-wsc-wg@w3.org

On Thu, 24 Apr 2008 22:56:38 +0200, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

>> > "Sensitive transactions also MUST be protected using the same level of
>> > protection."
>> > I don't know how to give examples of something that is sensitive, and
>> > something that isn't. Which seems important for understanding conformance
>> > to this one.
>>
>> I don't know who contributed this text and have no strong opinion
>> about it.
>
> If nobody's got any clue, we should remove it.

IMO examples would be online banking transactions, credit card transactions, one may also consider authoring email a sensitive transaction.

I'd also say that anything that makes assertions about the user's identity and authorization to perform, in particular, economic transactions, should be considered sensitive.

A question to ask is what the solicited secret is meant to protect? If the secret is solicited in a TLS protected it indicates that information and actions it protects are of value to the user and as a consequence to an attacker. If that wasn't the case, the secret or the protection wouldn't be as necessary.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer      Email: yngve@opera.com
Opera Software ASA    http://www.opera.com/
Phone: +47 24 16 42 60    Fax: +47 24 16 40 01
********************************************************************

Received on Thursday, 24 April 2008 21:19:25 UTC