- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 25 Apr 2008 14:28:03 -0400
- To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
- Cc: public-wsc-wg@w3.org
Received on Friday, 25 April 2008 18:28:50 UTC
> On Thu, 24 Apr 2008 22:56:38 +0200, Mary Ellen Zurko
> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>
> >> > "Sensitive transactions also MUST be protected using the same level of
> >> > protection."
> >> > I don't know how to give examples of something that is sensitive, and
> >> > something that isn't. Which seems important for understanding
> >> > conformance to this one.
> >>
> >> I don't know who contributed this text and have no strong opinion
> >> about it.
> >
> > If nobody's got any clue, we should remove it.
>
> IMO examples would be online banking transactions, credit card
> transactions, one may also consider authoring email a sensitive
> transaction. I'd also say that anything that makes assertions about the
> user's identity and authorization to perform, in particular, economic
> transactions, should be considered sensitive.

What is an example of a transaction that is not sensitive?

> A question to ask is what the solicited secret is meant to protect? If the
> secret is solicited in a TLS protected it indicates that information and
> actions it protects are of value to the user and as a consequence to an
> attacker. If that wasn't the case, the secret or the protection wouldn't
> be as necessary.

So you are saying that any information that requires authentication for
protection (for authorization) is a sensitive transaction. Does everyone
buy into that?