Re: Authoring practices on mixed content and unsafe redirects.

On Fri, 25 Apr 2008 20:28:03 +0200, Mary Ellen Zurko  
<Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

>> On Thu, 24 Apr 2008 22:56:38 +0200, Mary Ellen Zurko
>> <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:
>>
>> >> > "Sensitive transactions also MUST be protected using the same level
>> >> > of protection."
>> >> > I don't know how to give examples of something that is sensitive,
>> >> > and something that isn't. Which seems important for understanding
>> >> > conformance to this one.
>> >>
>> >> I don't know who contributed this text and have no strong opinion
>> >> about it.
>> >
>> > If nobody's got any clue, we should remove it.
>>
>>
>> IMO examples would be online banking transactions, credit card
>> transactions, one may also consider authoring email a sensitive
>> transaction. I'd also say that anything that makes assertions about the
>> user's identity and authorization to perform, in particular, economic
>> transactions, should be considered sensitive.
>
> What is an example of a transaction that is not sensitive?

   - Pages that greet you by name can probably be considered relatively benign.
   - Reading the newspaper is mostly non-sensitive (although that may depend on what you read).
   - I am of two minds about looking at catalogues and adding items to a shopping cart, but willing to let it ride (at present) as long as the checkout is secure from step 1.
   - I am also of two minds about reading email, but sending is over the boundary.

Amazon's one-click shopping is IMO a notch over the boundary to a sensitive
transaction; after all, you are giving the shop not just the order to add
an item to the shopping cart, you are also authorizing payment and
shipping.



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		                 Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Friday, 25 April 2008 18:56:16 UTC