- From: Mary Ellen Zurko <mzurko@us.ibm.com>
- Date: Mon, 9 Nov 2009 15:01:43 -0500
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: public-wsc-wg@w3.org
- Message-ID: <OFF1102230.34BE72DB-ON85257669.006DCEE2-85257669.006DEBCD@LocalDomain>
Straw poll:

- A) Web user agents MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information without user interactions.
- B) Web user agents SHOULD prevent web content from obscuring, hiding, or disabling user interfaces that display security context information.
- C) Abstain

I vote B. I still don't like my rewording.

We'll finish with this poll at the meeting this week.

From: Mary Ellen Zurko/Westford/IBM@Lotus
To: public-wsc-wg@w3.org
Date: 10/30/2009 05:05 PM
Subject: obscuring SCI
Sent by: public-wsc-wg-request@w3.org

In his latest email, Adam Barth sent an excellent example of a browser that would claim compliance (Chrome) but provides a way for content to obscure SCI when the user interacts with that content (first picture):
http://lists.w3.org/Archives/Public/public-wsc-wg/2009Oct/0024.html

The part of the spec that this might violate is 7.4.1, first paragraph:

Web user agents MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information.

In the meeting, we discussed this. There were two schools of thought. One was the simple downgrade from MUST to SHOULD. Another was that the example was clearly not a usable security problem, so why, and was that something we could extend this part of the spec with. The notion was that because the user must interact a specific way with the content to make this happen, that the content could not do it on its own, it was still within the spirit of our intention, and we should find some way to say that instead. I volunteered to take a crack at it.

So the second alternative would be to change the text in this fashion:

Web user agents MUST prevent web content from obscuring, hiding, or disabling user interfaces that display security context information without user interactions.

I can't say I like this. But I can't come up with anything better.

So thoughts? Better proposal? Or is SHOULD the best we can do?
Received on Monday, 9 November 2009 20:01:26 UTC