W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 1996

RE: Draft WG charter -Reply

From: Steve Carter <srcarter@novell.com>
Date: Mon, 23 Sep 1996 15:54:07 -0600
Message-Id: <s246b2ca.062@novell.com>
To: ben@algroup.co.uk, yarong@microsoft.com, masinter@parc.xerox.com
Cc: ejw@ics.uci.edu, w3c-dist-auth@w3.org
I am already attending the pkix working group of the ietf and the Digital
Signature Initiative of the W3C. Security is critical and must be designed
in from the ground up or it never comes together. We have a number of
issues that we must be aware of:
1. The U.S. export restrictions
2. Non-U.S. import restrictions (particularly France at this time).
3. The size of the key allowed domestically and internationally.
4. The crypto algorithm used.
5. The use of the crypto algorithm, i.e., privacy vs. authentication
6. The lack of the public key infrastructure (PKI)

Several more come to mind, but these are the most important. Securing
documents during distributed authoring is not only a must, rather it is a
requirement of the group. We may not be actually solving the issue, but
the security requirements and protocol interaction must be spelled out for
us to be successful.

Steve Carter

>>> Yaron Goland <yarong@microsoft.com> 09/19/96 01:04pm >>>
Half addressing security is, in my opinion, even worse then not
it at all. The reason being that a half addressing leaves certain 
expectations that may or may not be accurate, that may or may not work,
that may or may not ever be realized. The logic is similar to why it is 
better to use no virus checker than a bad virus checker.

I have said before that we should have a dedicated security sub-group
on a 
separate schedule from the main group. I am willing to be a member. Is 
anyone else interested?


From:  Larry Masinter[SMTP:masinter@parc.xerox.com]
Sent:  Wednesday, September 18, 1996 3:14 PM
To:  ben@algroup.co.uk
Cc:  ejw@ics.uci.edu; w3c-dist-auth@w3.org
Subject:  Re: Draft WG charter

Personally, I think that the charter should be broad enough that we
might consider specific proposals for authorization models and access
permissions, even if we don't want to deep end on the topic.

No Internet standard can progress without at least touching on the
topic of security issues, and I don't think we can just ignore the
issue, without being clear about how such things will work in

Clearly, in order to meet the general needs, we can't rely on a
specific model ("ownership" and "file permissions"), but the protocol
might allow some registry of authentication models, and tunnel access
policy issues. After all, an access policy for a particular uploaded
item isn't so different from other kinds of random metadata (PICS
rating, MARC record, etc.) that one might want to send.

Received on Monday, 23 September 1996 18:20:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:08 UTC