- From: Steve Carter <srcarter@novell.com>
- Date: Mon, 23 Sep 1996 15:54:07 -0600
- To: ben@algroup.co.uk, yarong@microsoft.com, masinter@parc.xerox.com
- Cc: ejw@ics.uci.edu, w3c-dist-auth@w3.org
I am already attending the pkix working group of the ietf and the Digital Signature Initiative of the W3C. Security is critical and must be designed in from the ground up or it never comes together. We have a number of issues that we must be aware of:

1. The U.S. export restrictions
2. Non-U.S. import restrictions (particularly France at this time).
3. The size of the key allowed domestically and internationally.
4. The crypto algorithm used.
5. The use of the crypto algorithm, i.e., privacy vs. authentication
6. The lack of the public key infrastructure (PKI)

Several more come to mind, but these are the most important. Securing documents during distributed authoring is not only a must, rather it is a requirement of the group. We may not be actually solving the issue, but the security requirements and protocol interaction must be spelled out for us to be successful.

-src
Steve Carter
Novell

>>> Yaron Goland <yarong@microsoft.com> 09/19/96 01:04pm >>>

Half addressing security is, in my opinion, even worse than not addressing it at all. The reason being that a half addressing leaves certain expectations that may or may not be accurate, that may or may not work, and that may or may not ever be realized. The logic is similar to why it is better to use no virus checker than a bad virus checker.

I have said before that we should have a dedicated security sub-group on a separate schedule from the main group. I am willing to be a member. Is anyone else interested?

Yaron

----------
From: Larry Masinter[SMTP:masinter@parc.xerox.com]
Sent: Wednesday, September 18, 1996 3:14 PM
To: ben@algroup.co.uk
Cc: ejw@ics.uci.edu; w3c-dist-auth@w3.org
Subject: Re: Draft WG charter

Personally, I think that the charter should be broad enough that we might consider specific proposals for authorization models and access permissions, even if we don't want to deep end on the topic.

No Internet standard can progress without at least touching on the topic of security issues, and I don't think we can just ignore the issue, without being clear about how such things will work in practice. Clearly, in order to meet the general needs, we can't rely on a specific model ("ownership" and "file permissions"), but the protocol might allow some registry of authentication models, and tunnel access policy issues. After all, an access policy for a particular uploaded item isn't so different from other kinds of random metadata (PICS rating, MARC record, etc.) that one might want to send.

Larry
Received on Monday, 23 September 1996 18:20:41 UTC