
Question: secure third-party attestations about web sites?

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 29 Apr 2015 08:41:34 -0700
Message-ID: <CAEnTvdCyqDqa+sfbm4m0qYY6RK5xLx6Ur2ryoPUu2OcJJvmzDQ@mail.gmail.com>
To: www-tag <www-tag@w3.org>

All,

During some of the discussions about HTTPS, the point was raised that HTTPS
gives you only an assurance about the identity of the site and the privacy
of your communication with that site. It tells you nothing about the
security and privacy properties of the site itself.

It occurred to me that there are many third-party organizations, eTrust or
any of the anti-virus people for example, that do aim to give users
information about the security and privacy properties of sites (both
positive and negative). But there is, as far as I know, no secure mechanism
for these attestations to be presented to users: case-by-case policing of
abuse of those logos / marks is the only defense.

So my question is whether there is any ongoing work, or if it even makes
sense, for UAs to play a role in secure delivery of such third-party
attestations to users? (I would expect it to be a long-term project - I'm
not thinking about quick-fixes here).

Thanks in advance,

Mark
Received on Wednesday, 29 April 2015 15:42:02 UTC
