- From: Joseph Hui <jhui@digisle.net>
- Date: Thu, 2 May 2002 18:01:11 -0700
- To: "David Booth" <dbooth@w3.org>, <www-ws-arch@w3.org>
> -----Original Message-----
> From: David Booth [mailto:dbooth@w3.org]
> Sent: Thursday, May 02, 2002 12:40 PM
> To: www-ws-arch@w3.org
> Subject: D-AR006.9 - "baseline for trust models"
>
> >"D-AR006.9 The security framework document SHOULD recommend a baseline for
> >trust models."
>
> I think this needs clarification. I don't know what "a baseline for trust
> models" means.

Trust models range from: username/password, to PGP-signed certificates, to CA-issued certificates, ...
We may want to set a baseline somewhere, so WS providers and consumers will be well advised what they need to prepare themselves for in order to do business.

E.g. right now you won't give out your credit card number to a (non-https) website that doesn't turn on that little lock at the corner of your browser, because you have implicitly adopted the trust model (executed by your browser on your behalf) that you don't trust merchants who don't bother to acquire a certificate (issued by a reputable CA).

BTW, as with few others, the WG may want to deliberate whether this should be in or out of scope. So vote D if you aren't sure.

Cheers,

Joe Hui
Exodus, a Cable & Wireless service
Received on Thursday, 2 May 2002 21:01:12 UTC