W3C Technology and Society Domain

Call For Participation

Toward a More Secure Web

W3C Workshop on Transparency and Usability of Web Authentication

15/16 March 2006 — New York City, USA

Background

W3C's Security Activities

This Workshop aims to identify steps W3C can take to improve Web security at the user-facing end of the spectrum. Practical security online often fails because users can be induced to make decisions that jeopardize their security and privacy: lacking any working authentication of a Web site's identity, they cannot tell a genuine site from an impostor (phishing). We will look at technologies that help Web users assess the trustworthiness and identity of the sites they deal with.

Our goal is to complement W3C's past security work on basic XML Security specifications: XML Signature, XML Encryption, and XML Key Management. These specifications put in place fundamental building blocks for securing XML-based formats and Web Services protocols.

Effective Authentication Must Be Mutual and Usable

Online authentication as deployed today usually focuses on authenticating the user to the Web site operator, but neglects the need to authenticate the Web site's identity to the user. Ordinary users are not able to reliably identify the sites they deal with. In the worst cases, the necessary authentication is missing completely at critical points of the interaction. In the best case, service-side authentication relies on visually weak security indicators, such as the well-known padlock icon, and on the user's typically limited ability to parse a domain name and compare it with the expected one. The value of the security indicators presently available is further reduced by attackers' ability to abuse the scripting capabilities of rich Web clients to conceal these indicators (or the empty spots they leave) and to replace them with fake renderings.
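The domain-name comparison mentioned above is harder than it looks, because what a user perceives as "the site name" is not what the browser connects to. The following is an added example, not code from the W3C page, that contrasts the comparison users effectively perform (does the address contain the bank's name somewhere?) with the check that actually answers the question (is the parsed hostname the expected site or one of its subdomains?). The site names and URLs are constructed for illustration; `example-bank.com` is assumed to be the legitimate site.

```javascript
// Added example (not part of the W3C call): why "the address contains the
// bank's name" is the wrong test, and what the right comparison is.
// All hostnames below are constructed for illustration.

// WHATWG URL parsing yields the hostname the browser actually connects to,
// independent of userinfo, path or query tricks elsewhere in the string.
function hostnameOf(url) {
  return new URL(url).hostname;
}

// The comparison a user (or a sloppy in-page indicator) effectively performs:
// "does the expected name appear somewhere in the address?"
function naiveLooksLike(url, expectedHost) {
  return url.toLowerCase().includes(expectedHost.toLowerCase());
}

// The check that answers "am I on the expected site or a subdomain of it?"
// Only a suffix match on whole labels counts; a prefix match proves nothing.
function matchesExpectedSite(url, expectedHost) {
  const host = hostnameOf(url);          // already lower-cased and IDNA-encoded
  const expected = expectedHost.toLowerCase();
  return host === expected || host.endsWith('.' + expected);
}

const EXPECTED = 'example-bank.com';     // assumed legitimate site

// Constructed sample addresses. Every one of them shows the bank's name to
// a user; only the first one actually reaches the bank.
const SAMPLES = [
  'https://www.example-bank.com/login',                   // genuine
  'https://www.example-bank.com.login-verify.example/',   // bank name as leftmost labels
  'https://example-bank.com@login-verify.example/',       // bank name as userinfo
  'https://login-verify.example/example-bank.com/',       // bank name in the path
  'https://www.ex\u0430mple-bank.com/login',              // Cyrillic U+0430 in place of Latin "a"
];

function classify(urls, expectedHost) {
  return urls.map(u => ({
    url: u,
    host: hostnameOf(u),
    naive: naiveLooksLike(u, expectedHost),
    strict: matchesExpectedSite(u, expectedHost),
  }));
}

for (const r of classify(SAMPLES, EXPECTED)) {
  // The homoglyph case surfaces as an xn-- (punycode) label once parsed,
  // which is exactly the information the user's eye never gets.
  console.log(`${r.strict ? 'OK   ' : 'SPOOF'} host=${r.host} naive=${r.naive} ${r.url}`);
}
```

The lesson for indicator design is the one the paragraph makes: an indicator that shows the user the raw address string leaves the hard part (finding the registrable domain, spotting a punycode label) to the user, whereas an indicator derived from the parsed hostname can make the comparison on the user's behalf.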

Attackers exploit this weakness in service-side Web authentication to obtain sensitive information or credentials that can then be used to impersonate users: users are deceived about the identity of the site they are visiting, and induced to make trust decisions based on that misled perception.

Web authentication, as it is currently deployed, offers little or no remedy to content providers: in-line security indicators rendered within the page are susceptible to spoofing and, ultimately, just add to attackers' toolboxes. Secure out-of-band trust indicators, rendered outside the content area the site controls, require the deployment of additional client-side software.

Workshop Goals and Scope

The aim of this Workshop is to gather browser developers, other IT vendors, users, researchers, and technologists in the areas of Web authentication and security usability, to discuss and provide recommendations to W3C regarding the best approaches for making implementable and deployable improvements to the usability of Web authentication. Areas of particular interest include:

At the workshop we also expect to consider the trade-offs between security improvements that continue to interoperate with currently deployed browsers, incremental improvements to the existing browser environment, and approaches that may involve more fundamental changes to the Web.

Deliverables

This Workshop will help the W3C community determine what steps it can take in this area, including the possible scope of W3C Recommendations.

Position papers received for the Workshop will be posted publicly on the Web.

In addition, minutes and reports from the discussions, as well as a final document summarizing the outcome of the Workshop and the suggested future actions, will be posted publicly. Conversations and results are public.

Requirements for Participation

Position Papers

Position papers are the basis for discussions at the Workshop. Accepted papers will be made available to the public from the Workshop Page. Submission of a position paper constitutes acceptance of these terms of publication.

Papers should explain the participant's interest in the Workshop, and should contribute to the Workshop's goals as outlined above.

All papers should be 1 to 5 pages. Allowed formats are (valid) HTML/XHTML, PDF, or plain text. Papers in any other formats will be returned with a request for correct formatting.

The Program Committee may ask the authors of particularly salient position papers to present their position at the workshop to foster discussion. Presenters will be asked to make the slides of their presentation available on the workshop home page in HTML, PDF, or plain text. Position papers must be submitted via email to <team-usable-authentication-submit@w3.org> no later than 25 January 2006. Early submissions are appreciated.

Workshop Organization

Workshop Chairs

Program Committee

At this time, the program committee is still being assembled. The list so far:

Schedule

The Workshop program will run from 8:30 am to 6 pm on both days.

Venue

The workshop will be held in a conference facility in New York City, likely in the Mid-town or Lower Manhattan areas.

Details will be included in the acceptance notification, and will be published on the Workshop Page.

Important Dates

Date              Event
15 December 2005  Call for Participation issued
25 January 2006   Deadline for position papers
15 February 2006  Acceptance notification; beginning of registration period
22 February 2006  Release of workshop program
1 March 2006      Deadline for registration
15 March 2006     Workshop begins (8:30 am)
16 March 2006     Workshop ends (6 pm)

Last modified: 2006/01/13 16:50:01
Thomas Roessler