ISSUE-38

no safe haven in presentation space (from public comments)

State:
CLOSED
Product:
wsc-usecases
Raised by:
Bill Doyle
Opened on:
2007-04-15
Description:
From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org

http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

no safe haven in presentation space
where it says, in 2.5 Reliable presentation of security information
The Working Group will recommend presentation techniques that
mitigate deceptive imitation, or hiding, of the user agent's
presentation of security information.
where it says, in 2.7 Best practices for other media
The Working Group will provide best practice guidelines for
other media to follow so as not to undermine the presentation of
security information on the web.
please consider
This part of the strategy seems particularly weak. Techniques to ascertain
the actual presentation of [e.g. DOM objects] are sought by the WAI.
Techniques to query the delivery context are under development by the Device
Independence [now Ubiquitous Web Applications] Working Group. You should
think of querying the delivery context for evidence of spoofing 'security
indicating' presentation as one of the tools in your deployment strategy.
Likewise, making it easy for the user to exercise a faint twitch of skepticism
with what seems to them a lightweight gesture, but raises the sensitivity of
security-information-filtering -- that is a closed-loop, mixed-initiative way
to move the performance curve of security failures vs. user nuisance. Also,
you should consider introducing practices which are not widely used now but
are up and running and working in practice. What if the user gets a page with
some protected content and some that was transmitted in unprotected HTTP? The
user doesn't know what in the page is of what category. Suppose at this point
they could by a flick of the hotkey send the challenge "can you send me that
offer in a signed document?" This relies on PKI that is somewhere in the SSL
stack, and the server won't have to bear the burden all the time. When a user
is at all concerned, the ethical merchant could want to invest the extra
cycles for the cryptography. In other words, readily achievable changes in
technology deployment should not be altogether off the table.
Why?
It seems unlikely that you can limit yourselves to currently-widely adopted
technology and not find that any presentation-property syndrome that you
select (whether of placement, coloration or language) is vulnerable to highly
effective spoofing attacks. Likewise the appeal to other media to stay out of
your protected zone is not likely to be successful unless a duly constituted
panel representing all stakeholders decides the allocated reserved
presentations.


Related Actions Items:
No related actions
Related emails:
  1. RE: ISSUE-38: no safe haven in presentation space (from publiccomments) (from tyler.close@hp.com on 2007-08-08)
  2. RE: ISSUE-38: no safe haven in presentation space (from publiccomments) (from wdoyle@mitre.org on 2007-07-30)
  3. Meeting record: WSC WG weekly 2007-07-18 (from tlr@w3.org on 2007-07-26)
  4. Re: Agenda: WSC WG distributed meeting, Wednesday, 2007-07-25 (from tlr@w3.org on 2007-07-24)
  5. Re: ISSUE-38: no safe haven in presentation space (from public comments) (from tlr@w3.org on 2007-07-19)
  6. Draft Minutes for Jul 18 Meeting (from johnath@mozilla.com on 2007-07-18)
  7. Agenda: WSC WG distributed meeting 2007-07-18 (from tlr@w3.org on 2007-07-17)
  8. Re: Agenda: WSC WG distributed meeting 2007-07-18 (from tlr@w3.org on 2007-07-17)
  9. Re: ISSUE-38: no safe haven in presentation space (from public comments) (from tlr@w3.org on 2007-07-11)
  10. RE: ISSUE-38: no safe haven in presentation space (from public comments) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-06-15)
  11. RE: ISSUE-38: no safe haven in presentation space (from public comments) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-05-23)
  12. RE: ISSUE-38: no safe haven in presentation space (from public comments) (from wdoyle@mitre.org on 2007-05-22)
  13. RE: ISSUE-38: no safe haven in presentation space (from public comments) (from tyler.close@hp.com on 2007-05-21)
  14. ISSUE-38: no safe haven in presentation space (from public comments) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-05-10)
  15. Re: ISSUE-38: no safe haven in presentation space (from public comments) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-04-18)
  16. ISSUE-38: no safe haven in presentation space (from public comments) (from dean+cgi@w3.org on 2007-04-15)

Related notes:

No additional notes.



Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact