This section now appears in the draft Note Out of scope section.
(A sub-section of the NoteIndex) [Mez drafted the original list; other contributions welcome.]
This page lists specific technical artifacts, like protocols or software components, that will not be the subject of any Working Group documents.
Out of scope
- Non-web user agents. User agents that never use the network, or if they do, only use non-web protocols.
- Email-specific processing. In particular, rich client email applications.
- Uses of non-web protocols (such as ftp, smtp, pop3) that cannot affect the web security context.
- Recommendations directly addressing changes to or use of the computing base that the web user agent runs on. Techniques that are robust in the face of some amount of computing base penetration are desirable, all things being equal, but will not be the focus of the effort, and are not preferable to more usable approaches that assume the computing base is trusted.
- Future-looking web user agent/protocol use cases. The WG will use scenarios based on existing user agents, protocols, and security context. Recommendations may generalize to future deployment scenarios, but they will not be the focus of the work.
- Automated/non-human user agents, e.g. as used on the "client" side of a proxy.
- Security and privacy threats which come from the exposure of information from one user to another on a system which is sequentially used by more than one individual, such as at a kiosk.
The Working Group will only create recommendations on the presentation of security context information and not on how that information must be acted upon. Recommended presentation techniques should facilitate and encourage safe browsing by users, but must not prevent the user from interacting with a web resource, even if an attack is suspected.
New security context information
The Working Group will neither create nor extend any protocol or data format, nor create recommendations for protocols or data formats that are not yet widely deployed. Recommendations will only be made for the presentation of currently deployed security context information.
Content-based detection
Techniques commonly used by intrusion detection systems, virus checkers and spam filters to detect illegitimate requests based on their content are out of scope for this Working Group. These techniques include comparing the served URLs, graphics or markup to known legitimate sites, or to known attacks. The heuristics used in these tools are a moving target and so are not a suitable subject for standardization. The Working Group will not recommend any checks on the content served by web sites.
Malware-infected systems (proposed, not final)
When a computer has been infected by malware, it is possible for the network stack or local trust systems to become compromised. The Working Group will not consider these cases when making recommendations, and will assume that the user agent has a trusted connection to the platform's networking stack.