RE: ISSUE-132: Update Section 10.1 of wsc-xit with information from updated browser lock down wiki page from michael.mccormick@wellsfargo.com on 2007-11-26 (public-wsc-wg@w3.org from November 2007)

From: <michael.mccormick@wellsfargo.com>
Date: Mon, 26 Nov 2007 14:50:51 -0600
To: <hahnt@us.ibm.com>, <public-wsc-wg@w3.org>
Message-ID: <9D471E876696BE4DA103E939AE64164D867DAC@msgswbmnmsp17.wellsfargo.com>

Can you provide a real-world example where this usage mode would be
valuable?  Even for a locked down browser in an enterprise or public
kiosk it seems to me the user should be allowed to view security
settings.  (In fact I wouldn't be willing to use a public UA unless I
could do so.)

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Timothy Hahn
Sent: Monday, November 26, 2007 12:05 PM
To: 'Web Security Context Working Group WG'
Subject: RE: ISSUE-132: Update Section 10.1 of wsc-xit with information
from updated browser lock down wiki page



Hi all, 

I included this item in the Requirements section as a means of forcing
the point that there are different users, or even the same user (human),
but acting/operating in different mind-sets which interact with a user
agent.  So, either separated by different people or by different times,
a person should not be placed into a situation where they are asked to
make a security-related decision when they are not in the mind-set of
making such a decision.  To avoid this, I called for a usage mode that
would not display (or allow modification) of such security settings.
The idea being that if the person is wanting to do such perusal and/or
modification, then they should put themselves (and their user agent)
into that mode first. 

(An analogous type of notion is doing things with "sudo" rather than
just running as "root".  This is not an exact fit, but it is similar.) 

I was not advocating that a user never be able to view or modify
security-related settings.  I was advocating that users not be forced,
tempted, or encouraged to even look when they are not in the "usage
mode" that is indicative of considering security items/settings. 

Regards, 
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: 	"Dan Schutzer" <dan.schutzer@fstc.org> 

To: 	"'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Web
Security Context Working Group WG'" <public-wsc-wg@w3.org> 

Date: 	11/26/2007 12:29 PM 

Subject: 	RE: ISSUE-132: Update Section 10.1 of wsc-xit with
information from updated  browser lock down wiki page

  _____  




I would agree that a user should always be able to view and modify
security-related configuration settings, but that if a user agent does
their job correctly, it should not be necessary, especially for the user
who would have trouble understanding the kind of detailed security
configuration settings that one sees today in the Security tab 
  

  _____  


From: public-wsc-wg-request@w3.org [
<mailto:public-wsc-wg-request@w3.org>
mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Monday, November 26, 2007 11:36 AM
To: Web Security Context Working Group WG
Subject: Re: ISSUE-132: Update Section 10.1 of wsc-xit with information
from updated browser lock down wiki page 
  

"A user agent MUST support a mode of operation whereby the user is
unable to view or modify the security-related configuration settings. "

It seems wrong to me that there is a mode where the user is unable to
view the security related configuration settings. In every context I've
ever been in, having some ability to get to more information if helpful.


I would remove the "view or" part of this, unless I'm missing something.

Received on Monday, 26 November 2007 20:52:02 UTC