- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 18 Apr 2007 16:27:44 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
- Message-ID: <OF19D1530C.D2D2950D-ON852572C1.0070033F-852572C1.00706A4E@LocalDomain>
Under either "New Security Information" or "Other Security Challenges", Al
points out this is a future-looking statement, and so it's out of scope.
btw, I couldn't follow the contextual integrity link - you need to be
subscribed to The Economist:
http://www.economist.com/science/displaystory.cfm?story_id=E1_RQRGDSN
If anyone else goes there, let us know what it's about.
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/15/2007 11:01 AM
Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
To: public-wsc-wg@w3.org
cc:
Subject: ISSUE-44: beyond 'who' (some day) (public comment)
ISSUE-44: beyond 'who' (some day) (public comment)
http://www.w3.org/2006/WSC/Group/track/issues/44
Raised by: Bill Doyle
On product: Note: use cases etc.
From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html
beyond 'who' (some day)
where it says, in 4.3 Entity identification
Recommending a presentation for these
designators that helps the user recognize which entity they are
currently conversing with, and when they are switching to a
different entity, is a primary concern of this Working Group.
please consider
The likely shape of a better world of trust includes the terms of the
engagement beyond just 'who.' Absolutely, the state of what works today
is limited to "who" am I talking to.
And DNS domains are about as scientific a 'who' as users ever resolve in
their fuzzy brains, by way of entities that are not human individuals.
On the other hand, there is still a lot of dissatisfaction from consumers
about organizations taking information disclosed for a finite purpose and
redistributing it beyond what the user understood as the purpose of that
disclosure. So the group should be aware of contemporary work to model
trust decisions in terms of contextual integrity where the parameters of a
context desiring integrity are the defining characteristics of shared tasks
as well as who is in or out of the circle of the conversation.
please consider
attribute certificates in the picture, eventually (bearer is known to me
and assertion/attribute is true about said bearer). User can provide a
voucher for certified quality, not requiring disclosure of user's identity.
Why?
The parking meter needs to know you are a qualifying individual to use
disabled parking spots, but it does not need to know exactly who you are.
There are, in the best of all possible worlds, many correlates for this in
the world of B2C transactions. So while a clear communication of "who is in
the scene, and who am I conversing with?" is the name of the game for now,
the total picture in the long term may use attribute certificates as well as
identity certificates.
Received on Wednesday, 18 April 2007 20:27:48 UTC