RE: ISSUE-38: no safe haven in presentation space (from public comments)

On the "not breaking it up" part, I (not surprisingly) agree with Bill.
The idea is to communicate effectively with humans, who are necessarily
lossy devices, coming with their own preconceived notions, buttressed by
confirmation bias. Reiteration and different grouping help.

I'd be happy to have part of this reiterated to augment the intro to "Out 
of Scope" (which is totally in line with the goal of getting this document 
to communicate better to humans). You want to take a crack at a proposal 
on that Tyler (or just do it and point us all to it)? 

Like Bill, I agree that the example list can be cleaned up, and perhaps 
turned into a series of references within the document. I'd like to ask 
either Bill or Tyler to try that iteration, since I know that "strength 
and clarity" (love that phrase Bill) is not my very strongest suit. But if 
you both decline, I'll take another crack at it. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect


"Doyle, Bill" <wdoyle@mitre.org>
Sent by: public-wsc-wg-request@w3.org
05/22/2007 11:28 AM
To: "Close, Tyler J." <tyler.close@hp.com>, <public-wsc-wg@w3.org>
cc:
Subject: RE: ISSUE-38: no safe haven in presentation space (from public comments)

I am not in favor of breaking it up. I feel that the text is already
implied in the note but needs to be stated in a clear, concise message.

I can see adding more strength and clarity to the text of "directly
addressing". We are not trying to fix the underlying IA mechanisms; after
all, if correctly implemented and working, the underlying security services
are very capable. Lack of consistency is one of the recurring themes
that has come up. The lack of consistency can be very misleading to the
user.

In terms of the login ceremony, as I understand it the WSC is looking at the
login ceremony in terms of consistency: presentation, user expectations -
HTTPS means xxxx, user sees this represented as X. The web site is free
to choose how it authenticates users and the underlying mechanisms used.
 
Bill D
 
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Close, Tyler J.
Sent: Monday, May 21, 2007 6:39 PM
To: public-wsc-wg@w3.org
Subject: RE: ISSUE-38: no safe haven in presentation space (from public comments)

Mez's proposed text is:
 
5.n Other Security Challenges

As stated in the charter, the mission of the Web Security Context Working
Group is to specify a baseline set of security context information that
should be accessible to Web users, and practices for the secure and usable
presentation of this information, to enable users to come to a better
understanding of the context that they are operating in when making trust
decisions on the Web. While the work this group does may have a positive
and beneficial effect on other security challenges on the web, directly
addressing such challenges (including user authentication to web sites,
single sign-on, and security models for active content on the web) are out
of scope.
 
I think it would be better to break this text up into different sections. 
The first part of it seems like it might be part of the introductory 
paragraph of the "Out of scope" section. The last part lists a series of 
topics that should each be a sub-section of "Out-of-scope". Just listing 
them, without further clarification, in an "Other" section might be 
inviting confusion. The "user authentication to web sites" item in 
particular seems tricky since we have decided parts of the login ceremony 
are in scope, such as how the user enters information into their user 
agent.
 
Tyler

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Thursday, May 10, 2007 7:49 AM
To: public-wsc-wg@w3.org
Subject: ISSUE-38: no safe haven in presentation space (from public comments)


I declare consensus. Editors will make the change and close the issue.

http://lists.w3.org/Archives/Public/public-wsc-wg/2007Apr/0219.html

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Received on Wednesday, 23 May 2007 13:07:25 UTC