ACTION-148 Discussion: The role of technology-specific security aids in our recommendations from Johnathan Nightingale on 2007-03-06 (public-wsc-wg@w3.org from March 2007)

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Tue, 6 Mar 2007 11:01:16 -0800 (PST)
To: W3C WSC Public <public-wsc-wg@w3.org>
Message-ID: <32940121.40211173207676417.JavaMail.root@cm-mail01.mozilla.org>

Hello all,

As discussed on today's call, I have taken the action to initiate discussion of a proposed change to the note/recs to more explicitly include mention of auxiliary security technologies that may be relevant within the user's context. If you are lazy, you may skip down to the ***, where I get to the point.

The two that were discussed specifically in the call were:
- SRP (ref: http://en.wikipedia.org/wiki/Secure_remote_password_protocol).
- RSA-style 2-factor authentication (ref: http://en.wikipedia.org/wiki/Two_Factor_Authentication and for our purposes, particularly http://en.wikipedia.org/wiki/Two_Factor_Authentication#Other_types )

The question is, what role (if any) do these technologies play in our recommendations.

Section 5.1 (Out of scope: Protocols) and 5.4 (Out of scope: New security information) would seem to argue for a limited role. We don't want to go down the path of investigating each of these protocols and making judgements based on their fitness.

I was initially inclined to approach this in terms of adding a subsection to section 7, but:

a) It would extremely difficult to make this list even remotely exhaustive. Bolt-on web security augmentation is, I'm sure, a thriving multinational industry.

b) Much of it would not pass the preamble to section 7 ("This section provides an exhaustive list of security information *currently available* in web user agents." [emphasis added]) User agent support for SRP is (afaik) non-existent, and two-factor authentication, while widely deployed, is not available to the user agent in any consistent way. There is not, e.g., a <link rel="application/2factorauth".../> standard markup.

***
My proposal therefore is to close the action with no change to the note or recommendations unless there are specific technologies in this category which are:

a) available to the user agent in some cross-platform way
b) already deployed

I am, of course, open to discussion on the matter. :)

Cheers,

Johnathan

--
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Tuesday, 6 March 2007 18:55:11 UTC