- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Thu, 12 Apr 2007 15:16:27 -0400
- To: "Chuck Wade" <Chuck@Interisle.net>, <public-wsc-wg@w3.org>
Received on Thursday, 12 April 2007 19:14:16 UTC
Chuck,

This is the text that I asked to be added to the "Available Security Context" section of the note. We needed something; this still has its issues.

B

Web Server / Application Security

The Web Server and User Agent must negotiate a configuration that is mutually acceptable as noted in the User Agent section. Application security adds additional safeguards in addition to transport layer security (HTTPS). Application security can provide additional security context in order to maintain session security or enhance web server security to ensure that user data is private and secure from both external and internal attacks.

Connection Security

* User Agent / Web Server config - connection (e.g. HTTP protocol used in a secure mode)
* Acceptable Ciphers negotiated
* Certificate Authentication (verify the client cert)

Hosted Application Security

* Authentication Robustness
* Additional fields/services used by the web server to verify the user's authenticity
* Password customization
* Tokens, Biometrics