Re: ACTION-208: "Site Identifying Images in Chrome" display recommendation from Mary Ellen Zurko on 2007-06-08 (public-wsc-wg@w3.org from June 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Fri, 8 Jun 2007 08:23:00 -0400
To: "<michael.mccormick" <michael.mccormick@wellsfargo.com>
Cc: public-wsc-wg@w3.org
Message-ID: <OF0F02545A.6DA11297-ON852572F4.0042C9F2-852572F4.00440993@LocalDomain>

"This recommendation addresses the use of site identifying images (e.g., 
logos) in web agent chrome. Specific implementations addressed are 
favicons and certificate logos. The use of site identifying images within 
content (not in chrome) is out of scope. "
Not out of scope for the WG. And indeed, the "what is a secure page" 
proposal deals with it. So those two aspects of these proposals should be 
aligned (merged up in the editor's draft). 

"For these reasons, favicon use on web sites requiring user trust should 
be considered a security anti-pattern. Favicons undermine the web security 
context display in two ways. First, they appear to provide security 
context but in reality do not. Second, they blur the distinction between 
chrome and content. "
I think there's a more general statement hiding here. You give all the 
reasons that favicons are a problem. So that anything that had those 
attributes would be a problem. That more general recommendation should 
also be a part of this one. 

I do think there might be Disruptions in this proposal. The Disruptions 
section is supposed to be for disruptions caused by the proposal. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




<michael.mccormick@wellsfargo.com> 
Sent by: public-wsc-wg-request@w3.org
05/19/2007 03:00 AM

To
<public-wsc-wg@w3.org>
cc

Subject
ACTION-208: "Site Identifying Images in Chrome" display recommendation






I drafted a display recommendation (using the template) that can be found 
at http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/FavIcon 
in satisfaction of my action item, which I propose can now be closed.

Michael McCormick, CISSP 
Lead Architect, Information Security Technology 
Wells Fargo Bank 
255 Second Avenue South 
MAC N9301-01J 
Minneapolis MN 55479 
(僴      612-667-9227 (desk)             7       612-667-7037 (fax) 
(       612-590-1437 (cell)             J       
michael.mccormick@wellsfargo.com (AIM) 
2       612-621-1318 (pager)            *       
michael.mccormick@wellsfargo.com 
¨THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS 
FARGO" 
This message may contain confidential and/or privileged information.  If 
you are not the addressee or authorized to receive this for the addressee, 
you must not use, copy, disclose, or take any action based on this message 
or any information herein.  If you have received this message in error, 
please advise the sender immediately by reply e-mail and delete this 
message.  Thank you for your cooperation.

Received on Friday, 8 June 2007 12:23:20 UTC