Friday, March 12, 2010

W3C Last Call Review for Web Security Context: User Interface Guidelines

Thomas Roessler and Anil Saldhana (eds), W3C Technical Report

Members of the W3C Web Security Context Working Group have published a
Last Call Working Draft for "Web Security Context: User Interface
Guidelines." The specification defines guidelines and requirements for
the presentation and communication of Web security context information
to end-users. Publication of this Last Call Working Draft follows the
22-December-2009 Candidate Recommendation of this specification; changes
are based on implementer feedback. A diff document details those changes.
The purpose of this Last Call is to solicit community comment on these
specific changes. The Working Group anticipates requesting transition
to Proposed Recommendation once this final Last Call is successfully

"The Working Group aims to demonstrate and test the WG's recommendations
on usable and robust communication of security context information
through implementations within the framework of one or more web user
agents. The most likely web user agents to serve as platforms for such
implementations are web browsers. To demonstrate that recommendations
are sufficiently general and interoperable, we expect implementation
in the context of at least two web user agents. We are targeting three
types of testing of our recommendations: functional testing, robustness
testing, and usability testing... All test development and testing is
iterative. The recommendations may need to be modified on the basis of
all three types of testing... Functional testing against the sample code
and appropriate deployment configurations will verify that the
recommendations can be translated to web user agent code, with no
functional ill effects on the rest of the web user agent. Robustness
testing will verify that the recommendations are robust against spoofing
attacks. Usability testing will verify that the recommendations provide
usable display of security context information...."

Overview: "Web user agents are now used to engage in a great variety and
number of commercial and personal activities. Though the medium for
these activities has changed, the potential for fraud has not. This
Working Group is chartered to recommend user interfaces that help users
make trust decisions on the Web. In-scope categories of technology and
information include: (1) Web interactions: user interactions on the Web,
using the HTTP and HTTPS protocols, where Web interactions involve other
application-level protocols, including, e.g., SOAP or FTP; (2) User
agents: a user agent is software to access Web content, including desktop
graphical browsers, text browsers, voice browsers, mobile phones,
multimedia players, plug-ins, and some software assistive technologies
used in conjunction with browsers such as screen readers, screen
magnifiers, and voice recognition software; (3) Entity identification,
where a web browsing session is like a conversation, where the user
converses with various entities, some known, and others newly encountered,
and each resource the user interacts with is identified by a URI; (4)
Third-party recommendation; (5) Historical browsing information...

The goal of this Working Group is to enable users to come to a better
understanding of the context that they are operating in when making
trust decisions on the Web; e.g., giving up passwords or other sensitive
information to possibly malicious sites... Current Web user agents
communicate only a small portion of available security context information
to users in a way that is easily perceived and understood. Other context
information that might be available to user agents and possibly helpful
to users is either not presented, or presented in a way that is not
understood by users, and hence useless or confusing. This information
ranges from logotypes and company names and addresses that might be
present in PKI certificates, to the user agent's memory of past
activities..."

