On 2006-05-22 13:53:00 -0400, Sam Hartman wrote:

> I think we are in broad agreement that the interesting work
> in this space must involve the UI and is not principally a
> protocol problem.

I very much agree. Incidentally, you may want to have a look at the report from the March W3C workshop:

http://www.w3.org/2005/Security/usability-ws/report

We (W3C) are currently thinking about how to best charter work that would specify some browser user interface components that would have to be outside the control of web sites, and could be used to make sure that users know (as opposed to look at on their screens) where they are going to send their confidential information.

Another element that we took as important from the workshop in NYC is to enable user agents to reliably recognize HTML forms that are used for authentication. This ability would enable user agents to manage credentials on behalf of the user. It would also enable user agents to *not* submit credentials using HTTP POST (even when entered through HTML forms), but instead grab them and use them for whatever HTTP-level authentication mechanism is used. User agents could also do intelligent things in the UI to make sure that users understand what they are doing here.

PS: I'm currently at WWW 2006 in Edinburgh. If any of you guys want to chat more about this, please feel free to drop me a line, so we can meet up somewhere.

Regards,
-- 
Thomas Roessler, W3C <[EMAIL PROTECTED]>
