SOUPS 2007 Discussion Sessions
July 20, 2007 by Richard Conlanhttp://cups.cs.cmu.edu/soups/2007/program.html#discuss
Have notes from your discussion session that you’d like to share w/ those that attended one of the other ones? Post them here!
UW2SP: Usable Web 2.0 Security & Privacy
Moderator: Larry Koved (IBM T.J. Watson Research Center)
The goal of this discussion session is to establish new collaborations in topics related to usable security for Web 2.0 security and privacy.
Standardizing Usable Security and Privacy: Taking It To the Next Level, or Settling for Less?
Moderators: Mary Ellen Zurko (IBM) and Maritza Johnson (Columbia University)
This discussion session will consider the relationship between standards and standardization, and usable security and privacy, including where we are today, and where the usable security and privacy community would like to see that relationship go in the future.
One Laptop Per Child Security
Moderator: Ivan Krstic
A paper on Bitfrost, the One Laptop per Child security architecture, is being presented later at SOUPS. Usability was a crucial concern in the system’s design, and we believe Bitfrost will resist many security problems seen with today’s computers. In this discussion session, however, we wish to focus on problems that Bitfrost doesn’t solve. This includes both problems whose solutions were too hard to design or implement and problems that simply don’t have clear solutions, ranging anywhere from child-friendly authentication schemes to comprehensive browser security.
July 20th, 2007 at 07:19
While few people have a clear understanding of what Web 2.0 is, it appears to be a set of technologies that enable easy Web application development. Our discussion covered general Web 2.0 issues as well as issues specific to security, privacy, usability, and their intersection. Ten issues arose as key issues to address for Web 2.0:
- ownership rights for composite applications
Who owns an application composed of parts of others’ applications?
- authorization passing
How do we store and transmit policy with the data it covers?
- access control for Web 2.0 applications
Can users be given fine-grained access control over their data?
- What business models set up incentives for assuring security/privacy?
- Tracking evolution of your application
How can you find out what others do with your Web 2.0 application?
- making end-user programming easier
- delegation & making it understandable to users
If you can write an application in 5 minutes, but it takes days to get permission to publish it, what good is that? A good mechanism for managers to delegate authority to publish is needed. Also need ability to make “self-making” policy, i.e., policy that dictates what policy will apply to newly created content.
- tracking content ownership
While some discussion participants did not care for DRM solutions, they recognized a need to sometimes attach ownership information to published content.
- minimizing data sharing while allowing sharing where desired
For example, does Facebook really need the content posted on its site? Couldn’t it just know where data is stored and with whom it is to be shared? It could be more like an information broker than a provider.
- revocation
Once data is published, can it be revoked? Certainly, this would be desirable.
Jason Hong called for refining a list like this and publishing a list of the top 10 challenges for assuring usable Web 2.0 security and privacy.
Larry Koved, who was leading the discussion, closed it by showing the list of issues that came out of the Web 2.0 Security and Privacy workshop at Oakland.