The W3C is calling for position papers on Web authentication, the process of verifying that a Web user is really who he or she claims to be, from Web security experts, software developers, browser manufacturers, and even their customers.
The papers will be presented at a workshop, scheduled to hit New York City March 15 and 16, which is expected to focus on ways browser vendors and e-commerce service providers can work together to improve security.
The W3C argued that the Web must be a safer place where users can do anything from basic browsing to complex transactions.
"Gaps in practical security on the Web make all users easy targets for fraud. Despite broad availability of security technologies, the Web community (browser developers, Web site operators, users) lack agreement on how to help avoid the most basic types of fraud," the W3C said.
Standards bodies have specifications and standards to keep Web users from conducting fraudulent Web services transactions.
For example, the Liberty Alliance and OASIS have created federation protocols to allow companies to safely conduct business over the Web.
But no one has really addressed the Web's security foundation, which is where vulnerabilities start, W3C spokesperson Janet Daly said. Web security today depends on Transport Layer Security (TLS), an IETF protocol that is wrapped around HTTP (define) transactions to authenticate endpoints and ensure private communications.
Current perpetrators get around the technically solid TLS security layer because the protocol implementations don't let users know what kind of security is in place, and with whom they are communicating.
So attackers can bypass these security mechanisms without users noticing.