The organization has called for position papers from enterprise security experts, commercial application development teams, browser manufacturers and their customers that focus on near-term improvements to the usability and transparency of web authentication.
The workshop, dubbed "Towards a More Secure Web -- W3C Workshop on Transparency and Usability of Web Authentication," is due to take place in New York City on March 15 and 16 and is hosted by Citigroup.
Gaps in practical security on the web make all users easy targets for fraud, warned W3C.
"Despite broad availability of security technologies, the web community (browser developers, website operators, users) lack agreement on how to help avoid the most basic types of fraud," the organization said. "For example, web users often cannot tell whether a web site is really what it claims to be. All users deserve web security that is convenient to use, and easy to understand."
The W3C noted that web security today critically depends on Transport Layer Security (TLS), an IETF protocol that is wrapped around HTTP transactions to provide endpoint authentication and communications privacy. However, it admits that "ongoing phishing attacks demonstrate that these security measures fail in practice: While the currently available mechanisms are technically solid, implementations often don't succeed in making users aware what kind of security is actually in place, and with whom they really communicate. As a result, attackers can bypass these security mechanisms without users noticing."
In order to solve this problem, the World Wide Web Consortium calls for diverse communities to come together and consider "setting new thresholds for both security and usability".
The workshop targets communities and commercial sectors critical to a more secure web environment for users. The workshop is chaired by Daniel Schutzer, Citigroup representative, and Thomas Roessler of the W3C. The program committee includes representation from America Online (AOL), Apple Computer, Bar-Ilan University, Carnegie Mellon University, the Center for Democracy and Technology (CDT), Columbia University, Comodo, Financial Services Technology Consortium (FSTC), Graz University of Technology, Microsoft, Mozilla, Ruhr-Universität Bochum, (SIZ), Sun Microsystems, KDE project, New York University, Opera and VeriSign.
"This Workshop aims to concretely identify a range of issues faced by those who wish to use the web as a secure environment for tasks ranging from basic browsing to the most specialized application. In particular, the participants will look at ways to help address the current threats on the web that are caused by the present lack of comprehensible and transparent web authentication," the W3C stated.
The workshop is expected to focus on near-term improvements that can be realized in browsers. Experiences and use cases from the financial services industry are expected to inform the discussion.
Position papers are invited for submission by email before Jan. 25, 2006.