Let's just stay with the British 'realise' and 'authorise', as we've been
back and forth with this a few times.

Some errata for draft-9 of the USH:

----------------------------------------------------------------------

   The precaution commonly taken against password eavesdropping by larger
   institutions, such as corporations, is to use one-time password
   systems. Until recently, this has been far too complicated and
   expensive for home systems and small businesses. However, an
   increasing number of products allow this to be done without fancy
   hardware, using cryptographic techniques. An example of such a
   technique is Secure Shell [SSH], which is both freely and commercially
   available for a variety of platforms. Many products (including
   SSH-based ones) also allow data to be encrypted before it is passed
   over the network.

The problem with this paragraph is that it implies that SSH is an OTP
system. I think that it should read:

   The precaution commonly taken against password eavesdropping by larger
   institutions, such as corporations, is to use one-time password
   systems. Until recently, it has been far too complicated and expensive
   for home systems and small businesses to employ secure log in systems.
   However, an increasing number of products allow this to be done
   without fancy hardware, using cryptographic techniques. An example of
   such a technique is Secure Shell [SSH], which is both freely and
   commercially available for a variety of platforms. Many products
   (including SSH-based ones) also allow data to be encrypted before it
   is passed over the network.

----------------------------------------------------------------------

   If the system has a mixed purpose, say recreation, correspondence and
   some home accounting, perhaps you will hazard some downloading of
   software. You unavoidably take some risk of acquiring stuff which is
   not exactly what it seems to be. It may be worthwhile installing
   privacy software on a computer if it is shared by multiple users.
   That way, a friend of a roommate won't have access to your private
   data, and so on.

These paragraphs need a break between them.

----------------------------------------------------------------------

   issues through on-line security forums. See [SSH] for a list of
   references.

[SSH] should be [RFC2196].

----------------------------------------------------------------------

   One-time passwords make a sniffed password useless to the intruder,

'sniffed' should be 'stolen'. 'to the intruder' should be 'to steal'.

----------------------------------------------------------------------

   ActiveX
      Microsoft's system that allows webpages to run (active)
      application code from a websource on the client system, bypassing
      various controls.

Omit this section - it has proprietary language, is incorrect, too
complicated and not necessary.

----------------------------------------------------------------------

   Email Bombs
      A denial-of-service attack caused by too many Email being received
      by a server to the stage where the server runs out of resources.

Besides containing a typographical error ('too many Email') I don't
think we need this item at all. This is not discussed in the rest of
the text and adds nothing to the discussion of email really.

----------------------------------------------------------------------

   Email Security Software
      Software like PGP provides security functionalities like
      encryption (and decryption) to enable the end-user to protect
      messages and documents prior to sending them over a possibly
      insecure network.

This section might be rewritten as:

   Software which provides security through digital signatures,
   encryption (and decryption) to enable the end-user to protect
   messages and documents prior to sending them over a possibly insecure
   network. PGP is an example of such software.

----------------------------------------------------------------------

   Certificate
      A certificate is used to verify digital signatures.
      Say, an Email message contains a digital signature which says "I
      am from Bob". To verify this, Bob's key will have to be used to
      check it. Without getting Bob's key, recipients may, instead, rely
      on certificates (which certify that the key actually belongs to
      Bob) to verify the source of the message.

This is not clear at all. How about:

   Certificates are data which is used to verify digital signatures. A
   certificate is only as trustworthy as the agency which issued it.
   Certificates are used to verify a particular signed item, such as an
   Email message or a web page. The digital signature, the item and the
   certificate are all processed by a mathematical program. It is then
   possible to say, if the signature is valid, that "According to the
   agency which issued the certificate, the signer was (some name)."

----------------------------------------------------------------------

   PPP (Point to Point Protocol)
      PPP is the mechanism which most end-users establish between their
      PC and their Internet service provider, that effectively provides
      the PC with a "host" status (level with other servers on the
      network), enabling them to make further Internet connections (eg.
      Email, chat etc)

I suggest the definition be:

   PPP is the mechanism which most end-users establish a network
   connection between their PC and their Internet service provider.
   Once connected, the PC is able to transmit and receive data to any
   other system on the network.

----------------------------------------------------------------------

   Anyone who can gain physical access to your computer can almost
   certainly break into it. Therefore, be cautions regarding who you
   allow access to your machine. If physically securing your machine is
   not

The formatting on this paragraph got messed up in the process of
preparing draft 09.
----------------------------------------------------------------------

   It is very important to test your computer if you have been using
   freeware, other peoples' used floppy disks to transfer files, and so
   on.

We had agreed that we wouldn't use 'freeware' here. Instead, say "if
you have been using shared software of dubious origin, other people's
used floppy disks..."

----------------------------------------------------------------------

Typographic errors

   rules are for users with respect to physical secruity, data
                                                ^^^^^^^^
Should be security.

   The process of transfering files between two computer systems
                  ^^^^^^^^^^^
Should be transferring.

   his or her account ID (ie. username) and password. If this
                              ^^^^^^^^
   username and password and then your data over the network without
   ^^^^^^^^
   These accounts may be set up with a predefined (username and)
                                                   ^^^^^^^^
Should be user name not username in all cases.

   password to allow anyone access and aare often put there to make
                                       ^^^^
Should be are.

   present and pristene states. Thus, it is necessary for some work
               ^^^^^^^^
Should be pristine.

   it is alright to reveal secrets to technicians. Site visits may
         ^^^^^^^
Should be all right.

   The chracters that are displayed when logging into a system to ask
       ^^^^^^^^^
Should be characters.

   may be shared by roomates who are friends but prefer to keep their
                    ^^^^^^^^
Should be room mates, right?

   These term is used to describe attackers,
   ^^^^^
Should be This.