W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Comment on Note

From: Bob Pinheiro <bob.pinheiro@fstc.org>
Date: Wed, 04 Apr 2007 05:44:39 -0700
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
Message-ID: <E1HZ4rp-0005Yy-Ot@lisa.w3.org>

Section 10.2 (Learning from Past Efforts) states that "A growing body of research
documents presentation techniques that have not proved effective in providing
usable security."  Section 10.3 (Implementation and Testing), which discusses the
types of testing that the Working Group will undertake, states that "Usability
testing will verify that the recommendations provide usable display of security
context information."

Given the past experiences cited in 10.2, it is not inconceivable that when the
recommendations undergo usability testing, some will fall short of whatever
criteria is set for "acceptable" usability.  This suggests that the process of
developing recommendations may need to be iterative; that is, the recommendations
may need to be modified on the basis of the usability testing.  

It is also likely to be true that any of the recommendations for presentation
techniques or security context information made by the Working Group will either
be ignored or misunderstood by some number of Internet users, or will otherwise
be subject to successful attacks.    I understand that the actual usability
testing that can be performed by the Working Group will depend on available
resources to perform the testing.  However, it may turn out that for some of the
use case scenarios discussed in Section 6.5, the Working Group will have no
recommendations for the presentation of security information that is determined
to be adequately "usable."  Such results may suggest that for those use cases, it
may be more appropriate to think in terms of "safe browsing" alternatives.  That
is, in some cases, it may be unreasonable to expect that users will recognize
certain security context information that will prevent them from falling victim
to fraud.  In those cases, it may be more appropriate to consider an alternative
that invokes a browser specially configured for "safe browsing", which would
allow access only to certain websites satisfying some set of criteria or
characteristics.  



Received on Wednesday, 4 April 2007 12:49:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT