Re: Browser security warning

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Thu, 4 Jan 2007 18:46:51 -0500
Cc: public-wsc-wg@w3.org
Message-ID: <OFF2FFA7BD.3FDCAD24-ON85257259.00800BC3-85257259.0082AA8E@LocalDomain>
To: ses@ll.mit.edu
> > The main point is that naively differentiating between a "secure"
> > state (padlock) and an insecure one (no padlock) isn't very effective.
> > I don't believe that changing from that binary approach to an N-ary
> > one, where the N options map to TLS state-machine states will be any
> > more effective. We need a subtler mix...
>    I agree that the padlock isn't effective.  I'm also against an N-ary
> approach.  Having sites with self-signed certs appear with an HTTPS in 
> the address bar adds a new category users have to understand.
>    I'm for having only one level of security (not the current two
> states)---you either reach the site in the address bar at the security 
> the site has deemed appropriate, or you don't reach it at all.

Interesting. I keep thinking part of the problem is trying to define all 
of security, instead of the parts that matter (protection from prying 
eyes, figuring out who you're talking to). Those don't strike me as 
categories too subtle for humans, since there are obvious human analogs 
(in a sealed envelope vs with a signature, for example). 

Received on Thursday, 4 January 2007 23:47:01 UTC
