
RE: use cases? (Re: Browser security warning)

From: <michael.mccormick@wellsfargo.com>
Date: Mon, 8 Jan 2007 15:21:58 -0600
Message-ID: <8A794A6D6932D146B2949441ECFC9D680287137D@msgswbmnmsp17.wellsfargo.com>
To: <tlr@w3.org>
Cc: <public-wsc-wg@w3.org>

I don't have time to write full-blown use cases by tomorrow but here are
some short stories:

A. Can eavesdroppers read my session?
Scenario:
Alice enters her credit card number on Bob's Plumbing web site, then
wonders if computers or people at her ISP (Carol's Cheap Internet Co.)
will be able to read it in transit.

B. Is the web site really the one I requested?
Scenario:
Alice clicks a link to Bob's Plumbing and the site comes up, but when it
asks for her credit card number she can't help wondering if this web
site really belongs to the same Bob's Plumbing she shopped at in the
past.

C. Have the web pages I'm seeing been tampered with?
Scenario:
Alice notices the Bob's Plumbing home page looks different than before,
and wonders if someone might have hacked in and made changes.

D. Is the web site reputable?
Scenario:
When Alice visited Bob's Plumbing online for the first time she wasn't
sure if the web site really belonged to a reputable merchant who could
be trusted with her credit card number.


>Michael McCormick, CISSP
>Lead Architect, Information Security

-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org] 
Sent: Monday, January 08, 2007 8:01 AM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: use cases? (Re: Browser security warning)

On 2006-12-27 23:56:39 -0600, michael.mccormick@wellsfargo.com wrote:

> To make matters worse, those things

... meaning security properties that TLS can deliver ...

> don't align perfectly to the questions an average user wants
> answered:
> A. Can eavesdroppers read my session?
> B. Is the web site really the one I requested?
> C. Have the web pages I'm seeing been tampered with?
> D. Is the web site reputable?
> Etc.

These strike me as excellent seeds for some short stories that we might
wish to capture in the use case part of the note.  Could you think of
writing up short and simple use cases that exhibit and illustrate these
concepts -- preferably for tomorrow? ;-)

Thanks,
--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Monday, 8 January 2007 21:21:53 GMT
