RE: PIIEditorBar

And this is a good example of having specific use cases within a proposal.

I'm not sure how to prioritize use cases. Use cases around PII changing 
struck me as having the biggest potential for highlighting problems or 
downsides with this approach. So that would be one way to prioritize. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




"Close, Tyler J." <tyler.close@hp.com> 
06/13/2007 01:57 PM

To
"Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
cc
<public-wsc-wg@w3.org>
Subject
RE: PIIEditorBar






Hi Mez,
 
Yes, there are a lot of other use cases I need to write up for the PII bar 
proposal and handling of changes to PII strings is an important subset. 
I'll take your comment as an indication that I should write these ones up 
next. If you, or others, could indicate what other use-cases should be 
higher on the priority list, that would help me.
 
Thanks,
Tyler

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Friday, June 08, 2007 6:04 AM
To: Close, Tyler J.
Cc: public-wsc-wg@w3.org
Subject: PIIEditorBar


"The core conceptual change is augmenting the form filler with a record of 
what web site a stored text string was given to and providing the user 
with ready access to this record during a data entry task. "
One potential issue with this proposal is the security of storing PII. At 
some point that should be addressed. For example, in the cannonical 
security issues section, there might be short discussion on techniques 
used by password storage/management features and extensions to protect 
passwords in web user agents. 

When this is fully rephrased in conformance language, I'd like to see the 
petname/history part pulled out as one good practice (representing to 
users when they've been somewhere before). 

"For robustness against spoofing, the PII bar should be displayed using a 
theme customized to the user. "
There's a more general recommendation hiding here too, which I hope is 
pulled out when it's rephrased for conformance. 

"To encourage such treatment, the interface is designed such that it is 
easier to provide information to a web site using the PII bar than it is 
for the user to enter information into a web page directly. When using the 
PII bar, the user need not remember the exact sequence of characters in a 
PII string, nor type them in; rather, the string is selected from a menu."
The scenarios you haven't dealt with, that may raise issues, are when 
change happens to the validity of the PII strings. When the credit card 
number changes. Or expiration date. When the password has changed (I hit a 
lot of these every few months because of how my employer manages 
passwords). The stored password is no longer valid (right; it's been 
changed; must update it here too.) 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect



"Close, Tyler J." <tyler.close@hp.com> 
Sent by: public-wsc-wg-request@w3.org 
05/21/2007 07:15 PM


To
<public-wsc-wg@w3.org> 
cc

Subject
RE: Editing process for Recommendations








Hi Mez,
 
I'm also going to add my PII Editor bar proposal to our draft 
recommendations. See:
 
http://www.w3.org/2006/WSC/wiki/PersonallyIdentifiableInformationEditorBar
 
Shawn and I spoke last week about splitting up editing tasks. I'm taking 
care of finishing up the Note and he's going to get started on the 
recommendations. I think he's going to setup a skeleton draft and move the 
display recommendations from the wiki into the draft. I'll then add my PII 
Editor bar content. I'm hoping all this gets done this week, so that 
everyone can print a copy to take on the airplane with them.
 
Tyler

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Mary Ellen Zurko
Sent: Monday, May 21, 2007 12:41 PM
To: Close, Tyler J.
Cc: sduffy@aol.net; public-wsc-wg@w3.org
Subject: Re: Editing process for Recommendations


We're past May 18th. How are we doing? It seems we have three proposals 
that have been put in template format. Will those be forming the basis of 
our first public working draft recommendations? 

         Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect


"Close, Tyler J." <tyler.close@hp.com> 
Sent by: public-wsc-wg-request@w3.org 
04/27/2007 06:40 PM


To
<public-wsc-wg@w3.org> 
cc

Subject
Editing process for Recommendations











The calendar will soon turn to May and so if we're to do anything other
than drink Guinness while in Dublin for the next F2F, we will need some
draft recommendations.

I think each draft recommendation should be written up by the primary WG
members who will be developing the proposal. This division of labor
ensures each proposal is described by those most knowledgeable about it,
and that we've got a champion for each proposal who will help drive the
testing and implementation work that must be done.

To get some consistency among the proposal descriptions, I think we
should develop a template. The template would specify some required
sections for each proposal. For example, we could require a section that
enumerates the use-cases addressed by the proposal, or the security
information items relied upon, or the usability principles that are
leveraged, etc. We should develop this template over the course of the
next week.

I'd need to get finished text for each of the proposals by May 18th. By
finished text, I mean the exact text that should appear in the
recommendation document, but not necessarily in the W3C XML format. For
those unfamiliar with this XML language, I could go through and add the
syntax for the sections, paragraphs and lists. Look at our Note to see
the available structural elements. Shawn and I could then merge these
proposals into a document by the 23rd so that we all have a week to read
and think about the proposals before meeting in Dublin.

Tyler 

Received on Thursday, 14 June 2007 15:44:04 UTC