RE: Page Security Score proposal

Mez et al,
 
One reason I advocate a numeric score is that it enables the agent to
boil a large complex set of secondary security context & trust
indicators down to a simple analog gauge-style primary indicator
(speedometer, color, thermometer, etc.)  As Tim Hahn eloquently
explained, this type of UI is something that's familiar and intuitive to
end users, and it can have value even if they don't know the particulars
behind the mapping.  Indeed, I feel that detailed secondary SCIs will
never be usable to the average user.
 
The reason I advocate a standard scoring formula is that it would give
all these primary SCIs the same underlying semantics regardless of how
they look or which agent / version is in use.  I believe this kind of
consistency would be very valuable to end users.
 
I also suspect the process of developing a weighted scoring formula will
prove a useful exercise for the web security community, because it
forces us to sort through the many pieces of Page Security Info we've
identified and evaluate their relative importance and interactions.  Of
course any straw man formula (including mine) should be tested with real
users & web sites, and fine tuned as needed.
 
I think there's room for more than one standard.  WSC should put a stake
in the ground to bootstrap the adoption process, while encouraging
innovation from others who may have ideas for improving scoring
algorithms.  I like the page score plug-in concept Stephen Farrell
suggested.
 
Mike

  _____  

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Friday, June 15, 2007 9:17 AM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: Re: Page Security Score proposal



Thanks Mike. This proposal touches on several other areas. So I'm trying
to wrap my head around the basic question "Why a numeric score?". Since
you rightly reference PageInfo, it isn't only about making what the
inputs are explicit. 

I believe we're likely to achieve consensus that there should be some
primary SCI display (there are accessibility and device
size/characteristics to be accounted for orthogonally, as well as the
multicultural aspect raised by Bruno/ANEC; I assume those and do not
explicitly address them here). To the extent there is a primary SCI
display, it will have to have some sort of levels or gradations (on/off,
3 levels as in "what is a secure page", 4 levels as this proposal
suggests, 99 levels/gradations as this proposal also suggests). No one
seems to be proposing something with no levels as a primary SCI (that is
currently relegated to secondary SCI in PageInfo, and rightly so in my
opinion). We discussed the issue of medium/high risk situations that are
pure display (no input) during one of the lightning discussions I led,
and there seemed to be consensus that there would be pure display use
cases of medium/high risk data, which also points towards consensus
around a primary SCI display. Now would be the time for any participant
to indicate that we did not have consensus on the need for
recommendations around a primary display of SCI which reflects some
level or gradation of security that is meant to be usable for trust
decisions. 

Goal #vocabulary (2.3) says we will "recommend a set of terms,
indicators and metaphors for consistent presentation of security
information to users, across all web user agents. For each of these
items, the Working Group will describe the intended user interpretation
..." That does argue for us standardizing on the indicators and what
they mean to the user. So the gap in my mind between numeric score and
our goals is, what is the intended user interpretation (user meaning) of
the levels/gradations of the score? 

Taking it from the other direction, here are some intended user
interpretations I could imagine might help with trust decisions on the
web. (Side comment, we got any research or other data on what user
interpretations would actually be useful to users? Audian, is that
something that you could do as a low cost usability test?)

1. We don't know enough/anything about the trustability. It's new
territory, you haven't been there before, the other wonky security
things don't show anything especially amazing or especially suspicious.
Proceed as you would in a new neighborhood. 

2. There's something fishy about this site. Don't trust it with anything
you really care about. Don't use anything it says in any situation that
involves something you consider risky. 

3. This site is trustworthy for commerce. You can safely give it your
name, address, phone number, and whatever financial information seems
appropriate to you in trustworthy commerce (credit card, password, ssn,
mother's maiden name,....). 

4. This is a site you've been to before and you've got some history with
it. What we show you reminds me of what that history is (a petname, the
most meaningful parts of the domain name, etc.), so that you can
remember what you trust this site for and use it for that (again). 

5. This is a site someone you trust has said is trusted for some
context. Here are displays for both those concepts; it should help you
figure out what you can safely do here. 

Some other user interpretations I could imagine we might like, but I
can't see how they'd fly. 

6. This site is using all the best cryptography and PKI. But there is no
additional semantic meaning we can give to it. Trust it for something,
maybe. After all, they must have invested x$ in a certificate from some
CA.

7. This site is part of your place of business. Trust it with everything
work related (I personally really want this one, but don't see a way to
do it beyond 4 and 5 above). 

8. This site allows all kinds of crazy bad security things to happen
like XSS and CSRF and the social networking/web 2.0 hack du jour. Run
away fast (I don't see how to make this one happen beyond 1 and 2). 

If you buy the premise that the levels have to be meaningful to the
user, then I don't see how scores can map to user meaningful levels with
"no surprises". I do see how combinations of security context
information could. Either way, we also have the problem that security
context information marches on, and there will be new ones, and new
values, and new attacks. As Mike points out, that will mean the need for
updates/iterations on the mappings of SCI to SCI displays. 




<michael.mccormick@wellsfargo.com>
06/09/2007 01:17 AM

To: <Mary_Ellen_Zurko@notesdev.ibm.com>
cc: <public-wsc-wg@w3.org>
Subject: Page Security Score proposal

I converted this recommendation to the correct template; see
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/PageScore
Thanks, Mike


  _____  

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Wednesday, June 06, 2007 6:51 AM
To: McCormick, Mike
Subject: RE: lightening discussion

Received on Monday, 18 June 2007 19:06:25 UTC