Re: Documenting the status quo from Mary Ellen Zurko on 2007-03-13 (public-wsc-wg@w3.org from March 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Tue, 13 Mar 2007 18:11:43 -0400
To: "AlavilliPraveen" <AlavilliPraveen@AOL.COM>
Cc: public-wsc-wg@w3.org
Message-ID: <OF678DB2E5.434D18A8-ON8525729D.0079DFE0-8525729D.0079EC32@LocalDomain>
Great updates Praveen. I started a space in the wiki for this goal:

http://www.w3.org/2006/WSC/wiki/DocumentStatusQuo

Please fold this in, and edit at will!

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




AlavilliPraveen@AOL.COM (Praveen Alavilli) 
Sent by: public-wsc-wg-request@w3.org
03/13/2007 12:12 PM

To
public-wsc-wg@w3.org
cc

Subject
Re: Documenting the status quo







some comments in-line [Praveen] ...

Mary Ellen Zurko wrote:
> 
> One goal in our Note reads:
> 
> *2.1 Document the status quo*
> 
> The Working Group will catalog existing presentation of security 
> information and corresponding user interpretations reported in user 
studies.
> 
> Assuming the group agrees, that means it is something the group is 
> willing to work on.
> 
> We have a start on security information itself in "Available Security 
> Information" of the Note (currently section 7). Which of those are part 
> of existing presentation of security information (in web user agents)? 
> My runthrough is below.
> 
> On the corresponding user interpretations reported in user studies, I'm 
> looking for a volunteer to go through our SharedBookmarks and indicate 
> which of those have corresponding user interpretations reported in user 
> studies (and of course to add more references in that area, if they know 

> of any). Anyone willing to get that aspect going?
> 
> ++++++++++++++++++++++++++++++++++++++++++++
> 
> HTTP-Auth handshake - for the browser I use, the hostname appears in the 

> title area of a dialog box, and the realm as the first line of that 
> dialog box (prompting me for username and password). Also, if I have 
> saved my username and password in by browsers password saving feature, 
> my username is filled in, and some indication of the password as well. 
> (this latter should probably be reflected somewhere in section 7, 
> perhaps under "provided by user").
> 
> cookies - I can't think of anything that proactively presents anything 
> about cookies as any indicator of a continuing relationship with a site 
> (or anything else). I believe I could configure my browser to 
> proactively show me cookie information. I no longer do that.

[Praveen]

The P3P Policy (http://www.w3.org/P3P/) does provide some information 
about what data is being stored in the cookies and how it's used. 
Several user-agents (IE6.0/7.0 atleast)  already provide visual 
indicators about these and also provide ways for the user's to 
accept/deny cookies automatically (without showing cookie information in 
annoying popups).


> 
> Has the page completed loading?- the browser I use has a progress 
> indicator at the bottom representing something about the percentage 
> loading (I'm not sure exactly what each bar is meant to mean, but I hope 

> it only fills when it's totally done loading), and an icon in the top 
> right hand corner that "waves" a bit while the loading is occuring (I 
> got to spend a lot of time staring at both of these lately participating 

> in the "flash crowd" to try to get BAM tickets for the McKellan Lear).
> 

[Praveen]

With the new Web2.0 applications (most of them sending requests 
asynchronously), the progress indicator doesn't anymore mean that the 
page is still loading. It's just some data the web site/app is trying to 
load to provide better user-experience to the user.



> referring page - I don't know of any displays of it
> redirection path - ditto

[Praveen]

Some mentioned on the call today that the back ( & forward) buttons 
provide this info. I don't think that's always true. They only display 
the url (page title if available) if the request returns a HTTP response 
status code 200. If the response code is 302/301 for example - the most 
commonly used mechanism to redirect a user-agent from one url to 
another, the original Page/Url requested is no longer stored in the 
browser's history - and hence not displayed in the back/forward button 
list.

Today all user-agents, with their default settings (which most users 
disable anyway), only display warnings to the user when the redirects 
are from Secure (SSL) to insecure (non-ssl) urls and vice versa. But 
there are no such warnings when a user is being redirected automatically 
from one site (domain) to another. Not sure if it really helps or not in 
all cases but might be helpful against url spoofing.

In the federated single sign on use cases, where users are redirected 
from one site to another for authentication and single sign on, this 
might be useful for the user to identify his own Identity Provider.


> content-type - ditto
> 
> target URI for a hyperlink or form submission - for hyperlinks, a mouse 
> hover over shows the URL in a status area in both the browser and rich 
> client I use. The browser I use doesn't seem to show it anywhere for 
> form submission.
> 
> presence of dynamic content - my browser will prompt me if it's ActiveX 
> and I haven't agree to always trust the certificate for stuff like that. 

> There seem to be a number of ways I could configure it to prompt me for 
> various types of dynamic content.
> 
> Does the content come from multiple domains? - I know of no way I'm 
> currently told about this.
> 
> Was the content transmitted using SSL? - for the main page, the URL will 

> begin with https if it was. I guess that the lock icon will appear as 
> well. If some content is secured this way and some not, there's this 
> extra prompt before display. I hear some browsers also change the color 
> of the URL display.
> 
> SSL server certificate chain 
> <http://www.w3.org/2006/WSC/drafts/note/#pkix>- for most, I think it 
> only tells me when things go wrong. Here's what Mozilla does: 
> http://www.w3.org/2006/WSC/wiki/NoteMozillaCertificateValidationErrors. 
> George couldn't suck it up and post the KDE errors, and no one seems to 
> be able to say what IE does. I can also double click on the lock icon, 
> and get that information (and so much more).
> certificate authority
> distinguished name 
> public key
> validity timeframe
> 
> extended validation - in IE, it will turn the URL green 
> http://www.cabforum.org/certificates.html
> 
> Ciphersuite
> public key algorithm and key length
> symmetric key algorithm and key length
> message digest algorithm
> CRL
> OSCP <http://www.w3.org/2006/WSC/drafts/note/#ocsp>
> For all these, if it's not covered in the Mozilla (and other  browser) 
> docs, I don't know. Someone will need to find references or do writeups.
> 
> server hostname - somebody said there was a browser that re displayed 
> the hostname somewhere.
> server IP address - I don't know of anything
> localhost versus intranet versus internet - I believe my browser 
> displays a picture and text in the lower right hand corner.
> DNSSEC <http://www.w3.org/2006/WSC/drafts/note/#dnssec>- I have no idea
> 
> installed certificate authorities - I can bring up a dialog to see them, 

> though it's not clear to me how they're differentiated from ones I've 
> added myself. Different categories? Different tabs? Geez, I suppose I 
> should really know this...
> installed search engines - I've got a button that brings it up
> default window layout - not sure what should go here. Chrome commentary?
> default bookmarks - I've long forgotten if there were some; I would have 

> removed them
> default configuration - not sure what aspects to talk about here
> 
> submitted form values - I don't have anything here
> bookmarks - they are in lists I can bring up, either as a menu or as 
> part of the window real estate
> browsing history - there are pulldown lists for back, forward, and the 
> url display
> installed client certificates - I imagine there's a dialog I can find 
> those in.
> installed server certificates - There's a dialog I can find those in.
> How was the URL entered? - no representations of that, afaik
> typed into address bar
> pasted into address bar
> clicked hyperlink
> command from another application
> user's understanding of his task - hmmmm......
> user agent customization - nothing coming to mind
> 
> reputation service - Michael M produced the best writeup I know on that 
> http://lists.w3.org/Archives/Public/public-wsc-wg/2007Feb/0081.html
> hyperlinks on visited web pages - not sure what we're getting at here; 
>  perhaps more future looking.
> introductions from friends
> search engine results - I search, I see them. I've heard it referred to 
> as the "ten blue links" paradigm.
>
Received on Tuesday, 13 March 2007 22:11:52 UTC