RE: Documenting the status quo from Doyle, Bill on 2007-03-19 (public-wsc-wg@w3.org from March 2007)

From: Doyle, Bill <wdoyle@mitre.org>
Date: Mon, 19 Mar 2007 09:41:40 -0400
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "AlavilliPraveen" <AlavilliPraveen@AOL.COM>
Cc: <public-wsc-wg@w3.org>
Message-ID: <518C60F36D5DBC489E91563736BA4B5801561A13@IMCSRV5.MITRE.ORG>
Documenting Status Quo - Started to add structure to the page and began
to incorporate the comments discussed and those  that I have seen.  The
document is still a bit fragmented - ok quite a bit fragmented, will
try to have it in a sane state by Tuesday.
 
Bill D.
 
 


________________________________

	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
	Sent: Tuesday, March 13, 2007 6:12 PM
	To: AlavilliPraveen
	Cc: public-wsc-wg@w3.org
	Subject: Re: Documenting the status quo
	
	

	Great updates Praveen. I started a space in the wiki for this
goal:
	
	http://www.w3.org/2006/WSC/wiki/DocumentStatusQuo
	
	Please fold this in, and edit at will!
	
	          Mez
	
	Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l
333-6389)
	Lotus/WPLC Security Strategy and Patent Innovation Architect
	
	
	
	
AlavilliPraveen@AOL.COM (Praveen Alavilli) 
Sent by: public-wsc-wg-request@w3.org 

03/13/2007 12:12 PM

To
public-wsc-wg@w3.org 
cc
Subject
Re: Documenting the status quo

	




	
	some comments in-line [Praveen] ...
	
	Mary Ellen Zurko wrote:
	> 
	> One goal in our Note reads:
	> 
	> *2.1 Document the status quo*
	> 
	> The Working Group will catalog existing presentation of
security 
	> information and corresponding user interpretations reported
in user studies.
	> 
	> Assuming the group agrees, that means it is something the
group is 
	> willing to work on.
	> 
	> We have a start on security information itself in "Available
Security 
	> Information" of the Note (currently section 7). Which of
those are part 
	> of existing presentation of security information (in web user
agents)? 
	> My runthrough is below.
	> 
	> On the corresponding user interpretations reported in user
studies, I'm 
	> looking for a volunteer to go through our SharedBookmarks and
indicate 
	> which of those have corresponding user interpretations
reported in user 
	> studies (and of course to add more references in that area,
if they know 
	> of any). Anyone willing to get that aspect going?
	> 
	> ++++++++++++++++++++++++++++++++++++++++++++
	> 
	> HTTP-Auth handshake - for the browser I use, the hostname
appears in the 
	> title area of a dialog box, and the realm as the first line
of that 
	> dialog box (prompting me for username and password). Also, if
I have 
	> saved my username and password in by browsers password saving
feature, 
	> my username is filled in, and some indication of the password
as well. 
	> (this latter should probably be reflected somewhere in
section 7, 
	> perhaps under "provided by user").
	> 
	> cookies - I can't think of anything that proactively presents
anything 
	> about cookies as any indicator of a continuing relationship
with a site 
	> (or anything else). I believe I could configure my browser to

	> proactively show me cookie information. I no longer do that.
	
	[Praveen]
	
	The P3P Policy (http://www.w3.org/P3P/) does provide some
information 
	about what data is being stored in the cookies and how it's
used. 
	Several user-agents (IE6.0/7.0 atleast)  already provide visual

	indicators about these and also provide ways for the user's to 
	accept/deny cookies automatically (without showing cookie
information in 
	annoying popups).
	
	
	> 
	> Has the page completed loading?- the browser I use has a
progress 
	> indicator at the bottom representing something about the
percentage 
	> loading (I'm not sure exactly what each bar is meant to mean,
but I hope 
	> it only fills when it's totally done loading), and an icon in
the top 
	> right hand corner that "waves" a bit while the loading is
occuring (I 
	> got to spend a lot of time staring at both of these lately
participating 
	> in the "flash crowd" to try to get BAM tickets for the
McKellan Lear).
	> 
	
	[Praveen]
	
	With the new Web2.0 applications (most of them sending requests

	asynchronously), the progress indicator doesn't anymore mean
that the 
	page is still loading. It's just some data the web site/app is
trying to 
	load to provide better user-experience to the user.
	
	
	
	> referring page - I don't know of any displays of it
	> redirection path - ditto
	
	[Praveen]
	
	Some mentioned on the call today that the back ( & forward)
buttons 
	provide this info. I don't think that's always true. They only
display 
	the url (page title if available) if the request returns a HTTP
response 
	status code 200. If the response code is 302/301 for example -
the most 
	commonly used mechanism to redirect a user-agent from one url
to 
	another, the original Page/Url requested is no longer stored in
the 
	browser's history - and hence not displayed in the back/forward
button list.
	
	Today all user-agents, with their default settings (which most
users 
	disable anyway), only display warnings to the user when the
redirects 
	are from Secure (SSL) to insecure (non-ssl) urls and vice
versa. But 
	there are no such warnings when a user is being redirected
automatically 
	from one site (domain) to another. Not sure if it really helps
or not in 
	all cases but might be helpful against url spoofing.
	
	In the federated single sign on use cases, where users are
redirected 
	from one site to another for authentication and single sign on,
this 
	might be useful for the user to identify his own Identity
Provider.
	
	
	> content-type - ditto
	> 
	> target URI for a hyperlink or form submission - for
hyperlinks, a mouse 
	> hover over shows the URL in a status area in both the browser
and rich 
	> client I use. The browser I use doesn't seem to show it
anywhere for 
	> form submission.
	> 
	> presence of dynamic content - my browser will prompt me if
it's ActiveX 
	> and I haven't agree to always trust the certificate for stuff
like that. 
	> There seem to be a number of ways I could configure it to
prompt me for 
	> various types of dynamic content.
	> 
	> Does the content come from multiple domains? - I know of no
way I'm 
	> currently told about this.
	> 
	> Was the content transmitted using SSL? - for the main page,
the URL will 
	> begin with https if it was. I guess that the lock icon will
appear as 
	> well. If some content is secured this way and some not,
there's this 
	> extra prompt before display. I hear some browsers also change
the color 
	> of the URL display.
	> 
	> SSL server certificate chain 
	> <http://www.w3.org/2006/WSC/drafts/note/#pkix>- for most, I
think it 
	> only tells me when things go wrong. Here's what Mozilla does:

	>
http://www.w3.org/2006/WSC/wiki/NoteMozillaCertificateValidationErrors.

	> George couldn't suck it up and post the KDE errors, and no
one seems to 
	> be able to say what IE does. I can also double click on the
lock icon, 
	> and get that information (and so much more).
	> certificate authority
	> distinguished name  
	> public key
	> validity timeframe
	> 
	> extended validation - in IE, it will turn the URL green 
	> http://www.cabforum.org/certificates.html
	> 
	> Ciphersuite
	> public key algorithm and key length
	> symmetric key algorithm and key length
	> message digest algorithm
	> CRL
	> OSCP <http://www.w3.org/2006/WSC/drafts/note/#ocsp>
	> For all these, if it's not covered in the Mozilla (and other
browser) 
	> docs, I don't know. Someone will need to find references or
do writeups.
	> 
	> server hostname - somebody said there was a browser that re
displayed 
	> the hostname somewhere.
	> server IP address - I don't know of anything
	> localhost versus intranet versus internet - I believe my
browser 
	> displays a picture and text in the lower right hand corner.
	> DNSSEC <http://www.w3.org/2006/WSC/drafts/note/#dnssec>- I
have no idea
	> 
	> installed certificate authorities - I can bring up a dialog
to see them, 
	> though it's not clear to me how they're differentiated from
ones I've 
	> added myself. Different categories? Different tabs? Geez, I
suppose I 
	> should really know this...
	> installed search engines - I've got a button that brings it
up
	> default window layout - not sure what should go here. Chrome
commentary?
	> default bookmarks - I've long forgotten if there were some; I
would have 
	> removed them
	> default configuration - not sure what aspects to talk about
here
	> 
	> submitted form values - I don't have anything here
	> bookmarks - they are in lists I can bring up, either as a
menu or as 
	> part of the window real estate
	> browsing history - there are pulldown lists for back,
forward, and the 
	> url display
	> installed client certificates - I imagine there's a dialog I
can find 
	> those in.
	> installed server certificates - There's a dialog I can find
those in.
	> How was the URL entered? - no representations of that, afaik
	> typed into address bar
	> pasted into address bar
	> clicked hyperlink
	> command from another application
	> user's understanding of his task - hmmmm......
	> user agent customization - nothing coming to mind
	> 
	> reputation service - Michael M produced the best writeup I
know on that 
	>
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Feb/0081.html
	> hyperlinks on visited web pages - not sure what we're getting
at here; 
	>  perhaps more future looking.
	> introductions from friends
	> search engine results - I search, I see them. I've heard it
referred to 
	> as the "ten blue links" paradigm.
	>
Received on Monday, 19 March 2007 13:41:59 UTC