- From: Dan Schutzer <dan.schutzer@fstc.org>
- Date: Wed, 2 May 2007 06:28:35 -0400
- To: "'Serge Egelman'" <egelman@cs.cmu.edu>, "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: "'Web Security Context WG'" <public-wsc-wg@w3.org>
These are good points -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman Sent: Tuesday, May 01, 2007 11:03 PM To: Mary Ellen Zurko Cc: Web Security Context WG Subject: Re: ISSUE-69: New goal--Reduce the number of scenarios in which users\' security depends upon authenticating sites This actually reminds me of something I've been thinking about for a few weeks now: there are certain situations where the user needs to make a decision. I think it would be interesting to create a taxonomy of situations where user decisions are required. Of all the ones I can currently think of, they all appear to fit under "policy decision." For instance, setting access permissions, determining whether the destination site really matches the destination intended, etc. Maybe this should be an action item? serge Mary Ellen Zurko wrote: > > I like the idea of having a goal in this space. I'd like to propose an > alternative wording that is more in line with the wording of our > charter. So I'm sure Stuart will like it less, because it is more > abstract and opaque. > > Title: "Reduce the number of scenarios in which users need to make > trust decisions." > Content: "No matter how well security context information is > presented, there > will always be users who, in some situations, will behave insecurely even in > the face of harsh warnings. Thus, the working group will also recommend > ways to reduce the number of situations in which users need to make > trust decisions." > > > > Mez > > Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) > Lotus/WPLC Security Strategy and Patent Innovation Architect > > > > *Web Security Context Issue Tracker <dean+cgi@w3.org>* > Sent by: public-wsc-wg-request@w3.org > > 04/25/2007 10:38 AM > Please respond to > Web Security Context WG <public-wsc-wg@w3.org> > > > > To > public-wsc-wg@w3.org > cc > > Subject > ISSUE-69: New goal--Reduce the number of scenarios in which users\' > security depends upon authenticating sites > > > > > > > > > > > ISSUE-69: New goal--Reduce the number of scenarios in which users' > security depends upon authenticating sites > > http://www.w3.org/2006/WSC/Group/track/issues/69 > > Raised by: Stuart Schechter > On product: Note: use cases etc. > > Looking at the goals in Section 2 of the note, I don't see how password > managers, which reduce the likelihood that a user will enter a password into > an impersonation site, would fit into our goals. MeZ tells me that she > believes there is a rough consensus that are inline with our goals. Stuart > proposes a new goal between 2.5 and 2.6: > > Title: "Reduce the number of scenarios in which users' security depends > on their ability to authenticating a site" > Content: "No matter how well security information is presented, there > will always be users who, in some situations, will behave insecurely even in > the face of harsh warnings. Thus, the working group will also recommend > ways to reduce the number of situations in which users' security will be > compromised if they fail to recognize an impersonation attack or other > security failure." > > > > > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Wednesday, 2 May 2007 10:29:21 UTC