Re: ISSUE-69: New goal--Reduce the number of scenarios in which users' security depends upon authenticating sites

From: Shawn Duffy <sduffy@aol.net>
Date: Wed, 02 May 2007 07:34:15 -0400
Message-ID: <46387737.7040903@aol.net>
To: Serge Egelman <egelman@cs.cmu.edu>
CC: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, Web Security Context WG <public-wsc-wg@w3.org>

Agreed.  It would seem to make sense that, in order to reduce the
scenarios where users have to make trust decisions, we should identify
all the scenarios in which they are currently making those decisions.

Shawn

Serge Egelman wrote:
> This actually reminds me of something I've been thinking about for a few
> weeks now:  there are certain situations where the user needs to make a
> decision.  I think it would be interesting to create a taxonomy of
> situations where user decisions are required.  Of all the ones I can
> currently think of, they all appear to fit under "policy decision."  For
> instance, setting access permissions, determining whether the
> destination site really matches the destination intended, etc.
> 
> Maybe this should be an action item?
> 
> serge
> 
> Mary Ellen Zurko wrote:
>> I like the idea of having a goal in this space. I'd like to propose an
>> alternative wording that is more in line with the wording of our
>> charter. So I'm sure Stuart will like it less, because it is more
>> abstract and opaque.
>>
>>    Title:   "Reduce the number of scenarios in which users need to make
>> trust decisions."
>>    Content: "No matter how well security context information is
>> presented, there
>> will always be users who, in some situations, will behave insecurely even in
>> the face of harsh warnings.  Thus, the working group will also recommend
>> ways to reduce the number of situations in which users need to make
>> trust decisions."
>>
>>
>>
>>           Mez
>>
>> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
>> Lotus/WPLC Security Strategy and Patent Innovation Architect
>>
>>
>>
>> *Web Security Context Issue Tracker <dean+cgi@w3.org>*
>> Sent by: public-wsc-wg-request@w3.org
>> 04/25/2007 10:38 AM
>> Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
>> To: public-wsc-wg@w3.org
>> Subject: ISSUE-69: New goal--Reduce the number of scenarios in which users'
>> security depends upon authenticating sites
>>
>> ISSUE-69: New goal--Reduce the number of scenarios in which users'
>> security depends upon authenticating sites
>>
>> http://www.w3.org/2006/WSC/Group/track/issues/69
>>
>> Raised by: Stuart Schechter
>> On product: Note: use cases etc.
>>
>> Looking at the goals in Section 2 of the note, I don't see how password
>> managers, which reduce the likelihood that a user will enter a password into
>> an impersonation site, would fit into our goals.  MeZ tells me that she
>> believes there is a rough consensus that are in line with our goals.  Stuart
>> proposes a new goal between 2.5 and 2.6:
>>
>>   Title:   "Reduce the number of scenarios in which users' security depends
>> on their ability to authenticate a site"
>>   Content: "No matter how well security information is presented, there
>> will always be users who, in some situations, will behave insecurely even in
>> the face of harsh warnings.  Thus, the working group will also recommend
>> ways to reduce the number of situations in which users' security will be
>> compromised if they fail to recognize an impersonation attack or other
>> security failure."
>>
Received on Wednesday, 2 May 2007 11:34:43 GMT