- From: Ian Fette <ifette@google.com>
- Date: Tue, 13 Nov 2007 10:36:46 -0800
- To: "Johnathan Nightingale" <johnath@mozilla.com>
- Cc: "W3C WSC Public" <public-wsc-wg@w3.org>
- Message-ID: <bbeaa26f0711131036s267c30f5i92f9a79d1513893f@mail.gmail.com>
Reply inline

On Nov 13, 2007 10:21 AM, Johnathan Nightingale <johnath@mozilla.com> wrote:

> On 13-Nov-07, at 12:14 PM, Ian Fette wrote:
>
> As for "testing them in a perfect world" - I have no idea why this is a good experiment to run, because we know that we will never be operating in a perfect world. I'm not saying we should test in a world with zero adoption, but rather I'm saying that we should try to figure out (guess) what *reasonable* adoption is, and test in that world. We already know that there are some sites that are not adopting EV because of the cost model. I'm sure someone is more knowledgeable about the specifics than I, but my understanding is that, for instance, Google could not buy one EV certificate for google.com and use it across all of our numerous servers, rather we would have to pay some increased (large) fee based on number of servers. (Also, does EV support wildcard certs?). Given that, you can come up with a list of companies for which EV would be very expensive and likely not adopted (eBay?), and test with the assumption that those sites won't adopt. What does that do to the overall model?
>
>
> FWIW, and I appreciate that it's a tangent, but I don't know of any restrictions in the EV guidelines that result in what you're describing. IIRC, EV certs do not allow for wildcards, but neither do they constrain themselves to single servers in the way you suggest, unless you mean single domain names? ebay, to use your example, already presents an EV cert on their sign-in page ( https://signin.ebay.com/ )
>

I don't know if this is a result of EV guidelines, or CAs just wanting to squeeze companies for as much money as they can, but from a cursory look at different CAs they all seem to want to charge more money for use on more servers.

From GeoTrust: "By default, this certificate is licensed for one server. If this certificate will be used on additional servers, please select the total number of servers for which this certificate will be used. The price per each additional server is the same as the price for the initial server. If you need to install this on more than 100 servers, please contact us <http://www.geotrust.com/support/index.asp>."

From VeriSign: "VeriSign's licensing policy allows licensed certificates to be shared in the following configurations:
- Redundant server backups
- Server load balancing
- SSL accelerators"

Not entirely clear to me what VeriSign's policy means in practice, i.e. is a large number of data centers considered server load balancing? For some reason, I seem to recall that it would have cost significantly more than $1500 to EV-ify Google. Anyhow, we're rapidly approaching a tangent...

> I agree though, that it would be misleading to imagine a world where every site had an EV certificate. I think the last adoption numbers I saw were ~3000 EV certs visible on the public internet, and while the growth rate is something like 15%/month, growing quickly from 0 doesn't mean much.
>

There's # of certs, and then there's a weighting by traffic of each site. I.e. if Mom & Pop Inc of Little Rock, AR get an EV-cert, it doesn't really increase adoption in my mind. If Big Corp Inc with millions of page views per day adopts, that's a big plus.

>
> Finally, I'm extremely concerned about the attitude of "Well, it works in lab studies, so let's mandate it, vendors be damned." I understand the desire not to be seen as being beholden to the desires of browser manufacturers, but on the other hand, I have a very real desire not to be seen as floating around in la-la land, disconnected from reality. If something is going to cause people not to adopt a product, a vendor is not going to implement it, regardless of any mandates from W3C. There is a very real risk of steering ourselves towards irrelevancy. Without getting into too many politics, that's why WHATWG was formed, and provides a good bit of background for the current HTML5 *realpolitik*. I don't want to see us go the way of XForms 2.
>
>
> I don't want to speak for Serge here, but I suspect the reason Serge is talking about testing a "perfect world" scenario is because he fully expects to find them ineffective even then, at which point one can hardly argue that they would do better under more "adverse" circumstances. So I don't think he's arguing at all for "it works in lab studies, so let's mandate it" but rather the reverse: "It doesn't even work with the deck stacked, so we had better not recommend it in the real world."
>

I worry a lot about "It performs X in lab studies" being interpreted as "It will perform X in the field." I think the short lab studies are fine to help us pick out some issues that we need to rethink, but for measuring adoption / usability, longer studies are necessary.

>
> Cheers,
>
> J
>
>
> > My $0.02 x 3 (== £0.03)
> >
> > On Nov 13, 2007 8:51 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote:
> >
> > agreed
> >
> > -----Original Message-----
> > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
> > Sent: Tuesday, November 13, 2007 11:23 AM
> > To: Hallam-Baker, Phillip
> > Cc: Ian Fette; W3C WSC Public
> > Subject: Re: ACTION-335 logotypes and ISSUE-96 discussion
> >
> >
> > This is irrelevant for our purposes. If we test them and find that in a perfect world they don't work, then this is moot. If we test them and find that they're effective, then we make a recommendation, and it's out of our hands. At that point the application vendors aren't in compliance.
> >
> > serge
> >
> > Hallam-Baker, Phillip wrote:
> > > I have never had the slightest difficulty selling the idea of logotypes to customers. The problem is purely on the application side. The logos have no value unless they are displayed.
> > >
> > > So we risk a chicken and egg situation where the application side people refuse to do anything about implementation until they are assured that there will be 100% adoption by the site owners which is not going to happen until there are applications to present the logos.
> > >
> > > Someone has to make the first move, we cannot gate the scope of what we will consider by requiring an assurance of total adoption by any market participant.
> > >
> > > ------------------------------------------------------------------------
> > > *From:* public-wsc-wg-request@w3.org on behalf of Ian Fette
> > > *Sent:* Fri 09/11/2007 4:49 PM
> > > *To:* W3C WSC Public
> > > *Subject:* ACTION-335 logotypes and ISSUE-96 discussion
> > >
> > > This action (ACTION-335) was to provide discussion topics for ISSUE-96. I only really have one point, and I will try to state it more clearly than at the meeting.
> > >
> > > To me, the effectiveness of any of the logotype proposals (or the EV proposals, for that matter) depends greatly upon the adoption of these technologies by sites. We can do really cool flashy things when we get an EV cert, or an EV-cert with a logo, but right now the only two sites I can find using an EV cert are PayPal and VeriSign. Therefore, I wonder how habituated people would become in practice, if they never (or rarely) saw the EV/logotype interface stuff in use.
> > >
> > > My proposal is that any usability testing of the EV and/or logotype things in the spec not only reflect how users would behave in a land where everyone is using EV-certs and life is happy, but rather also test a more realistic case. That is, look at what the adoption is presently and/or what we can reasonably expect it to be at time of last call, and do usability testing in an environment that reflects that adoption rate - i.e. some percentage of sites using EV certs, some percentage also using logos, and another percentage still using "normal" SSL certs. My worry is that we may be thinking "EV certs will solve X, Y, and Z", but that may only be the case if users are used to seeing them on the majority of sites, and should that not end up being the case, we need to look at the usability and benefit in that scenario as well.
> > >
> > > I think this is what the ACTION wanted, i.e. for me to state this point more explicitly. I am going to therefore assume that my work on this action is complete, unless I hear otherwise.
> > >
> > > -Ian
> >
> > --
> > /*
> > PhD Candidate
> > Vice President for External Affairs, Graduate Student Assembly
> > Carnegie Mellon University
> >
> > Legislative Concerns Chair
> > National Association of Graduate-Professional Students
> > */
>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
Received on Tuesday, 13 November 2007 18:37:07 UTC