ACTION-301: Usability review of Identity Signal from Johnathan Nightingale on 2007-10-16 (public-wsc-wg@w3.org from October 2007)

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Tue, 16 Oct 2007 11:50:22 -0400
To: W3C WSC W3C WSC Public <public-wsc-wg@w3.org>
Message-Id: <04E3F665-C886-4A69-8D68-0AA618CB8055@mozilla.com>

Hey folks,

At the face to face, I took an action to respond to the usability  
evaluation first cut proposals around Identity Signal.  The  
shockingly unreadable direct link is here:  http://www.w3.org/2006/ 
WSC/wiki/RecommendationUsabilityEvaluationFirstCut#head- 
df6c58f37e7d146819d7962f8ccb91ed947d4dc1

I think the first cut work is an excellent analysis.  I think that,  
in particular, unknowns #1 & #2 would be interesting questions to  
which to have answers, in terms of considering the merits of the  
proposal.

The "Testing" section notes that the goal of the identity signal is  
not to prevent spoofing attacks, and I wanted to reinforce this  
point.  It would be difficult to justify recommending this proposal  
as, e.g., an anti-phishing measure.  There are ample studies in our  
bookmarks that illustrate that even when the chrome is much more good/ 
bad declarative than what IdentitySignal envisions, the results are  
mediocre at best.  It therefore wouldn't make much sense to test this  
in an anti-phishing context.

I wrote this recommendation because we're Web Security Context, not  
Web Security Countermeasures - it feels to me that we ought to be  
recommending things that enrich the context web users have available  
for making trust decisions online, even if they are not responses to  
specific threats.  The current context is pretty sparse for non- 
technical users, and this is an attempt to enrich it by standardizing  
and encouraging a practice that multiple browser authors are now  
coming around to: communicating verified identity information to users.

I appreciate that "help users understand the identity of sites they  
interact with" is a harder testing problem than "prevent phishing  
attacks" and I don't actually have a good methodology suggestion.  An  
ethnographic/in-the-wild study of Firefox 3 users a year after  
release, when they've had time to develop/modify their browsing  
habits would be nice, but is hardly a reasonable suggestion in the  
context of this group.

As I say, other than clarifying that point which was already made in  
some form, I think the analysis is spot-on.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Tuesday, 16 October 2007 15:51:01 UTC