Re: ACTION-389: Error levels? from Thomas Roessler on 2008-02-29 (public-wsc-wg@w3.org from February 2008)

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 29 Feb 2008 17:07:22 +0100
To: Serge Egelman <egelman@cs.cmu.edu>
Cc: W3C WSC Public <public-wsc-wg@w3.org>
Message-ID: <20080229160722.GF12512@iCoaster.does-not-exist.org>
Thanks Serge.  I've taken a stab at your material and just committed
a totally new section 6 to the editor's draft.  I've made some
changes: Material that's common to all has moved into 6.4.1; I've
tried to do the usual "for visual user agents" dance; I've tried to
abstract from the English language ("word meaning danger" and
phrasings like that; also, I replaced the "no more than 12 words" by
a more fuzzy "must be brief").

Note that there is not even a definitive strawman yet when what
should occur; I'll do that when I'm through editing chapter 5.

   Web Security Context: Experience, Indicators, and Trust
   Editor's Draft 29 February 2008
   $Revision: 1.171 $ $Date: 2008/02/29 15:58:12 $

   http://www.w3.org/2006/WSC/drafts/rec/#error-handling
  
Here's the current text; editor's notes formatted as quoted text:

   6.4 Error handling and signalling
   
>   Please refer to the following entries in the Working Group's wiki
>   for background information: CertErr

   6.4.1 Common Error Interaction Requirements
   
   Error signalling that occurs as part of primary chrome SHOULD be
   phrased consisely when using natural language.
   
   Primary chrome error messages MUST NOT include technical jargon.
   They SHOULD NOT refer the user to enter the destination site that
   caused the error, e.g., to provide feedback or obtain assistance.
   For error messages that interrupt the user's flow of interaction,
   user agents SHOULD enable the user to easily return to the user
   agent state prior to initiation of the last user interaction that
   led to the error signal.
   
   For advanced users, error interactions SHOULD have an option for
   advanced users to request a detailed description of the condition
   that caused the interaction to occur.

   6.4.2 Notifications and Status Indicators
   
   Notifications and status indicators are used when the browser cannot
   accurately determine a security risk based on the current security
   context information available. These indicators SHOULD also be used
   for situations in which the risk level mayv ary based on user
   preference.
   
   For visual user agents, notifications and status indicators MUST be
   displayed in the user agent's persistent primary chrome. These
   indicators MUST NOT force user interaction (e.g., forcing the user
   to click a button to continue the primary task). They MUST include a
   succinct textual description of their meaning.
   
   Notifications and Status Indicators MUST be used to signal the
   following situations:
   
>   link back to section 5
   
   Notifications and Status Indicators SHOULD be used to signal the
   following situations:
   
>   link back to section 5

   6.4.3 Warning/Caution Messages
   
   Warning / Caution messages MUST be used when the system has good
   reason to believe that the user may be at risk based on the current
   security context information, but a determination cannot positively
   be made. These warnings SHULD be used if the likelihood of danger is
   present, but cannot be confirmed.
   
   Warning / Caution messages MUST interrupt the user's current task,
   such that the user must acknowledge the message.
   
   For user agents with a visual user interface, headings of these
   warnings MUST include words meaning "caution" or "warning". The
   headings of these warnings MUST be the locus of attention.
   
   Warning / Caution messages MUST provide the user with distinct
   options how to proceed (i.e., these messages MUST NOT lead to a
   situation in which the only option presented to the user is to
   dismiss the warning and continue). The options presented on these
   warnings MUST be descriptive to the point that their meanings can be
   understood in the absence of any other information contained in the
   warning interaction. These warnings SHOULD include one recommended
   option, and a succinct text component denoting which option is
   recommended. In the absence of a recommended option, the warning
   MUST present the user with a method of finding out more information
   (e.g., a hyperlink, secondary window, etc) if the options cannot be
   understood.
   
   Warning / Caution messages MUST be used to signal the following
   situations:
   
>   Link back to section 5. Examples from Serge were OCSP server
>   unresponsive, phishing heuristics triggered, CRL can't beloaded.
   
   Warning / Caution messages SHOULD be used to signal the following
   situations:
   
>   Link back to section 5.


   6.4.4 Danger Messages
   
   Danger Messages MUST be used when there is a positively identified
   danger to the user (i.e., not merely a risk).
   
   The interactions communicating these messages MUST be designed such
   that the user's task is interrupted.
   
   For visual user agents, these interactions MUST be presented in a
   way that makes it impossible for the user to view or interact with
   the destination web site that caused the danger situation to occur.
   The headings of these warnings MUST include a word meaning "danger."
   The heading MUST be the locus of attention.
   
   Danger Message signalling MUST be used in the following situations:
   
>   Link back to section 5; Serge suggests blacklisted downloads,
>   revoked certs, etc.
   
   Danger Message signalling SHOULD be used in the following situations:
   
>   Link back to section 5.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>






On 2008-02-18 08:50:48 -0800, Serge Egelman wrote:
> From: Serge Egelman <egelman@cs.cmu.edu>
> To: W3C WSC Public <public-wsc-wg@w3.org>
> Date: Mon, 18 Feb 2008 08:50:48 -0800
> Subject: Re: ACTION-389: Error levels?
> List-Id: <public-wsc-wg.w3.org>
> X-Spam-Level: 
> X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by
> 	milter-greylist-2.0.2 (jabba.geek.haus [192.168.11.20]); Mon, 18 Feb 2008
> 	11:50:59 -0500 (EST)
> Archived-At: <http://www.w3.org/mid/47B9B768.901@cs.cmu.edu>
> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.6
> 
>
> Here's the proposed text (I know it could use some work, but this is a first 
> pass), though I'm not sure which section to put it in:
>
> Browser security indicators MUST fall into one of the following categories:
>
> 1) Notifications/Status Indicators
>   a) WHAT: warnings/indicators that are displayed in the browser's 
> persistent primary chrome. These indicators MUST NOT force user interaction 
> (e.g. forcing the user to click a button to continue the primary task).  
> They MUST be located in the browser's chrome and include a succinct textual 
> description of their meaning.
> b) WHEN: the browser cannot accurately determine a security risk based on 
> the current security context information available.  These indicators SHOULD 
> also be used for situations where the risk level may vary based on user 
> preference.
>
> 2) Warning/Caution Messages
>   a) WHEN: these MUST be used when the system has good reason to believe 
> that the user may be at risk based on the current security context 
> information, but a determination cannot positively be made (e.g. CRL cannot 
> be located, OCSP server unresponsive, phishing heuristics triggered).  These 
> warnings SHOULD be used if the likelihood of danger is present, but cannot 
> be confirmed.
>   b) WHAT: these warnings MUST be designed to interrupt the user's current 
> task, such that the user must acknowledge the warning.  The headings of 
> these warnings MUST include the words "warning" or "caution," and they MUST 
> NOT include technical jargon, or be longer than a dozen words.  The headings 
> of these warnings MUST be the locus of attention, and the warning SHOULD 
> have an option for advanced users to request a detailed description of the 
> warning condition.  These warnings MUST provide the users with options on 
> how to proceed (i.e. the warnings MUST NOT use a single option to dismiss 
> the warnings and continue).  The options presented on these warnings MUST be 
> descriptive to the point that their meanings can be understood in the 
> absence of any other information contained in the warning.  These warnings 
> SHOULD include one recommended option, and a succinct text component 
> denoting which option is recommended.  In the absence of a recommended 
> option, the warning MUST present the user with a method of finding out more 
> information (e.g. hyperlink, secondary window, etc.) if the options cannot 
> be understood.
>
> 3) Danger Messages
>   a) WHAT: These warnings MUST be designed such that the user's task is 
> interrupted, and the user is unable to view or interact with the destination 
> website.  The headings of these warnings MUST include the word "danger," and 
> they MUST NOT include technical jargon, or be longer than a dozen words.  
> The heading MUST be the locus of attention, and the warning SHOULD have an 
> option for advanced users to request a detailed description of the warning 
> condition.
>   b) WHEN: these MUST be used when there is a positively identified danger 
> to the user (i.e. not merely risk).  Examples include websites or software 
> downloads that have been blacklisted (i.e. positively identified), revoked 
> certificates, etc.
>
>
> -- 
> /*
> PhD Candidate
> Carnegie Mellon University
>
> "Whoever said there's no such thing as a free lunch was never a grad 
> student."
>
> All views contained in this message, either expressed or implied, are the 
> views of my employer, and not my own.
> */
>
>
Received on Friday, 29 February 2008 16:07:40 UTC