RE: Is the padlock a page security score?

From: <michael.mccormick@wellsfargo.com>
Date: Thu, 10 Jan 2008 12:31:44 -0600
Message-ID: <9D471E876696BE4DA103E939AE64164DB43301@msgswbmnmsp17.wellsfargo.com>
To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
Cc: <hahnt@us.ibm.com>, <public-wsc-wg@w3.org>, <Mary_Ellen_Zurko@notesdev.ibm.com>

I would ask the same question about a binary indicator.  The padlock
does not mean it's safe to enter a credit card.

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Thursday, January 10, 2008 12:26 PM
To: Anil Saldhana
Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
Mary_Ellen_Zurko@notesdev.ibm.com
Subject: Re: Is the padlock a page security score?


I still don't understand what anything beyond a binary result is
supposed to tell a user. I'm on a site with "Medium" security - what
does that mean? Does that mean that I should give them my credit card or
not? 


On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com>
wrote:



	Maybe there is an opportunity to associate "High/Medium/Low" or
	"Strong/Medium/Low" based on page security score with the padlock.
	

	michael.mccormick@wellsfargo.com wrote:
	> Sure, I agree the padlock is a binary representation of a boolean security
	> score formula based on a single security variable (SSL on main page).  A
	> degenerate case IMHO - but still technically a page security score.
	>
	> A security score algorithm should take into account most (if not all) of the
	> variables we enumerated under "What is a Secure Page?"  Perhaps the note
	> should state that explicitly.  Then padlocks wouldn't qualify.
	>
	>   _____
	>
	> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
	> Behalf Of Timothy Hahn
	> Sent: Thursday, January 10, 2008 10:40 AM
	> To: public-wsc-wg@w3.org
	> Subject: Re: Is the padlock a page security score?
	>
	>
	>
	> Mez, 
	>
	> I'll toss in my view that the padlock is an example of a page security
	> score.  In most user agents, this seems to be pretty much "binary" (on or
	> off) though I think we've heard from some folks that there are some
	> "embellishments" on their display of the icon which would provide more
	> gradations based on information received.
	>
	> On the bright side of such a visible item - it is relatively easy to
	> describe and for people to grasp the meaning of.
	>
	> On the down side of the padlock -  ... well, we've had lots of that
	> discussion on this list already - see the archives.
	>
	> Regards, 
	> Tim Hahn
	> IBM Distinguished Engineer
	>
	> Internet: hahnt@us.ibm.com
	> Internal: Timothy Hahn/Durham/IBM@IBMUS
	> phone: 919.224.1565     tie-line: 8/687.1565 
	> fax: 919.224.2530
	>
	>
	>
	>
	> From:         "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
	>
	> To:   public-wsc-wg@w3.org
	>
	> Date:         01/10/2008 11:10 AM
	>
	> Subject:      Is the padlock a page security score?
	>
	>   _____
	>
	>
	>
	>
	>
	> If not, why not?
	>
	>          Mez
	>
	>
	>
	>
	>
	
	
	--
	Anil Saldhana
	Project/Technical Lead,
	JBoss Security & Identity Management 
	JBoss, A division of Red Hat Inc.
	http://labs.jboss.com/portal/jbosssecurity/
	
	
Received on Thursday, 10 January 2008 18:33:15 UTC