- From: Ian Fette <ifette@google.com>
- Date: Thu, 10 Jan 2008 10:37:12 -0800
- To: michael.mccormick@wellsfargo.com
- Cc: Anil.Saldhana@redhat.com, hahnt@us.ibm.com, public-wsc-wg@w3.org, Mary_Ellen_Zurko@notesdev.ibm.com
- Message-ID: <bbeaa26f0801101037w43f2347dydc756254694119c@mail.gmail.com>
No, but quite frankly neither does any of the information we've talked about in the page security scoring. The reality is that you have no idea if when you post the form it just sends stuff off to orders@somesite.com via email, if it's stored in a MySQL database with the default root password, if it's a shared server where root is not locked down - all of this worries me much more than whether it's EV-SSL, using DNSSEC, etc. The reality is that Visa and MasterCard have guidelines for how merchants should handle customer data, and that's about the only thing that I would really care about as a customer. However, I have no way of verifying that said guidelines are being followed, but I have very little risk anyways because I can just call US Bank and tell them that someone is making fraudulent charges against my Northwest WorldPerks Visa Signature card and they're going to take care of me. So, I guess my point is that I really don't understand the end goal here. I thought we wanted to get to the point where someone could determine whether or not it was safe to make an e-commerce transaction at a site, but frankly I don't really know that I find the information we have to be sufficient to actually answer that in a satisfactory manner. -Ian On Jan 10, 2008 10:31 AM, <michael.mccormick@wellsfargo.com> wrote: > I would ask the same question about a binary indicator. The padlock does > not mean it's safe to enter a credit card. > > ------------------------------ > *From:* Ian Fette [mailto:ifette@google.com] > *Sent:* Thursday, January 10, 2008 12:26 PM > *To:* Anil Saldhana > *Cc:* McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; > Mary_Ellen_Zurko@notesdev.ibm.com > > *Subject:* Re: Is the padlock a page security score? > > I still don't understand what anything beyond a binary result is supposed > to tell a user. I'm on a site with "Medium" security - what does that mean? > Does that mean that I should give them my credit card or not? > > On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote: > > > > > Maybe there is an opportunity to associate "High/Medium/Low" or > > "Strong/Medium/Low" based on page security score with the padlock. > > > > michael.mccormick@wellsfargo.com wrote: > > > Sure, I agree the padlock is a binary representation of a boolean > > security > > > score formula based on a single security variable (SSL on main page). > > A > > > degenerate case IMHO - but still technically a page security score. > > > > > > A security score algorithm should take into account most (if not all) > > of the > > > variables we enumerated under "What is a Secure Page?" Perhaps the > > note > > > should state that explicitly. Then padlocks wouldn't qualify. > > > > > > _____ > > > > > > From: public-wsc-wg-request@w3.org [mailto: > > public-wsc-wg-request@w3.org] On > > > Behalf Of Timothy Hahn > > > Sent: Thursday, January 10, 2008 10:40 AM > > > To: public-wsc-wg@w3.org > > > Subject: Re: Is the padlock a page security score? > > > > > > > > > > > > Mez, > > > > > > I'll toss in my view that the padlock is an example of a page security > > > score. In most user agents, this seems to be pretty much "binary" (on > > or > > > off) though I think we've heard from some folks that there are some > > > "embellishments" on their display of the icon which would provide more > > > gradations based on information received. > > > > > > On the bright side of such a visible item - it is relatively easy to > > > describe and for people to grasp the meaning of. > > > > > > On the down side of the padlock - ... well, we've had lots of that > > > discussion on this list already - see the archives. > > > > > > Regards, > > > Tim Hahn > > > IBM Distinguished Engineer > > > > > > Internet: hahnt@us.ibm.com > > > Internal: Timothy Hahn/Durham/IBM@IBMUS > > > phone: 919.224.1565 tie-line: 8/687.1565 > > > fax: 919.224.2530 > > > > > > > > > > > > > > > From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> > > > > > > To: public-wsc-wg@w3.org > > > > > > Date: 01/10/2008 11:10 AM > > > > > > Subject: Is the padlock a page security score? > > > > > > _____ > > > > > > > > > > > > > > > > > > If not, why not? > > > > > > Mez > > > > > > > > > > > > > > > > > > > -- > > Anil Saldhana > > Project/Technical Lead, > > JBoss Security & Identity Management > > JBoss, A division of Red Hat Inc. > > http://labs.jboss.com/portal/jbosssecurity/ > > > > >
Received on Thursday, 10 January 2008 18:37:25 UTC