- From: Ian Fette <ifette@google.com>
- Date: Thu, 10 Jan 2008 11:16:49 -0800
- To: "Dan Schutzer" <dan.schutzer@fstc.org>
- Cc: michael.mccormick@wellsfargo.com, hahnt@us.ibm.com, public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0801101116n3545c38yf0d470bcdc1bbf5d@mail.gmail.com>
There's also something reasonable you can do when you hear it's going to rain. You can take an umbrella. There's very little you can do when you get a 70 as a security score. You want to use Facebook, there's not really anything you can do to mitigate the fact that it comes up with a 70. Just like you're not going to cancel your vacation because it's raining, you're not going to cancel your purchase online (or your match.com subscription) because it got a 70. You're going to look for some way to mitigate the rain / 70, realize there's not anything you can do, and curse out your browser for cluttering your UI with information that doesn't help you. :( On Jan 10, 2008 11:10 AM, Dan Schutzer <dan.schutzer@fstc.org> wrote: > With the weather we often hear words like "the chance of precipitation is > x%" to indicate the lack of perfect forecastability > > > ------------------------------ > > *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] > *On Behalf Of *michael.mccormick@wellsfargo.com > *Sent:* Thursday, January 10, 2008 2:05 PM > *To:* hahnt@us.ibm.com; public-wsc-wg@w3.org > > *Subject:* RE: Is the padlock a page security score? > > > > I agree. I like the weather analogy. There's no perfect security > indicator. But the more variables an indicator takes into account the more > it approaches the asymptote. > > > > I guess the alternative would be to throw up our hands and say all > security context indicators are useless. > > > ------------------------------ > > *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] > *On Behalf Of *Timothy Hahn > *Sent:* Thursday, January 10, 2008 12:54 PM > *To:* public-wsc-wg@w3.org > *Subject:* RE: Is the padlock a page security score? > > > Hi all, > > This whole discussion is subjective. What is useful for one person could > very well be useless to someone else. > > An analogy - weather forecasts about the possibility of rain today. Does > such a score indicate whether I will get rained on? No. Does it help me > decide whether or not to wear a hat or carry an umbrella? Yes. There is no > way that people other than meteorologists (and some would argue, even them) > will accurately interpret isobars, cloud patterns, and doppler radar to > determine whether it will rain. But people can get a feeling for the > chances of rain based on a 0-100% estimate. > > I think the same is true for the notion of a page security score. Does it > imply that the user will definitely, without a doubt, not get "taken"? No. > Does it give the user something with which to make a choice? Yes. In this > light, I still feel that page security scores are good things to consider. > > Regards, > Tim Hahn > IBM Distinguished Engineer > > Internet: hahnt@us.ibm.com > Internal: Timothy Hahn/Durham/IBM@IBMUS > phone: 919.224.1565 tie-line: 8/687.1565 > fax: 919.224.2530 > > > From: > > <michael.mccormick@wellsfargo.com> > > To: > > <ifette@google.com>, <Anil.Saldhana@redhat.com> > > Cc: > > Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>, < > Mary_Ellen_Zurko@notesdev.ibm.com> > > Date: > > 01/10/2008 01:34 PM > > Subject: > > RE: Is the padlock a page security score? > > > ------------------------------ > > > > > I would ask the same question about a binary indicator. The padlock does > not mean it's safe to enter a credit card. > ------------------------------ > > *From:* Ian Fette [mailto:ifette@google.com <ifette@google.com>] * > Sent:* Thursday, January 10, 2008 12:26 PM* > To:* Anil Saldhana* > Cc:* McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org; > Mary_Ellen_Zurko@notesdev.ibm.com* > Subject:* Re: Is the padlock a page security score? > > I still don't understand what anything beyond a binary result is supposed > to tell a user. I'm on a site with "Medium" security - what does that mean? > Does that mean that I should give them my credit card or not? > > On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote: > > Maybe there is an opportunity to associate "High/Medium/Low" or > "Strong/Medium/Low" based on page security score with the padlock. > * > *michael.mccormick@wellsfargo.com wrote: > > Sure, I agree the padlock is a binary representation of a boolean > security > > score formula based on a single security variable (SSL on main page). A > > degenerate case IMHO - but still technically a page security score. > > > > A security score algorithm should take into account most (if not all) of > the > > variables we enumerated under "What is a Secure Page?" Perhaps the note > > should state that explicitly. Then padlocks wouldn't qualify. > > > > _____ > > > > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] > On > > Behalf Of Timothy Hahn > > Sent: Thursday, January 10, 2008 10:40 AM > > To: public-wsc-wg@w3.org > > Subject: Re: Is the padlock a page security score? > > > > > > > > Mez, > > > > I'll toss in my view that the padlock is an example of a page security > > score. In most user agents, this seems to be pretty much "binary" (on > or > > off) though I think we've heard from some folks that there are some > > "embellishments" on their display of the icon which would provide more > > gradations based on information received. > > > > On the bright side of such a visible item - it is relatively easy to > > describe and for people to grasp the meaning of. > > > > On the down side of the padlock - ... well, we've had lots of that > > discussion on this list already - see the archives. > > > > Regards, > > Tim Hahn > > IBM Distinguished Engineer > > > > Internet: hahnt@us.ibm.com > > Internal: Timothy Hahn/Durham/IBM@IBMUS > > phone: 919.224.1565 tie-line: 8/687.1565 > > fax: 919.224.2530 > > > > > > > > > > From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> > > > > To: public-wsc-wg@w3.org > > > > Date: 01/10/2008 11:10 AM > > > > Subject: Is the padlock a page security score? > > > > _____ > > > > > > > > > > > > If not, why not? > > > > Mez > > > > > > > > > > > > -- > Anil Saldhana > Project/Technical Lead, > JBoss Security & Identity Management > JBoss, A division of Red Hat Inc.* > *http://labs.jboss.com/portal/jbosssecurity/ > > >
Received on Thursday, 10 January 2008 19:17:10 UTC