
Re: Is the padlock a page security score?

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Fri, 11 Jan 2008 17:54:02 -0500
Message-ID: <4787F38A.5050407@cs.cmu.edu>
To: Anil Saldhana <Anil.Saldhana@redhat.com>
CC: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>

Yes, but the point that Ian was making is that that's not an additional 
factor.  It's just more of the same factor.

serge

Anil Saldhana wrote:
> 
> Additional virtual factor is the KBA. Rather than scout for a scanner or 
> the retina or the mobile, the picture acts as the additional 
> *incomplete* factor.
> 
> Ian Fette wrote:
>> Which is still just a single factor (what you know)...
>>
>> On Jan 11, 2008 2:26 PM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>>
>>> Many of the US banks are going towards multi-factor knowledge based
>>> authentication, like displaying a favorite picture of yours and such.
>>>
>>>
>>> Mike Beltzner wrote:
>>>> michael.mccormick@wellsfargo.com wrote:
>>>>> There seems to still be some lingering misunderstanding about the
>>>>> security score.  It does not specify how the score should be presented
>>>>> in primary chrome.  The UA is free to render it as anything from a
>>>>> padlock to a color-coded address bar to a traffic light to whatever.
>>>>> The raw score is not displayed in the primary UI.
>>>> The disagreement is in that I don't believe a single "score" will ever
>>>> hold value. A recommendation or advice based on a score is what I would
>>>> suggest we advocate in our document.
>>>>
>>>> The user who needs a recommendation for action (i.e. "Is this page
>>>> safe?") won't benefit from a score ("72% safe!"), as it won't hold any
>>>> specific meaning to them.
>>>>
>>>> The user who wants to know more about why a specific recommendation has
>>>> been given (i.e. "Why are you saying that this page is suspicious, it
>>>> looks like my bank!") won't benefit from a score ("because it's only
>>>> 72% safe!") because they need more detail.
>>>>
>>>> Both of these users are served by a system where security risks are
>>>> called out by the browser ("Note: This page is suspicious!
>>>> (Details...)") and then further explanation is given (the certificate
>>>> changed, it's not high on the network of trust, etc).
>>>>
>>>> cheers,
>>>> mike

-- 
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
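The score-versus-recommendation distinction Mike draws above, shown in code. This is an added example and not code from the thread, the WSC working group or any browser; the signal names, weights, thresholds and sample pages are all constructed for illustration. It demonstrates that two pages can collapse to the identical numeric score while the reason-backed recommendation still distinguishes them, which is the information a user (or a support person) actually needs.

```python
"""
Two ways a user agent could summarise page security, side by side:
a single numeric score versus a recommendation backed by reasons.
All weights, thresholds and page signals below are constructed for
illustration; none come from the WSC working group's documents.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PageSignals:
    """Constructed per-page signals a UA might collect (hypothetical names)."""
    https: bool
    cert_chain_valid: bool
    cert_changed_since_last_visit: bool
    trust_rank: int          # 0 (unknown site) .. 10 (widely trusted); made-up scale
    on_phishing_list: bool


def security_score(p: PageSignals) -> int:
    """Approach 1: collapse every signal into one 0..100 number."""
    score = 0
    if p.https:
        score += 30
    if p.cert_chain_valid:
        score += 30
    if not p.cert_changed_since_last_visit:
        score += 9
    score += 3 * max(0, min(10, p.trust_rank))
    if p.on_phishing_list:
        score = min(score, 10)
    return score


def recommendation(p: PageSignals) -> tuple[str, list[str]]:
    """Approach 2: a verdict ("ok", "suspicious", "warning") plus the reasons."""
    reasons: list[str] = []
    if p.on_phishing_list:
        reasons.append("This site is on a list of known phishing sites")
    if not p.https:
        reasons.append("The connection is not encrypted")
    elif not p.cert_chain_valid:
        reasons.append("The site's certificate could not be verified")
    if p.cert_changed_since_last_visit:
        reasons.append("The certificate changed since your last visit")
    if p.trust_rank < 3:
        reasons.append("This site is not well known in the network of trust")

    # Hard failures warn outright; softer signals only flag the page as suspicious.
    if p.on_phishing_list or not p.https or not p.cert_chain_valid:
        verdict = "warning"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return verdict, reasons


def chrome_message(p: PageSignals) -> str:
    """What primary chrome could show: the verdict up front, reasons behind 'Details'."""
    verdict, reasons = recommendation(p)
    if verdict == "ok":
        return "This page looks fine."
    return f"Note: This page is {verdict}! (Details: {'; '.join(reasons)})"


# Constructed sample pages.
BANK_CERT_ROTATED = PageSignals(https=True, cert_chain_valid=True,
                                cert_changed_since_last_visit=True,
                                trust_rank=10, on_phishing_list=False)
MODEST_SHOP = PageSignals(https=True, cert_chain_valid=True,
                          cert_changed_since_last_visit=False,
                          trust_rank=7, on_phishing_list=False)
LOOKALIKE = PageSignals(https=True, cert_chain_valid=True,
                        cert_changed_since_last_visit=False,
                        trust_rank=0, on_phishing_list=True)

if __name__ == "__main__":
    for name, page in [("bank, new cert", BANK_CERT_ROTATED),
                       ("small shop", MODEST_SHOP),
                       ("lookalike", LOOKALIKE)]:
        print(f"{name:15} score={security_score(page):3}  {chrome_message(page)}")
```

With these made-up weights the bank page whose certificate just changed and the small shop both score 90, so a padlock or colour derived from the score alone would render them identically; the recommendation separates them ("suspicious" with the changed-certificate reason versus "ok"), and the phishing lookalike is a "warning" whose details name the list hit rather than a bare "10% safe".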
Received on Friday, 11 January 2008 22:54:49 UTC
