
Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score

From: Timothy Hahn <hahnt@us.ibm.com>
Date: Wed, 23 Jan 2008 17:13:09 -0500
To: public-wsc-wg@w3.org
Message-ID: <OF65017E8C.038F9490-ON852573D9.00790DF1-852573D9.007A08FB@us.ibm.com>
Ian,

Thanks for the feedback.

I tried to express a level of indirection between what is displayed (I 
referred to this as a "visual indicator") and the value itself (which I 
referred to as the "value").  This indirection was meant to allow for a 
difference between what is displayed and the "raw score" value itself.

I welcome suggestions on making this more clear in the write-up.

Relative to your desire for MAY vs. SHOULD - given the different opinions 
of the people that have been discussing this, I made the bold decision 
that SHOULD seemed appropriate.

Regards,
Tim Hahn
IBM Distinguished Engineer

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




From: "Ian Fette" <ifette@google.com>
To: Timothy Hahn/Durham/IBM@IBMUS
Cc: public-wsc-wg@w3.org
Date: 01/23/2008 04:55 PM
Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score



I'm still unclear on the following two points:

The user agent SHOULD provide a visual indicator in primary chrome
which varies relative to the "security confidence estimate" value.
Examples of such visual indicators (non-normative) are gauges,
thermometers, a selection of several textual descriptions, and
color-gradations.

The visual indicator SHOULD be especially conspicuous in display when
the "security confidence estimate" value is different than the value
which was observed for the loaded page in previous visits to the
loaded page.

It sounds to me like there was a lot of agreement on the call that
changes in this score might be informative. I don't think there was
any agreement that the raw score itself was informative. I don't
understand why we're saying that the score SHOULD be indicated in
primary chrome, nor do I understand why it makes sense to show it if
the score has changed (i.e. "Hey, this was 78 and now it's 68" -
"Great, what does that mean"). I think it may make sense (MAY) to call
out what changed, but calling out the score (either normally, or even
when it changes) still makes no sense to me.

I would love to see these SHOULD -> MAY

-Ian

On Jan 23, 2008 10:41 AM, Timothy Hahn <hahnt@us.ibm.com> wrote:
>
> To Mez:
>
> I agree with your proposal and will make that be so in the draft.
>
> To Mike:
>
> While I, myself, would prefer stronger language, I worded the updates per
> the discussion from the group (during the weekly conference call as well
> as on the mailing list).
>
> Regards,
>
> Tim Hahn
>  IBM Distinguished Engineer
>
>  Internet: hahnt@us.ibm.com
>  Internal: Timothy Hahn/Durham/IBM@IBMUS
>  phone: 919.224.1565     tie-line: 8/687.1565
>  fax: 919.224.2530
>
>
>
>
>  From: Mary Ellen Zurko/Westford/IBM@IRIS
>  To: Timothy Hahn/Durham/IBM@IBMUS
>  Cc: public-wsc-wg@w3.org
>  Date: 01/23/2008 01:29 PM
>  Subject: Re: ACTION-374 - proposed re-written text for 6.3, Page Security Score
>  ________________________________
>
>
>
> I propose that you also change the title of the section to "Security
> Confidence Estimate"
>
>           Mez
>
>
>
>
>
>
>  From: Timothy Hahn/Durham/IBM@IBMUS
>  To: public-wsc-wg@w3.org
>  Date: 01/23/2008 11:29 AM
>  Subject: ACTION-374 - proposed re-written text for 6.3, Page Security Score
>  ________________________________
>
>
>
>
>
> Hi all,
>
> From last week's meeting (16 January 2008) I took an action to propose
> re-written text for the "Page Security Score" section.
>
> From the latest wsc-xit draft, the current text reads:
>
> --- Start ---
> 6.3 Page Security Score
>
> See also: ISSUE-129
>
> Please refer to the following entries in the Working Group's Wiki for
> relevant background information: RecommendationDisplayProposals/PageScore
>
> The user agent MUST reduce the state of all security context information
> made available to a single value. A partial order MUST be defined on the
> set of possible values.
>
> The user agent MUST make the security context information value available
> to the end user, in either primary or secondary chrome.
>
> The user agent MUST make the formula by which the value is calculated
> available to the end user. Documentation of the user agent is the
> likeliest place.
>
> The form of the indicator of this value will depend on the user agent and
> end user abilities. The user agent SHOULD provide a primary chrome
> indicator
>
> --- End ---
>
> Here is my proposed re-written text:
>
> --- Start ---
> 6.3 Page Security Score
>
> See also: ISSUE-129
>
> Please refer to the following entries in the Working Group's Wiki for
> relevant background information: RecommendationDisplayProposals/PageScore
>
> The user agent SHOULD provide a means of reducing the collection of
> security context information which is available for any loaded page to a
> numeric value (termed a "security confidence estimate").
>
> The calculation algorithm for the "security confidence estimate" MAY be
> made selectable by the end user or offered by separately installed user
> agent plug-ins.
>
> The user agent SHOULD provide a visual indicator in primary chrome which
> varies relative to the "security confidence estimate" value.  Examples of
> such visual indicators (non-normative) are gauges, thermometers, a
> selection of several textual descriptions, and color-gradations.
>
> The visual indicator SHOULD be especially conspicuous in display when the
> "security confidence estimate" value is different than the value which was
> observed for the loaded page in previous visits to the loaded page.
>
> The user agent MAY elect to display a visual indicator in primary chrome
> only when a change in "security confidence estimate" values is observed.
>
> The user agent MUST make the details of all available security context
> information available to the end user, in either primary or secondary
> chrome.
>
> If a "security confidence estimate" is provided, the provider of the
> implementation MUST make the calculation algorithm by which the "security
> confidence estimate" value is calculated available to the end user.
> Documentation for the user agent or plug-in which is employed is the
> likeliest place.
>
> The visual realization of the "security confidence estimate" value will
> depend on the user agent and end user abilities.
>
> --- End ---
>
>
> Tim Hahn
> IBM Distinguished Engineer
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
>
>
>
>




Received on Wednesday, 23 January 2008 22:13:31 UTC
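
The sketch below is an added illustration, not part of the thread or of the wsc-xit draft: it reduces a page's security context to a numeric "security confidence estimate", derives a coarse visual indicator from it, and compares each visit with the previous one for the same origin so that the signals that changed can be named. The signal names, weights, indicator thresholds and the `VisitHistory` class are all assumptions made for the example.

```javascript
// Assumed signals and weights; the draft text does not define a formula.
const WEIGHTS = {
  tlsUsed: 40,
  certValidated: 30,
  extendedValidation: 20,
  noMixedContent: 10,
};

// Reduce the security context to one numeric value in the range 0..100.
function estimate(context) {
  return Object.keys(WEIGHTS)
    .reduce((sum, key) => sum + (context[key] ? WEIGHTS[key] : 0), 0);
}

// Indirection between the raw value and what is displayed:
// the value maps to one of a few textual descriptions (assumed thresholds).
function indicatorFor(value) {
  if (value >= 80) return "high";
  if (value >= 40) return "medium";
  return "low";
}

// Remembers the last observed context per origin so a later visit can be
// compared against it.
class VisitHistory {
  constructor() {
    this.seen = new Map();
  }

  visit(origin, context) {
    const value = estimate(context);
    const previous = this.seen.get(origin);
    this.seen.set(origin, { value, context: { ...context } });
    // Name the signals that differ, not just the two numbers.
    const changed = previous
      ? Object.keys(WEIGHTS).filter(
          (key) => Boolean(previous.context[key]) !== Boolean(context[key]))
      : [];
    return {
      value,
      indicator: indicatorFor(value),
      previousValue: previous ? previous.value : null,
      // "Especially conspicuous" only when the value differs from last visit.
      conspicuous: previous !== undefined && previous.value !== value,
      changed,
    };
  }
}
```

With these assumed weights, a site that loses `extendedValidation` between visits drops from 100 to 80 while the coarse indicator stays "high", so the comparison has to be made on the value or the underlying signals rather than on the displayed indicator.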
