- From: W3C CCG Meetings <meetings@w3c-ccg.org>
- Date: Wed, 20 May 2026 01:42:54 +0000
- To: public-credentials@w3.org
- Message-ID: <CA+ChqYeADfwgcRLq26pTCSd9tgu+sztokVQ3q9fGfnG1hyG9rA@mail.gmail.com>
This meeting focused on the usability and accessibility of security information in open-source software packages, specifically discussing attestations and their presentation on package registry pages. The discussion highlighted the challenges in communicating complex security concepts to various user types, from security architects to incidental consumers. The project explored how to present attestation information effectively, emphasizing the need for clear, trustworthy signals and user-friendly documentation. The session concluded with a call for further contributions to the ongoing open-source design and implementation efforts related to these security features.

*Topics Covered:*

- *Attestation Definition and Purpose:* Attestations were defined as signed statements providing verifiable information about a software package's build process, contents, and security checks, serving as a signal of trust. The project aimed to clarify what attestations are versus what users assume them to be.
- *User Personas and Trust Signals:* Research identified distinct user personas (security architects, pragmatic developers, incidental consumers) with varying levels of security knowledge and trust-building behaviors, often relying on social proof and visual cues.
- *Usability Challenges with Security Information:* A significant challenge identified was the "big green check mark problem", where users, regardless of their expertise, tend to disengage when presented with simplified trust signals like "confirmed" or "verified", indicating a need for careful design that balances ease of use with educational components.
- *Visual Design and Information Presentation:* The project explored various UI/UX approaches, including icons, badges, dedicated security sections, and digestible information within existing package registry pages, to effectively communicate attestation and provenance data without overwhelming users.
- *The Role of Documentation and Friction:* While users desired documentation for in-depth understanding, the consensus was that making secure actions the simplest default path (e.g., through a "check attestation" button) would be more impactful than relying solely on education, especially for pragmatic and incidental users.
- *Contribution and Future Work:* The securing software repositories repository was identified as the primary place for further contribution, with ongoing work in implementation and conversation needed to advance the usability of security information in open-source packages.

*Action Items:*

- Individuals interested in contributing to the usability and implementation of attestation features should visit the "securing software repositories" repository and join the associated working group.
- Further exploration and refinement of UI/UX elements for communicating security information, particularly in the context of verifiable credentials, is encouraged.

Text: https://meet.w3c-ccg.org/archives/w3c-ccg-atlantic-2026-05-19.md

Video: https://meet.w3c-ccg.org/archives/w3c-ccg-atlantic-2026-05-19.mp4

*CCG Atlantic - 2026/05/19 12:01 EDT - Transcript*

*Attendees*

Alex Higuera, Benjamin Young, Brent Zundel, Caroline Sinders, Dmitri Zagidulin, Elaine Wooton, Erica Connell, Eriol Fox, Greg Bernstein, Harrison Tang, Hiroyuki Sano, Ivan Dzheferov, JeffO - HumanOS, Jennifer Meier, Kayode Ezike, Mahmoud Alkhraishi, Phillip Long, Rob Padula, Will Abramson

*Transcript*

Mahmoud Alkhraishi: Hello everyone.

Caroline Sinders: Hi everyone.

Mahmoud Alkhraishi: We'll get started in four minutes.

Rob Padula: That's good.

Caroline Sinders: Okay, great. I'll go grab a water real fast.

Eriol Fox: Just FYI,…

Eriol Fox: I'm going to try to use this device, which I'm on now looking and speaking on, but there's a possibility that it might disconnect because of some troubles that I have with this device. If it does, then I've got a second device that I can join from, but we'll see how it goes.

Mahmoud Alkhraishi: No worries.

Mahmoud Alkhraishi: We'll hold off if we have to.

Mahmoud Alkhraishi: We're just going to give it another couple of minutes till the five minute mark and then we'll get started.

Mahmoud Alkhraishi: Thank you for joining us today. It is Tuesday the 19th of May for our CCG call. Just as a quick reminder, we have a code of ethics and professional conduct. Please make sure that you review it and you adhere to it. Anyone can participate in our CCG calls, but any substantive contributors to the CCG must have signed our full IPR agreements. Before we get on to today's topic, do we have any announcements anybody wants to make? All right.

Mahmoud Alkhraishi: I have one, which is that we're running a little bit low on speakers going forward. We had a few that had to drop off, and so if anybody would like to bring up a topic, bring up a speaker, please feel free to reach out to any of the chairs and we'll make sure that we get them on. Next week will be our quarter 2 review, where hopefully we're going to go through the state of CCG so far and we're going to look forward to any improvements. All right, with that having been said, Caroline, is it you who's going to be starting us off, or is it Eriol? Please go ahead. Take it away.

00:05:00

Eriol Fox: I think it's me. Hello, I am going to start this off with admitting that I am very much off of the back of a full eight hour workday. So I'm going to do my best to talk about this project that I worked on a little under a year ago, and hopefully it can spark some interesting thoughts and topics and debates around the usability and the accessibility of security information like attestations, like SBOMs (software bill of materials), and how those are displayed to people that intend to use open source software packages, particularly.

Eriol Fox: This project is about that on package registry pages specifically. But also to some extent it's a really interesting project where, from my perspective as a person that does usability design, user experience in the open source software space, and previously, when I was doing this project, a little bit more intensely in the privacy and security space than I do right now in my role, it's really encouraging and interesting to see usability being taken seriously and being really focused on around these kinds of topics, like how do we understand security information?

Eriol Fox: What does it actually mean to people that are either looking to help other people that want to use tools stay safe, or, if you want to use a tool, how do you understand whether or not your supply chain is really secure or not? So that being said, you might then have already gathered that I'm not necessarily on the technical end as far as the privacy coding developer side of things. I'm on the usability design side of things. But I'm going to jump in. I'm going to share my screen. I hope that's okay. Just so that I know kind of what I'm doing, what I'm referring to. And I'm also going to drop a

Eriol Fox: drop a link in the chat. So, this is the project that we're going to be talking about today. I'm just going to give a little bit of background information before I kind of launch into the slides that I have prepared, and then I believe Carol is going to jump in after I'm finished with talking about attestations to kind of talk about what they are bringing. But this project was funded by, let's see, it was actually funded I think possibly by Google actually, let me just double check. Anyway, you can find out exactly how it came to be actually in this issue here which I'm sharing on the screen, which was the actual funding request for the securing software repositories

Eriol Fox: working group, the amount of funding that the entire project had. So not just the usability aspects of things but also what the problem statement was and what they wanted to try and investigate by funding this work. Essentially it was that the OpenSSF was needing, and if you're unfamiliar with the OpenSSF I'm sure somebody can maybe find a link to the OpenSSF and drop that in the chat as well, I don't have it handy at the moment, but to fund some user interface and user experience investigation work into what kind of UI visuals, if any, do we need for SLSA provenance. Thank you so much Benjamin for putting that in the chat.

Eriol Fox: for any kind of security certification information in these specific registries: npm, RubyGems and PyPI to begin with. So essentially it was a project that was broken into a number of different phases. So you can find out the information of how it started on this issue. And then the first link that I dropped also has the link to the project task board. And I guess one thing that I find really, found really exciting about this work is we did all of the UI/UX usability research as in the open as possible, which is not that normal or not that typical for usability UX/UI work, let alone in open source, from as deep into kind of security topics.

00:10:00

Eriol Fox: So you can actually kind of take a look at the done column over here and see all the different kind of processes of what we did and how we segmented this project, so there's a good paper trail of what the funding got spent on. So there's a lot of usability testing processes and scripts out there, what we learned from usability testing, how we applied it to the style guide, and what we ended up delivering as this is what we think UI could look like based off of the investigation that we did, as well as a good amount of documentation that ended up getting done as well. So that's the various places that I encourage you to go to find out more information about this work. As you can see, this repo hasn't been updated since October 2025.
Eriol Fox: I do believe last time I spoke to the OpenSSF team that were working on this, they were just about to enter into the implementation phase, which is essentially implementing the style changes, the visual usability changes into, I think, PyPI first, as well as the documentation build for this work, which is a bit behind its own schedule. But hey, sometimes that's how projects go. I worked on this project when I used to work at an organization called Superbloom Design, which is listed in the work planning team. I no longer work there. So, I won't be talking much about what they do as an organization unless people are particularly interested in that. I now work at the Open Home Foundation on Home Assistant as a designer. So, I have been working there for a little while now.

Eriol Fox: But let's talk about the attestations work. And so I don't know whether this audience particularly here understands or knows what an attestation is. I certainly didn't as a designer in open source coming into this project. Can I just get some kind of indication of who in the room might feel confident about…

Eriol Fox: what they think an attestation is for open source software or other software, either in the chat or some emoji responses, or come off mute.

Mahmoud Alkhraishi: So I think we're reasonably comfortable,…

Mahmoud Alkhraishi: but I do think it's a good idea to just go over it really quickly.

Eriol Fox: Okay. Okay. Cool.

Eriol Fox: I guess it's always good to hear another person's interpretation of a security term, but yeah, an attestation, as far as I would define it through the work that I did trying to learn about them, is a signed statement. It provides verifiable information about something, so from Docker, which would refer to the Docker images, or specifically it basically should describe a record of how it was built, what was inside, security checks that have been passed, and from my understanding of attestations also signed by an authority of some description

Eriol Fox: or some verifiable source. Essentially, either an organizational affiliation or kind of like a verifiable organization data models for attestations. Interesting. Good. So yeah, this is something that somebody, we'll get a little bit into some of the research side of things as well. This is essentially a signal of trust is what I would define this as, is a signal for user trust of verified: this is what I expect it to be. Again there's another definition here.

Eriol Fox: One of the ways in which the project team endeavored to understand what an attestation was is we tried to break it down into everyday relatable kind of metaphors or terms. So you can kind of see on the slide at the moment there's an image of a sort of older person, an apple with a label that says apple from granny's farm, and sort of like a series of documents of the grandma, the apple trees, the apples going into a cart, going into a truck, going to a store, being bought with a label by a person.

00:15:00

Eriol Fox: And we often used that kind of food labeling, any kind of labeling about the origin of something, where it's come from and where it's gotten to, as an easy kind of pick from the ether of general knowledge of this is what we could describe an attestation as to anybody that didn't have detailed knowledge about how an attestation might apply specifically to open source software or supply chain security. So it's a trust mechanism for somebody to validate the integrity of something asserted by a provider, vendor or an organization.

Eriol Fox: So yeah, but I think one of the things that I found particularly difficult to understand as a usability expert, as well as many of the users that we did user testing with and user research with, who were the people that needed to understand what an attestation was in order to use a package, was that attestations can be run automatically and they can also be verified using a human process as

Eriol Fox: And this is still kind of part of an attestation, which is quite hard to understand and parse for people that don't know about that. Or there's an assumption from a lot of the users and people that we interviewed that an attestation is either automatically, kind of an automatic process that happens, and that there is no way to verify it in a kind of quote unquote manual way at all. That certainly ended up being a lot of what we heard from the participants in the research, as completely a skill set that was beyond a lot of people consuming software packages.

Eriol Fox: So a lot of our work was really trying to understand in simplistic terms how can we communicate what an attestation is to as many people as possible in these places where people are going to be downloading or using software packages. Lots of reasons. I don't think I really actually need to talk about the reasons why maybe open source software package security matters to this audience, but there are a lot of things that again we learned as usability experts, like what are the risks involved in this, and really as usability experts we do also need to understand what the risks are involved in order to communicate those risks in an effective and as condensed as appropriate

Eriol Fox: way to again end users at varying levels of knowledge. So typosquatting is something that came up when we were learning about security generally of software packages, the build supply chain, which is more directly linked to attestations of software packages, and compromised critical dependencies, and use packages being built using secure practices.

Eriol Fox: So the thing that we discovered as we were investigating this work is that the users, developers, the people that are down using open source software packages are forced to implicitly trust public repositories or registries and risk any vulnerabilities or maliciousness in the package supply chain, or else validate every package that they import or use or want to use, as well as the dependencies that package relies on. In reality, in our research, very few people are doing this process, and really only doing this process or even attempting to do this process if it was one part of their job to be like a security practitioner in an actual paid role.

Eriol Fox: But funnily enough, even if they were in a paid role to do that kind of process, if they were also using open source software packages in personal projects, they weren't necessarily doing the same practices with their personal projects as they were the projects that they were paid to do, because there was more of a risk associated with their paid work than they assumed or they decided with their personal work. Or if you were working on some kind of financial wallet based technology. So there were people that worked in security, so people that had a real focus on the security of the packages that they were using or the dependencies that they were using in their work, or it also didn't have to be paid work in order for it to be important to them.
00:20:00

Eriol Fox: We did some research with some people working on very critical security, internet security infrastructure, and to them, whether they were getting paid or not or doing open source contributions, it was still very important for them to do a lot of security practices, but that's mostly because they were contributing to established internet security infrastructure and tools. But the third kind of use case were basically anybody that was working anywhere near wallet technology. So people doing stuff with various cryptocurrencies and things like that. What did the OpenSSF want us to work on as usability experts?

Eriol Fox: Essentially they wanted us to understand how to take a lot of information about what an attestation is or what is assumed an attestation is, try and break it down to what actually is an attestation. What is the information that is contained within an attestation, as opposed to what is assumed to be contained within an attestation, which gets kind of confusing quite quickly, especially if you look at what's already on package registry pages as far as provenance information. A lot of average users that don't really know can't really tell the difference between what security information is being told to them under what kind of headings and labels and whatever. It doesn't mean a lot to them currently how the information is separated and displayed essentially.

Eriol Fox: But it is very important to make sure that information is accurate and meaningful and trustworthy, and also they were really interested in this consistency of visual trust signals and cues across multiple repositories and registries. There was some effort here by the OpenSSF to, I don't really like using this word, but to standardize: when you're trying to use something from one package registry you see how attestations are visually represented there, and also for some reason if you're on another registry doing stuff with other kinds of packages you see similar information or similar visual trust signals there, so that you can better trust overall the information that is given to you, because actually it's

Eriol Fox: being supported by multiple different entities as such. So they really wanted to see whether there was a way to standardize this information in order to help people trust better and trust more. I'm going to go a little bit more quickly since I don't know how much time I've got versus how much time Carol's got, but I want to make sure Carol has enough time. But we did a lot of desk research and understanding, and just a lot of time was spent, as I've said already, of usability experts and the designers trying to understand what are attestations, how are they different to, thank you Carol, how are they different to provenance information, how is it communicated, how is it different to software bill of materials, how is it automatically generated, do people typically consume it using a graphical

Eriol Fox: user interface on registry pages. If they don't, then how is it viewed and consumed in the kind of CLI, other places. So, we did a lot of explorative work to try and get to the point of how we could understand it well enough in order to communicate it, which is often just a challenge generally in design, and designing for security is tricky. If you don't understand the security practices, it's hard to design for them. We formed user personas just to give us an understanding of who we wanted to talk to. The user personas were really only just for that purpose of we want to make sure that we talk to a variety of individuals and everyone in between these personas if we can. But we want to make sure we hit these kinds of profiles. We did initial interviews on what is trust? What is security? What are your practices?

Eriol Fox: Some general understanding of how you assess security in open source software packages and the supply chain. How important is it to you? What would happen if you didn't do that and something went wrong, what could go wrong, and all these kinds of explorative questions. And then the second round was after we did some visual explorations on communicating attestation information and got direct feedback on whether or not this communicated the information that the users needed to see and find, and whether or not it conveyed the terms, the understanding

Mahmoud Alkhraishi: I think she just dropped,…

00:25:00

Caroline Sinders: No. Yeah.

Mahmoud Alkhraishi: which is unfortunate.

Eriol Fox: Sorry, that's what happens when this machine disconnects. I'm just going to keep going and see whether I can get through on this machine. We then developed visuals. We tested them, and then we did documentation, and then we published the style guide. Everything was done in 12 to 14 weeks. It was actually supposed to be done in 12 weeks, but we had to push for an extra couple of weeks because doing this kind of work is hard and it takes time. What is currently on registry pages? You can just see a little bit of information here on the package registry pages that we were looking at. I think there is a little bit more detail here; this is the checksum codes that can be manually checked, but often I think automatically checked again. It has been a while since I've done this work and hopefully I'm still remembering everything right.

Eriol Fox: And then we've got provenance information here about the build summaries, all this kind of stuff with transparency log. This is essentially what is being shown on the three registry pages currently. These are our different personas that we were trying to speak to and understand how they understood attestations. So the first one's a security architect. These are typically the people working on, as I said before, wallet based technology, anything to do with finance, even non-crypto finance, just regular finance. These were some of the people that we would describe as security architects, but also anyone, again, working on internet security infrastructure, or whose role it was to some extent, they were paid to be extra careful about

Eriol Fox: security of dependencies, software, etc. So, these were these persona ones, the security architects, tended to be the people that could confidently describe what an attestation meant to them, all the different terms meant to them. They are the ones that could do things like manually checking cryptographic signatures and things like that. So they were all the people that felt confident enough that even if there was an automated process or visual signals of secureness in the open source packages, they knew that they could check those things.

Eriol Fox: But it's also funny that the security architects also used a lot of the same methods that the pragmatic developers and the incidental consumers as personas did as well, which basically, once you're a pragmatic developer or an incidental consumer, basically the level of being able to manually check security stuff reduces, either in official role or interest or time. The pragmatic developers don't necessarily not care about security, but they are just not equipped with that extra knowledge of knowing how to find out information, how to confirm security information themselves. They would need to spend significant time exploring how to do those kinds of things. And they have heard of different terms, and they could describe provenance, SBOMs and things like that.
Eriol Fox: But they also, again like the security architects and also the incidental consumers, mostly just relied on other signals of trust. And so to get down to the incidental consumers, they are people that are absolutely unaware of complex security issues. They're not interested, for whatever reasons they may be, in understanding what the security risks are, or don't think that that applies to them. And they are the ones using visual signals of trust.

Eriol Fox: And these visual signals of trust that again all these personas relied on were things like: does the maintainer's profile picture and name correlate to the same maintainer that is listed on wherever the repository is, and can I find the link to the repository for this package? So they're doing kind of like, does this match this profile picture?

Eriol Fox: Download numbers. If a package has got a load of downloads, stars even, they automatically trust it. This can't be insecure if it's got this many downloads. And this is interesting then where you separate kind of the information, like some pragmatic developers and incidental consumers might not quite understand that there are different versions of the package.

00:30:00

Eriol Fox: So they might actually be on an old version of the package, but they're not really checking the build version and things like that, whereas the security architects are a little bit more detailed in what they were looking for. But to be completely honest, a lot of the security architects were checking those same things. Are there a lot of downloads? Are there a lot of stars? Do these names match these names? And then they were going into the security verification processes. Whereas pragmatic developers and incidental consumers were not doing those things essentially. So how can we make attestation information better for all of these people? Because we want it to be good for all of these people. So we did a bunch of user research, these interviews, these conversations, having people take us through their workflow, show us what they understood of various security things.

Eriol Fox: One of the tricky things about doing user research in the security space with developers, I'm just doing a little insight into the user research side of things, which is often when you do user research about a complex topic, when you're interviewing people or having a conversation with them, still a lot of people will feel the need to try and impress you as an interviewer. So it actually took us a long time to try and encourage these folks to admit when they didn't quite understand a term or when they needed it explaining more clearly. That's just one of the challenges about doing user research and talking to users in some of these spaces: sometimes, with the dynamic of research, you do have to spend some time with people to get kind of clear, honest, upfront answers.

Eriol Fox: But as I was saying, all of the personas use social proof, or what was it called? The web of trust, or there's another term which I'm maybe forgetting the exact words of, but this whole interconnected series of pieces of information that they used to indicate that they trusted a package from a particular page. Only the security architects and some pragmatic developers investigate further, some of which were doing these sandbox test environments, especially if they were working on these really critical projects. Again, people working on more risky systems or hard-to-reach systems. So, the hard-to-reach systems were people that were working on maybe hardware which was physically in a location that they actually physically couldn't get to.

Eriol Fox: So, the risky situation is that it's actually impossible to get to a piece of hardware that's in space or in the deep ocean. So, you have to be a lot more careful with what you're doing on those systems because you actually can't get to them to, I know this is a silly way of saying that, but to unplug them or whatever. It's harder to do that kind of stuff when you have hard-to-reach systems. So if you downloaded a malicious package, or there was a flaw in the dependency tree, and it was on a satellite. Then banking, finance, and crypto wallets, as I've said.

Eriol Fox: So this was a really interesting piece of the research that got surfaced: all of the people that we researched with were really fine with critical information being repeated when it's important. Because this is kind of like a weird thing that goes counter to a lot of best practice of UI and UX, which is like if you repeat information it annoys, bores users. It can sometimes make users think that there's bugs or it's just incorrect information. It makes them suspicious. But with security information, if these users saw provenance information repeated, so you have a provenance section that had the build history and also an attestation that had the same build history.

Eriol Fox: It's repeated in two different places. But they said that that was fine because they wouldn't miss it. So if they maybe missed it in provenance, they'd catch it in the attestation, or missed it in the attestation, they'd catch it in the provenance section. But also, it gave them confidence to see the same thing repeated twice in two different places. It gave them more confidence that it was the correct build, as opposed to if those two things were different. So say it said it was the build history in both places and it took them to different places, that's when there wouldn't be trust.
00:35:00 Eriol Fox: So weirdly repeating information especially if it's critical we had the same thing with the sha check sum even if that was repeated in multiple places people were like no this is fine it means it if you repeat this to us it's important everyone took similar steps when they were checking builds but different orders so it was really tricky to at one point we thought maybe there is a process that we can take people through to check an attestation. Maybe we can help teach them in a registry page. This is what an attestation is and this is the process that you go through to check it. But everybody does the stuff in different orders. So we can't really dictate an order particularly because people want to jump around for the order that they already have established themselves. we could do that in documentation for beginner users, but again that was a big topic of conversation we went down. Eriol Fox: Yeah, but everyone needed docs hands down you needed documentation. so they actually didn't want lots of detailed information in the registry pages. They wanted to be sent out documentation and they did visit documentation which is also good to confirm in research that if somebody says they want documentation but then doesn't visit the documentation then it's not really matching but anyway people want documentation and they were looking at documentation to check and then they Eriol Fox: wanted detailed information in a dedicated security page, but also quick visual references like badges or symbols or icons. and this was because not every visit to a package page on a registry or looking at something they want to use in open source software was a high security scrutiny visit. So, they weren't always going to be using the security pages. they were more likely to be using badges, symbols, icons, and quick information. 
But if they knew that a security page existed with more detailed information, then they could go there when it's a high security scrutiny visit. let's talk about some visuals. I'm going to kind of go through this quite quickly, but we did a lot of early explorations into how do you even put an attestation into kind of like an icon or a symbology? How do you communicate what a build is, what signing is? Eriol Fox: We came up with this kind of one towards the bottom here to kind of test out the visual which is just an kind of, phys physical signature with a pen in a box. but we did test out what if we had images of boxes for packages and bricks for the build as well. but we didn't really have enough time in the allocation of the budget to really fully explore unique visual elements. we kind of settled on the signature for this work because it was much more important to figure out how big where in the page in what sequence and with what interactions do people need this information when they need it. Eriol Fox: And then also to some extent what kind of wording is good for an attestation especially as we were exploring later on there are attestations which you can have multiple attestations across multiple aspects of the build. but we kind of came down to some of this information of a vendor confirms that this had this done to it in this location by this process using the source and build detailed and then with as much kind of text information as needed but also just giving people Eriol Fox: the option that they could explore that information if they wanted to with drop downs and sections that opened up. But we also explored a lot of when do we put a version number for a package? What does the word confirmed and I learned a lot in this project from a usability perspective about what people assume when you use certain words. And the two words that became really critical in this work were the word confirmed and the word verified. 
And how quickly, as soon as a user of any level of security knowledge sees the word confirmed or the word verified, they automatically switch their brains off and they're like, "Great, confirmed and verified by somebody. I don't have to make the decision myself. It's been confirmed and verified for me. Great."
00:40:00
Eriol Fox: And especially, that gets more prevalent the lower confidence in security knowledge that somebody has. There's a few different visual styles that we ended up exploring. We got to three different treatments that we ended up having in the final published delivery of the project. We had one that we called the medium amount of effort, and the high amount of effort.
Eriol Fox: Really, the high amount of effort is what we aimed for registry pages to use, because this basically was the introduction of an entire new security section, either a tab section or a new page or some kind of new security section for people, alongside some of this smaller information in the sidebar sections. And let's take a look at this. So we've got here, for this example, this is npm. So here there would be some information on the left hand side. You can kind of see the sidebar information near a lot of that social proof information that people were looking for. So everybody, remember, everybody was looking for a GitHub name or some kind of username from a maintainer, a profile picture, downloads, the repository link; they were also looking for the version number and things like that.
Eriol Fox: So we wanted to put small amounts of critical information about the build and attestations near that information, but we didn't want to overload people. But then we could take them to a new security section on npm. So this security tab then had information for security advisories, provenance, attestations, how it was signed, all of that kind of information that you would be looking for, or they would be looking for.
Eriol Fox: And then there were other sections underneath build. This kind of sidebar section had a build section. It had an attestation section. It had an integrity section with a checksum. The thing that was kind of optional in this version was whether or not you ended up having an integrity section with the checksum in the sidebar. But we basically advised that there should be build information and minimal attestation information, and then another place to get more detailed information. Yeah, this is what I talked about around the words confirmed and verified. Hard words to use. Then we talked about inclusion and localization, because a lot of things are different in other places in the world that are not majority English speaking. What happens when you have a longer word in a different language?
Eriol Fox: What happens with the term signature, written with a pen, in some cultures where they use a stamp for their signature? And then of course right to left. So that was part of what we delivered: we didn't get to look into that in depth in the style guide, but we wanted to make sure that it was something we flagged when we delivered. But yeah, that is the quick whistle stop tour of the attestation stuff, and I will stop now because I think there's only 15 minutes, but if you have questions I might have time for a bit of a question from Caro.
Mahmoud Alkhraishi: So we normally end at the 55 minute mark, and Caro, I don't know if this is enough time for you. Okay.
Caroline Sinders: So I'm a collaborator of Eriol's. I didn't work on this project, but I'm very interested in attestations. I also have a slight stutter, so sometimes certain words are hard for me to say: attestations. But I'm also the executive director of Convocation Research and Design. We're a human rights lab where we believe privacy and security are human rights. We also do security services.
Caroline Sinders: So they'll do rapid security trainings.
We also do security audits, both of organizations and of tools. We're a vendor with the Open Technology Fund's security lab. And I'm also, prior to entering UX design, I was a photojournalist. So I'm very interested in things around, let's say, verifiability, or how you could also think of things like attestations in images, which is something Adobe's been working on with content credibility certificates. So part of my interest also in joining was just to sort of say hi and support Eriol, and sort of also mention that this is something my lab is interested in working on and collaborating with Eriol on in the future. And…
00:45:00
Caroline Sinders: Yeah, go ahead Eriol. Sorry.
Eriol Fox: So if you hadn't all gathered,…
Eriol Fox: this was an open source project. So this part of the project got paid for in the way that I kind of talked about at the beginning, but it is now an open-source design project. So folks like Caro that are still working in this space, because I no longer kind of work in this space, although I want to see this, I want to see the interest in the usability of security information attestations grow. This is why it's good to have other designers join and other researchers join in, because, yeah, Open Source Design. Caro is part of Open Source Design, one of the other maintainers that maintain Open Source Design.
Eriol Fox: So if it wasn't clear, it was partly because Caro is part of the Open Source Design movement as well. Let's see. Yeah. Sorry, Caro.
Caroline Sinders: Yeah, that's kind of about it.
Caroline Sinders: I'm sort of more here to support and also be a part of the conversation, and just say also this is something that I think also in a human rights context is incredibly helpful and important.
Caroline Sinders: So some of those vulnerable users Eriol was describing, those are the users we work directly with: either tool builders who are directly serving those users, or human rights defenders, journalists, activists, and that also includes designers and technologists in spaces where there's rising authoritarianism, or there is currently authoritarianism in place, or those that are just fearful of surveillance. And so things like attestations are really important in our mind at Convocation. How can we help people better understand and assess the different tools that they're using or could be using? How do we think about how trust sort of manifests, if you will, outwardly? How can we make it easier for people to assess different types of projects?
Caroline Sinders: So that's also kind of the interest that I have as the executive director of Convocation, but also Convocation as an org, what our interest is. So yeah.
Mahmoud Alkhraishi: Are there any questions from the group?
Dmitri Zagidulin: So I want to say thank you so much to both of you. This has been amazingly helpful and really funny. And I say that so… this group deals a lot with attestations and…
Eriol Fox: Okay. Yeah. Yeah.
Dmitri Zagidulin: our jargon for it is verifiable credentials, right? So things ranging anywhere from 50% off coupons for breakfast cereals to diplomas, critical attestations, medical degrees, anything you can think of. And in designing our software, what we call credential wallets, we definitely have all of these problems that you run into, and lots more UI/UX needs to be done. But I was especially gratified to see, and amused, how you termed it: whenever somebody saw the word confirmed or verified, they turned their brain off.
Dmitri Zagidulin: We have what we call the big green check mark problem over here too.
Eriol Fox: Yes, it was.
Eriol Fox: So, again, just reaffirming what you are saying about the big green check mark.
Again, when people saw the build version with the check mark next to it, again, they just turned their brain off. They were like, "Yeah, it's got a green check mark. I trust it." But where has that check mark come from? And I see a hand up, but initially I think the expectation from the OpenSSF was "design us a badge," and I was like, what if we didn't design you a badge? Because the reason that badges aren't going to do what you need them to do is because people will see a badge and they'll automatically think this is fine, when really, what are you trying to do?
Eriol Fox: So a lot of our initial work was, hey, what is the aim here? Is it some amount of gentle education? Because it is possible to do gentle education whilst also having UI feedback that confirms existing knowledge, and that was the balance that we were trying to strike here, and we got most of the way there. I still don't think this is perfect work, but then again I think no work that I do is perfect. Yeah,…
00:50:00
Eriol Fox: gentle education, because I see another hand. If you want to go ahead,…
Mahmoud Alkhraishi: Yeah. …
Eriol Fox: please. Yeah.
Mahmoud Alkhraishi: So I have, on the same topic: did it matter at all, the source of the check mark? I know you said not really, but is this a case of "I know npm, I know Docker, they put a check mark, I'm going to trust it, so it's fine," or is it a case of literally any check mark anywhere actually gets that response?
Mahmoud Alkhraishi: So I guess my question is, do I see a check mark on npm and I assume npm also did something to check it?
Eriol Fox: That's a good question,…
Eriol Fox: right? Yes.
Mahmoud Alkhraishi: Or is it a case of any
Eriol Fox: So things… So agreed, typosquatting check: have you… am I on npm? Is this what I expect to be seeing, or am I kind of on a very smart spoof in some way? There was that process of implicitly trusting the vendor if they saw the name.
Eriol Fox: There was also the same or a similar problem with the attestation information, like text, as if it was signed by Pippi: it was like, "Okay, Pippi has signed it." And it was kind of like we just about got into the territory of trying to test whether an attestation… actually, no, we did test this, now I remember. We tested whether or not an attestation from a known brand, let's just call it what it kind of is, a brand, was more trustworthy than a less known brand or some other attestation. And it was very much so. It was kind of like, "I know GitHub Actions, or I know GitHub, or I know npm. Yes, I trust it more because I know the name."
Eriol Fox: The same, I think: the green check mark was only trusted in specificness around the iconography if it was next to information that also made sense. So in that respect, what we couldn't do was just put a new icon, which is kind of like a check mark with a signature attestation, and kind of just do that, because it wasn't next to any important information. And that was like, people need the context of what this verified badge is verifying. If it's a check mark, or if it's some kind of confirmation of good, it has to be next to relevant information.
Eriol Fox: So there's a few different things going on with this, but hopefully, as you can kind of maybe see with the screen share that I'm doing at the moment, I try to break down all the elements of all the UI and kind of say, this is important here for this reason and this reason. But yeah, I see another hand for a question.
Mahmoud Alkhraishi: So I'm just going to open for if there's any other questions.
Eriol Fox: Yeah.
Mahmoud Alkhraishi: If not, I have some more.
Mahmoud Alkhraishi: Okay. I'm not seeing one. One thing that I'm going to push back on is on the idea that gentle education might be a way forward for this.
I think your earlier comment about even people who do security in their day jobs, when they do things in their personal life, don't go for the most secure route goes against that, right? Because "I know better,…"
Eriol Fox: Yep.
Mahmoud Alkhraishi: "but it's just not convenient enough, so I'm not going to do it," or "it's not high stakes enough," and…
Mahmoud Alkhraishi: I think that's the core of the problem. In an ideal world, the secure way is the simplest and…
Eriol Fox: Yeah. Yeah.
Mahmoud Alkhraishi: correct way, and that's what I get out of the box, and then everything else I need to go and do inconvenient things to accomplish, right?
Eriol Fox: Yeah. I haven't… it, I guess it's kind of…
Mahmoud Alkhraishi: And so that's my one comment on education not really being where we should focus as a
Eriol Fox: What, from my perspective, what I would kind of say on that is I don't think it's wasted effort to look at education, but it's appropriate education. Because those security folks might not need it, but certainly the pragmatic developers and the incidental users need it. They need that support, and they need it in the documentation, and they know how to look through documentation, but they also need it in those moments that are going to… Caro would back me up with this, which is appropriate moments of friction. So we don't want to make it too easy for them to trust a check mark.
Eriol Fox: But I think kind of what you're saying is it's more complex than one answer, for sure.
00:55:00
Mahmoud Alkhraishi: So I'm not saying education is wasted effort. I'm not saying education is a bad idea. I'm merely saying that for a higher reward for our effort, I think we should focus on making things secure by default, so that even if I don't have the education, things are secure for me anyway.
Eriol Fox: Yes. Yeah.
Mahmoud Alkhraishi: And that if we focus on making the convenient path, then you're going to get a significantly higher bang for your buck. But education is always good.
It's always the correct thing to do, but it's not a silver bullet in this specific instance, at least using what I know. Yeah. No,…
Eriol Fox: On this note, I know we're over time. You said you usually finish at 52, but one of the… Okay.
Mahmoud Alkhraishi: We're good to go.
Eriol Fox: One of the visual treatments that we experimented with was what you see when you kind of automate it: it automatically checks. It's like all this information that's being checked in, and you get the thing that says, "Yes, everything has been checked securely and everything is secure," and it's kind of like the stuff that you see in Sigstore. And it was weird doing usability testing on the stuff you basically see in Sigstore, because it's like some people completely switch off and some people are like, "Yes, this is the information that I want to interrogate and look at."
Eriol Fox: But we were experimenting with what if there was, in a more friendly user interface, a way to get that kind of "something is processing" and you can check it within the registry page as opposed to in the CLI. But if there was a way of doing that same kind of process, then that could help. So it was kind of like, what if you took out the component where you needed to find the two pieces of information that get to manually check them against each other, or whatever, if you're checking signatures, and you press a button?
Eriol Fox: So I think it was like we experimented with a button that could say "check attestation," and you click that button because you're like, "I'm going to check the attestation," and it does something that checks the attestation and gives you visual kind of feedback with that. So in a way that was kind of like, you're making it easy by default by having a button there and you don't have to do any extra effort, but you're also getting a little bit of a download of, maybe I'm learning how a process happens.
There's also some interesting stuff around where and when you should show anything which is labeled security advisories. You can all read it if you're curious.
Eriol Fox: There's so much information to read.
Mahmoud Alkhraishi: So I guess the last question is…
Mahmoud Alkhraishi: where can we contribute and how can we push this work forward?
Eriol Fox: Yeah. Yeah. Yeah. Yeah. That's so exciting to hear. So I'm pretty sure this is the page version of it. I think that if you go onto the OpenSSF, you should be able to find the repository. It is a little ways away, but that repository is still active, I believe. And I think that that's the best place to go. Let me see if… really, let me see if I can get to it easier using one of these links. I'll be really embarrassed if this link doesn't work anymore from my slides, but there we go. Yeah. So, again, yeah, the Securing Software Repositories repo is here.
Eriol Fox: And I guess I would say, I wouldn't be doing a good job… The Securing Software Repositories working group is a really cool working group. Like, I learned tons while I was there. Anybody's welcome to join. You can go to the working group. You can talk about this work. You can ask about how to contribute to it. You can ask how the implementation is going. But yeah, this work is all here. This attestation UI and UX work is all here. I think the main thing that I was concerned about, leaving this project where it was, was there's still some stuff to do on it. There's still some investigation, implementation to be done, conversations to be had. But yeah, that's the best place to go to find what's happening. Yeah.
Mahmoud Alkhraishi: Thank you both for your time, and thank you everybody for being with us today. This was an absolutely wonderful presentation, and have a great rest of your day.
Eriol Fox: You too. Thank you. Bye-bye.
Meeting ended after 01:00:06 👋
*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*
Received on Wednesday, 20 May 2026 01:43:04 UTC