Re: Secure Chrome from Thomas Roessler on 2006-04-14 (public-usable-authentication@w3.org from April 2006)

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 14 Apr 2006 16:24:49 +0200
To: Dan Schutzer <dan.schutzer@fstc.org>
Cc: 'George Staikos' <staikos@kde.org>, public-usable-authentication@w3.org
Message-ID: <20060414142449.GV28531@lavazza.does-not-exist.org>

One idea that I took away from the workshop in this area was
the one of training users to rely on different "ceremonies" for
entering sensitive information or logging into sites: In this
context, there would only be a very limited set of restrictions
to the browser chrome in default mode, and a heavily
stripped-down mode that can be enabled interactively as part of
such a ceremony, through a secure attention key.

Restrictions on the default mode could be quite limited in this
scenario, since trust could be derived from following the
ceremony (e.g., having used a secure attention key); the safer
mode that is entered by the ceremony could then be focused on
the conspicuous display of certain metainformation.

Of course, this approach would require quite a bit of usability
testing in comparison to approaches where heavier restrictions
on the default browsing environment could counter fakes.

Ultimately, there may quite well be changes to be made on both
sides that could be beneficial.

The near-term question that needs to be answered, though, is if
there might be enough momentum behind these ideas to warrant
starting formal work on them.

So, guys, how's it looking?

-- 
Thomas Roessler, W3C   <tlr@w3.org>

On 2006-04-12 14:50:30 -0400, Dan Schutzer wrote:
> From: Dan Schutzer <dan.schutzer@fstc.org>
> To: 'George Staikos' <staikos@kde.org>, public-usable-authentication@w3.org
> Date: Wed, 12 Apr 2006 14:50:30 -0400
> Subject: RE: Secure Chrome
> List-Id: <public-usable-authentication.w3.org>
> X-Spam-Level: 
> X-Archived-At: http://www.w3.org/mid/E1FTkQL-0004WI-GZ@lisa.w3.org
> 
> 
> I think, just as the web browsing experience now allows a user to set and
> change various levels of security and privacy depending on the website, I
> would think they could be induced to allow websites and customers to select
> for more high risk transactions a safe browsing mode to be invoked. It is an
> idea whose time may have come. I as a user would welcome such modes within
> my control, so that when I am transacting and exchanging highly sensitive
> information, I can work in a more secure mode.
> 
> -----Original Message-----
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of George
> Staikos
> Sent: Wednesday, April 12, 2006 1:55 PM
> To: public-usable-authentication@w3.org
> Subject: Re: Secure Chrome
> 
> 
> On Tuesday 11 April 2006 18:30, Mary Ellen Zurko wrote:
> > No active content at all. Zippo. No javascript. No Java. No ActiveX.
> >
> > Web browsing the way nature intended :-).
> >
> > Yes, there's a lot of things you couldn't do with such a browser. But it
> > has the benefit of simplicity.
> 
>   Do you think any website developers will ever accept such a thing? :-)  I 
> think not...
> 
> -- 
> George Staikos
> KDE Developer				http://www.kde.org/
> Staikos Computing Services Inc.		http://www.staikos.net/
> 
> 
> 
> 
>

Received on Friday, 14 April 2006 16:23:58 UTC