- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 21 Jun 2006 09:56:26 +0200
- To: "James A. Donald" <jamesd@echeque.com>
- Cc: public-usable-authentication@w3.org
On 2006-06-21 09:11:30 +1000, James A. Donald wrote:

> I think you are guilty of premature optimization. One
> question surely is: what problem does one want to solve
> using Secure Chrome and Secure MetaData?

The (maybe relatively modest) proposal here is to end up in a state in which at least vigilant users are able to reliably and easily tell in what kind of security context they operate.

This brings up three questions:

- What information should be presented, as a baseline? There's context to individual transactions (TLS in particular) that can help, and there's context in terms of user agents' historic memory that might help.
- How do you present that information so people get it?
- How do you keep attackers from tampering with this display? How do you keep them from spoofing it?

With respect to usability, this approach to scoping quite consciously pushes one of the really hard problems to the sidelines for the moment: How do you get users out of routine? How do you wake them up, so they become vigilant in the first place? Likewise, e-mail authentication is out of scope.

If you think you have a more productive scope and direction of work to offer, let everybody hear it. Or comment on the charter drafts to which I pointed last night, and make concrete proposals.

But please don't repeat over and over (together with Chris Drake) that "the problem can't be broken into pieces." This is not helpful at all.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 21 June 2006 07:56:34 UTC