- From: James A. Donald <jamesd@echeque.com>
- Date: Fri, 23 Jun 2006 07:31:09 +1000
- To: public-usable-authentication@w3.org

Chris Drake wrote:
> The word "Chrome" is so cool that nobody wants to put
> it back on the shelf where it belongs!

In the paper world, letterhead conveys trust, though perhaps it should not, trust in the message, which is part of the reason that fake websites work so well.

Obviously we have to make this instinctive reaction work for the user, rather than against him - which means that the web site's control of the stuff at the top of the screen should depend on the recipient's trust in the domain - whitelisting as in the Netcraft toolbar, CA certificates, and past visits to the domain or messages from the domain that passed the spam filter. In particular, past successful logins to the domain, as in Trustbar and some incarnations of Passpet.

(I fear that someone is going to tell me that the user's reaction to the general appearance of the top of his window is off topic, or "out of scope" also.)

I rather like Phillip Hallam-Baker's phrase "Secure Internet Letterhead" - which unfortunately now means his specific proposal and RFC 3709. If it had instead meant a trusted path for conveying identity and trust information to the user (trusted path assuming your computer is not owned), which is almost what we now mean by "secure chrome", this would have established the right user factor orientation to this discussion.

I restrain myself from discussing Ebay's success and PKI's failure in providing trust information to users, since everything that Ebay does to succeed is quite clearly out of scope for this list.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
AVayE7tumsJ8TFYzGCST0ClHA6WeaX5jKV2cI8i6
4GlamBdlaVt12yNUEBEPZKGFd89jN4gveKxgwjYpM

Received on Thursday, 22 June 2006 21:31:22 UTC