- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Thu, 26 Apr 2007 09:11:04 -0400
- To: <sthomas2@ups.com>
- Cc: public-usable-authentication@w3.org
- Message-ID: <OFCBDACA93.316FBBFC-ON852572C9.0047F61D-852572C9.00486B74@LocalDomain>
I agree with all that. However, in WSC related discussions, it would be
incorrect to assume that asking what a particular piece of security
context information means, and if it's meaningful to the user, means a 1x1
mapping between meaningful information and display indicators (though for
all I know that was where Thomas was going). From my point of view, my
belief is that we will recommend a very small number of indicators, with a
model (and extra information for the very curious) behind them that hangs
together and makes sense. It might in fact be (and I think it has to be)
that a variety of information will map to a single state of an indicator.
In a sense, that is always true of user interfaces. But the place of every
piece of information needs to be meaningful to the user.
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
<sthomas2@ups.com>
Sent by: public-usable-authentication-request@w3.org
04/26/2007 08:19 AM
To: <public-usable-authentication@w3.org>
cc:
Subject: RE: DNSSEC indicator
Dick is quite right. DNSSEC could indeed provide another tool in the
toolbox to make sure that the network is doing what the user really
wants. My issue, though, is elevating the DNSSEC status to a
human-visible indication. The more indicators that are displayed to a
user, the less likely the user is to pay attention to them. Research is
already showing that users are ignoring the indications that browsers
give them today. For that reason, browser designers need to be very
parsimonious in displaying security indications and focus on showing
information that is really important. Given the relative rarity of
attacks involving improper name resolutions, a DNSSEC indication would
not seem to have enough value to justify its use.
Stephen
-----Original Message-----
From: Dick Hardt [mailto:dick@sxip.com]
Sent: Thursday, 26 April 2007 8:10 AM
To: Thomas Stephen (SKD8YPG)
Cc: public-usable-authentication@w3.org
Subject: Re: DNSSEC indicator
There is unlikely to be a single silver bullet that solves *all* the
issues. It is useful to know that the client really is connected to
www.micros0ft.com if that is what the client wants to connect to.
DNSSEC is not going to solve social phishing attacks, but it does
enable other technology such as CardSpace etc. to have increased
certainty on what is going on.
-- Dick
Received on Thursday, 26 April 2007 13:11:09 UTC