- From: Francois Daoust <fd@w3.org>
- Date: Fri, 12 Sep 2008 18:47:32 +0200
- To: public-usable-authentication@w3.org
Hi,

I stumbled upon several obscure terms and sentences while reading the spec (see list below). The terms are not defined. As far as I can tell, they are all basic terms when one is used to dealing with security on the Web. Even though it contains "Security", the title looks friendly, and doesn't seem to infer that a technical background on security is required. Since there is no audience section, I expect I'm reasonably well-versed in Web matters to understand the spec. That is not the case: I understand the clauses, which is good, but I sometimes fail to understand the rationale behind them.

Depending on the audience you are targeting, you may not want to define these terms in the spec. That is the gist of this comment: the audience is not defined. If your primary target is security experts, no need to read the following list. If your primary target is user interface developers, you should clarify them. In any case, you should probably mention it and specify the expected knowledge before reading the spec so that readers know what to expect beforehand.

Here is the list of security-related topics that are not so common for other communities (well, "for me" at least, that is ;)):

- Section 5: The "TLS" acronym is actually never defined (only mentioned in the references part).
- Section 5.1.5: "use of TLS provides confidentiality protection services against passive attackers". What is a "passive attacker"?
- Section 5.1.5: "this can be strong evidence that protection against an active attacker has been achieved as well". What is an "active attacker"?
- Section 5.1.5: "evidence that a man in the middle attack occurs". For once, I know what a "man in the middle attack" refers to, but I'm not sure everyone does.
- Section 5.2: "for both confidentiality and integrity protection". I get the difference, but that may be worth a little explanation as well.
- Section 7.1.1: same thing with "phishing" and "spoofing", although probably known by more people.
- Section 8.2: "OCSP" stands for?

As a side note, I am totally fine with the relative complexity created by the multiple definitions the spec already contains. Precision is good!

Thanks,
Francois Daoust, W3C Staff Contact, Mobile Web Best Practices Working Group.
Received on Friday, 12 September 2008 16:48:05 UTC