Re: ACTION 33: Goals / Non Goals

"Hallam-Baker, Phillip" <pbaker@verisign.com>, 2006-12-07 11:57 -0800:

> I spent some time trying to decant these from the minutes of the
> meeting, they appear to me to state what we want to do at the
> high level. How far do we want to drill down and give specifics?
> 
> Goals
> 
> *	Catalog the existing context information provided to the users of the Web.

Yes. That seems like a reasonably well-bounded task. I don't think
we need to decide how far down to drill on that one. It'll just be
a matter of documenting current application behavior.

> *	Consider the interpretations that users reasonably infer from existing information.

That one, on the other hand, doesn't seem well-bounded at all to
me. What conclusions we find about interpretations that users are
currently making will depend on who we ask. I'm not sure how
reasonable it would be to expect to get any kind of agreement
on this.

> *	Set out a series of use cases and abuse cases specifying
> commonplace security sensitive Web transactions and likely forms
> of criminal attack respectively.

Yes. Not sure how much drilling down will be needed on that one. Maybe
it's more a matter of just deciding how many use cases to include.

> *	Analyze context information the user requires to safely
> complete the proposed use cases and prevent abuse cases.

Yes. Boundaries of that will just depend on the specific use cases.

> *	Perform a gap analysis to identify areas where the context
> information provided to the user is either insufficient or
> misleading.

Yes. But while it might be relatively easy to describe a case
where a user agent provides users with information that's
misleading, describing cases where a UA provides users with
"insufficient" information is a whole other matter.

> *	Propose changes to the presentation of existing context
> information and additional context information that might be
> provided to close the identified security gaps.

Yes. But I doubt we'll need to drill down on that one until we've
got work on the other tasks farther along.

  --Mike

Received on Monday, 11 December 2006 07:25:49 UTC