- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 1 Nov 2006 09:25:07 -0500
- To: pbaker@verisign.com
- Cc: public-wsc-wg@w3c.org
- Message-ID: <OF440CC855.24B7A4AA-ON85257219.004EDCFF-85257219.004F31A2@LocalDomain>
One of the topics I want to bring up here and at the f2f is how we'll deal with the issue of level setting around and agreeing on user acceptance and behavior. It's my belief that this will be one of the biggest difficulties in coming to concensus; how we'll agree about usability and users. It would be optimal if we could do some actual user studies, although that wouldn't cover "users learn" types of arguments. Something to think about, and I appreciate all thoughts on that topic. As a side note, I would like to encourage folks to discuss any of the items on the agenda of the f2f beforehand on the email list, particularly if they have input and might not make it. Mez Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389) Lotus/WPLC Security Strategy and Patent Innovation Architect "Hallam-Baker, Phillip" <pbaker@verisign.com> Sent by: public-wsc-wg-request@w3.org 10/31/2006 12:28 PM To Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3c.org> cc Subject RE: Greetings The term 'frustrated by the various "artifacts"' reminded me that there is another important issue here, the insecure clutter that is getting stuffed into browsers without thought for the security issues. For example, favicons have been spreading quickly. But there is no bar to having a favicon that looks like a padlock icon. It is pretty easy to create a favicon that makes a page appear to use SSL. We need to have a clear distinction between control and data. Users should be able to trust the browser to display content in the content window and restrict the chrome area to data that is trustworthy. For years people have been telling me that 'users want' flash animations, etc. that can make whatever use of the user's screen they choose. Now the same people tell me to use Firefox pretty much because of what it does not allow. The control bar on my broswer belongs to me, it should not be possible for a content provider to disable it. We have a 'stop downloading' button. Why can't I click that to stop the execution of Javascript &ct. on a page? Clearly it will take time to get from where we are to where we want to be. But it would be nice if there was at least a clickbox that would enable a single comprehensive set of browser configurations that is secure and repeatable. Ad hoc constraints on javascript are creating as much of a problem as the early spam filters that kicked out 10% false positive. If the set of capabilities was predictable and detectable content providers would be much better off. From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Timothy Hahn Sent: Tuesday, October 31, 2006 10:10 AM To: public-wsc-wg@w3c.org Subject: Greetings Hello! My name is Tim Hahn and I am looking forward to working with this group. I have been somewhat frustrated by the various "artifacts" which different HTTP clients/browsers use to convey whatever security-related information has been sent from HTTP servers to which the browser is connected. The current state-of-the-art seems to be more annoying to users than informative, and even for security professionals can be confusing to interpret. I have worked for IBM for 16 years as a developer, designer, architect, and strategist. I have been working on several of IBM's directory and security-related product offerings for over 10 years, dating back to Distributed Computing Environment, through LDAP directory services, and currently on authentication, access control, and identity management product offerings. I have participated in several standards bodies in the past including DMTF and IETF working groups. I am looking forward to meeting all of you, either in person in NYC or on the list. Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Durham/IBM@IBMUS phone: 919.224.1565 tie-line: 8/687.1565 fax: 919.224.2530
Received on Wednesday, 1 November 2006 14:31:47 UTC