control, data, users

One of the topics I want to bring up here and at the f2f is how we'll deal 
with the issue of level setting around and agreeing on user acceptance and 
behavior. It's my belief that this will be one of the biggest difficulties 
in coming to concensus; how we'll agree about usability and users. It 
would be optimal if we could do some actual user studies, although that 
wouldn't cover "users learn" types of arguments. Something to think about, 
and I appreciate all thoughts on that topic. 

As a side note, I would like to encourage folks to discuss any of the 
items on the agenda of the f2f beforehand on the email list, particularly 
if they have input and might not make it. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




"Hallam-Baker, Phillip" <pbaker@verisign.com> 
Sent by: public-wsc-wg-request@w3.org
10/31/2006 12:28 PM

To
Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3c.org>
cc

Subject
RE: Greetings






The term 'frustrated by the various "artifacts"' reminded me that there is 
another important issue here, the insecure clutter that is getting stuffed 
into browsers without thought for the security issues.
 
For example, favicons have been spreading quickly. But there is no bar to 
having a favicon that looks like a padlock icon. It is pretty easy to 
create a favicon that makes a page appear to use SSL. 
 
We need to have a clear distinction between control and data. Users should 
be able to trust the browser to display content in the content window and 
restrict the chrome area to data that is trustworthy.
 
For years people have been telling me that 'users want' flash animations, 
etc. that can make whatever use of the user's screen they choose. Now the 
same people tell me to use Firefox pretty much because of what it does not 
allow. 
 
The control bar on my broswer belongs to me, it should not be possible for 
a content provider to disable it.
 
We have a 'stop downloading' button. Why can't I click that to stop the 
execution of Javascript &ct. on a page? 
 
 
Clearly it will take time to get from where we are to where we want to be. 
But it would be nice if there was at least a clickbox that would enable a 
single comprehensive set of browser configurations that is secure and 
repeatable. Ad hoc constraints on javascript are creating as much of a 
problem as the early spam filters that kicked out 10% false positive. If 
the set of capabilities was predictable and detectable content providers 
would be much better off.
 

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] 
On Behalf Of Timothy Hahn
Sent: Tuesday, October 31, 2006 10:10 AM
To: public-wsc-wg@w3c.org
Subject: Greetings


Hello! 

My name is Tim Hahn and I am looking forward to working with this group. 

I have been somewhat frustrated by the various "artifacts" which different 
HTTP clients/browsers use to convey whatever security-related information 
has been sent from HTTP servers to which the browser is connected.  The 
current state-of-the-art seems to be more annoying to users than 
informative, and even for security professionals can be confusing to 
interpret. 

I have worked for IBM for 16 years as a developer, designer, architect, 
and strategist.  I have been working on several of IBM's directory and 
security-related product offerings for over 10 years, dating back to 
Distributed Computing Environment, through LDAP directory services, and 
currently on authentication, access control, and identity management 
product offerings.  I have participated in several standards bodies in the 
past including DMTF and IETF working groups. 

I am looking forward to meeting all of you, either in person in NYC or on 
the list. 

Regards, 
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530