- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 22 Nov 2006 12:36:20 -0500
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-wsc-wg@w3.org,"Doyle, Bill" <wdoyle@mitre.org>
- Message-ID: <OF5832AB03.36477925-ON8525722E.005E73A5-8525722E.0061F2EA@LocalDomain>
Good writeup Bill. And I appreciate the proactive nature of your floating a recommendation. It gives us an example in a space we're all familiar with to discuss how we'll assess or drive the usability of our recommendations. Here's a starter list, a variant of which should make its way to the assumptions section of our Note (or perhaps there's overlap with the Goals section as well):

Methods that lend credence to the usability of a recommendation:
o Results from a user/usability test (lab testing, contextual testing, etc.)
o Results from applying an accepted usable design technique (personas)
o Results from real world use of the recommendation
o Review/critique of or generation by an acknowledged usability expert
o Results from applying accepted techniques for expert review of usability
o Foundational principles apply to or drove the recommendation

I'm guessing none of these yet apply to your recommendation below. A start (although it may be premature) would be to consider what the user model would be for this information; how a user could understand it, and how they would use it (how they would act on it). I personally would find it hard to rank a list of algorithm/key size pairs by strength (though I imagine I could do it with a bit of research), but then I wouldn't know what to do in any particular context with the outcome. How strongly do I need to protect my authentication to my bank? Subsequent account driven interactions with them? Interactions within my enterprise with company confidential data? With even more sensitive data (for example, acquisition discussions)? Web site purchases where I'm using my credit card, so the credit card provider gives me some protection if it's stolen and misused, but there is a subsequent hassle factor should that happen? Social networking? Social networking on a sensitive or private topic?

> > Browsers should make use of SSL session information and present this
> > information in a way that depicts the actual strength of the SSL
> > connection. Ways to define strength could include the use of the latest
> > cipher suites and longest keys allowed.

Received on Wednesday, 22 November 2006 17:50:09 UTC