Comments RE: The Working draft

Hello All:

Please accept my comments on the following document:

http://www.w3.org/TR/wsc-usecases/


4.2 Comments

Our limitations on the definition of user agents could be counter-productive and the way this is currently worded may allow groups to say that they don't need to present security information because a client application does not fall into the category listed by the group in 4.2.


I think that it would make sense for this group and our recommendations to reference industry-accepted common standards and definitions; thus I would suggest that "user agent" actually refers to a client application through which one is accessing the Web.

Web User Agent from Wikipedia.org:

"Web user agents range from web browsers to search engine crawlers ("spiders"), as well as mobile phones, screen readers and braille browsers used by people with disabilities." (2007). User agent - Wikipedia, the free encyclopedia. Retrieved April 3, 2007, from Wikipedia, the free encyclopedia Web site: http://en.wikipedia.org/wiki/User_agent

This is a great definition (IMHO) and is the one I would recommend. 


As an additional note, I believe that we should additionally specifically reference that the security information being presented also complies with the W3C Web Content Accessibility Guidelines (WCAG 1.0 A) and of course WCAG 2.0. (Note: although there might be value in referencing other standards, i.e. US standards, it would not make sense to also include EU, Dutch, UK, and others, so for harmonization and simplification it is best to stick with W3C standards.)


Section 6 - Use Cases Comments


6.2 - My suggestion for this section is to either remove "some local application" or replace it with "a local or SaaS application". I make this distinction because:

1. Software may be provided with increasing frequency as a service, and SaaS could potentially hide some common items we are discussing.

2. "Local" is limiting, especially if we are using some sort of software distribution service, etc. While in past comments I have said that we need to be unambiguous in the case of defining where an application is being launched from, I would recommend that we be ambiguous, or at least more general.


6.5 Scenarios - Comments

I am unclear as to the purpose of the scenarios based on my reading of them. For example, in scenario number 12, what is it that we are trying to illustrate? What is the goal in this case? Do we intend to recommend what to do in this case to the user, and if so, will we define skill levels? Alternatively, are we going to suggest how a site validation tool would react to this case? I am assuming Betty is a novice user, perhaps my grandmother. If it was my grandmother I would advise her not to use the site. Not because it is unsafe, but because there would be doubt that my grandmother could evaluate the risk. I am of course just trying to understand the intent of the scenarios in this working draft. If the group could clarify this, a clearer understanding would help me to make better comments back to the group.


Another case I might recommend:

User buys software, registers and activates it via the software. This is actually done via a connected HTTP server, but is it secure? And how should a company let the user know, as personally identifiable information is being transferred over the Internet, perhaps without the user's understanding?


7 Available security information comments


7.1 - 7.7, This whole section seems very light and could use some expanded definitions. It seems as if we are enumerating types but not defining them in any way. Average users reading this will be at a loss. It seems that if one of the goals of our group is to educate, it may be important to clearly define everything we can so as to be unambiguous. For example:

7.2 Presence of dynamic content.

What does this refer to, and will there be techniques of any type to define this further? I would suggest clarification.


Thank you for your time, and I offer my time to work on this document in any way that the group sees fit!


Cheers,

Robert B. Yonaitis

Founder and CTO
HiSoftware
http://www.hisoftware.com/
603-496-7414


Received on Wednesday, 4 April 2007 00:57:38 UTC