- From: Bob Pinheiro <bob.pinheiro@fstc.org>
- Date: Wed, 04 Apr 2007 05:44:39 -0700
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
Section 10.2 (Learning from Past Efforts) states that "A growing body of research documents presentation techniques that have not proved effective in providing usable security." Section 10.3 (Implementation and Testing), which discusses the types of testing that the Working Group will undertake, states that "Usability testing will verify that the recommendations provide usable display of security context information." Given the past experiences cited in 10.2, it is not inconceivable that when the recommendations undergo usability testing, some will fall short of whatever criteria are set for "acceptable" usability. This suggests that the process of developing recommendations may need to be iterative; that is, the recommendations may need to be modified on the basis of the usability testing.

It is also likely to be true that any of the recommendations for presentation techniques or security context information made by the Working Group will either be ignored or misunderstood by some number of Internet users, or will otherwise be subject to successful attacks. I understand that the actual usability testing that can be performed by the Working Group will depend on available resources to perform the testing. However, it may turn out that for some of the use case scenarios discussed in Section 6.5, the Working Group will have no recommendations for the presentation of security information that is determined to be adequately "usable."

Such results may suggest that for those use cases, it may be more appropriate to think in terms of "safe browsing" alternatives. That is, in some cases, it may be unreasonable to expect that users will recognize certain security context information that will prevent them from falling victim to fraud. In those cases, it may be more appropriate to consider an alternative that invokes a browser specially configured for "safe browsing", which would allow access only to certain websites satisfying some set of criteria or characteristics.
Received on Wednesday, 4 April 2007 12:49:37 UTC