Re: ISSUE-37: qualify your interrupts (from public comments)

I think we're good on this one.

And as we've discussed, not all presentation techniques can be (easily) spoofed. Those relying on "shared secrets" (petnames, tartans, personal information), for example. And of course, input rituals are not "only" presentation techniques.

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
04/15/2007 10:48 AM
Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
To: public-wsc-wg@w3.org
cc:
Subject: ISSUE-37: qualify your interrupts (from public comments)

ISSUE-37: qualify your interrupts (from public comments)

http://www.w3.org/2006/WSC/Group/track/issues/37

Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org

http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

qualify your interrupts

where it says, in 2.4 User awareness of security information

  The Working Group will recommend presentation techniques that integrate the consumption of security information by the user into the normal browsing workflow. Presenting security information in a way that is typically ignored by the user is of little value.

please consider

Yes. The WAI-ARIA technologies are targeted to bring into the fold of accessible web content newer, more integrated high-usability interaction gestures (such as transient flyouts for information or action), as opposed to older gestures such as loading a whole new page or launching a popup dialog. We should work together. And yes, you sometimes have to get the user's attention. But on the other hand there are real "boy crying wolf" problems if you contend too hard for the user's attention.

Why?

There is a rather unruly free-for-all going on out there vying for the Web wanderer's attention. How do you get the user's appropriate attention? In part by not seeking it unnecessarily. I know you are addressing this in part under 2.2. But it also goes for how you blend the security message into the flow vs. distinguish it so that it is recognized for what it is. All presentation-based distinctions (2.3) are subject to imitative spoofing attacks. The communication of a "continuing all clear" security status should be something the user is likely to ignore. Because it doesn't represent a change from what the user has internalized about their dialog context, nor anything that the user needs to do something about. The trick is to have the user's field of focus infiltrated with rationally-chosen gestures of graded 'initiative-grabbing' quality for the communication of different hazard or reassurance levels in the security context. Contemporary rich-interaction Web and installed applications afford a greater variety of such gestures with more subtle variation in attention- or initiative-grabbing quality. Yes, we want to get with the program in this regard.

Received on Wednesday, 18 April 2007 12:36:53 UTC