
Re: ISSUE-37: qualify your interrupts (from public comments)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Wed, 18 Apr 2007 08:36:41 -0400
To: Web Security Context WG <public-wsc-wg@w3.org>
Message-ID: <OFFAB6CB72.50B93F3B-ON852572C1.0045289C-852572C1.00454A05@LocalDomain>

I think we're good on this one.

And as we've discussed, not all presentation techniques can be (easily) 
spoofed. Those relying on "shared secrets" (petnames, tartans, personal 
information), for example. And of course, input rituals are not "only" 
presentation techniques. 


Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Web Security Context Issue Tracker <dean+cgi@w3.org> 
Sent by: public-wsc-wg-request@w3.org
04/15/2007 10:48 AM
Please respond to
Web Security Context WG <public-wsc-wg@w3.org>


ISSUE-37: qualify your interrupts (from public comments)


Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org


qualify your interrupts 
where it says, in 2.4 User awareness of security information
  The Working Group will recommend presentation techniques that
   integrate the consumption of security information by the user into
   the normal browsing workflow. Presenting security information in a
   way that is typically ignored by the user is of little value.
please consider
Yes.  The WAI-ARIA technologies are targeted to bring into the fold of 
accessible web content newer, more integrated high-usability interaction 
gestures (such as transient flyouts for information or action), as opposed 
older gestures such as loading a whole new page or launching a popup 
We should work together. And yes, you sometimes have to get the user's 
attention.  But on the other hand there are real "boy crying wolf" 
problems if you contend too hard for the user's attention. 
There is a rather unruly free-for-all going on out there vying for the Web 
wanderer's attention.  How do you get the user's appropriate attention? In 
part by not seeking it unnecessarily.  I know you are addressing this in 
under 2.2.  But it also goes for how you blend the security message into 
flow vs. distinguish it so that it is recognized for what it is.  All 
presentation-based distinctions (2.3) are subject to imitative spoofing 
attacks.  The communication of a "continuing all clear" security status 
be something the user is likely to ignore.  Because it doesn't represent a 
change from what the user has internalized about their dialog context, nor 
anything that the user needs to do something about.  The trick is to have 
user's field of focus infiltrated with rationally-chosen gestures of 
graded 'initiative-grabbing' quality for the communication of different 
or reassurance levels in the security context.  Contemporary 
Web and installed applications afford a greater variety of such gestures 
more subtle variation in attention- or initiative-grabbing quality.  Yes, 
want to get with the program in this regard.
Received on Wednesday, 18 April 2007 12:36:53 UTC
