- From: Stuart E. Schechter <ses@ll.mit.edu>
- Date: Mon, 23 Apr 2007 15:43:38 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
The introduction to the note should include a hyperlink to the charter. In talking with MeZ, she thinks 90% of what we're doing is fighting impersonation attacks. Fighting impersonation means making it easier to for users to know what site they are communicating with, and reducing the number of cases in which impersonation can cause harm (the number of security-critical decisions that require users to verify the identity of the site.) If this were reflected in the note, the goals and scope would be oodles more clear. For example, "security information" could be transformed into the much more descriptive "information used to authenticate the site". Looking at the goals in Section 2 of the note, I don't see how password managers, which reduce the likelihood that a user will enter a password into an impersonation site, would fit into our goals. MeZ tells me that she believes there is a rough consensus that are inline with our goals. Stuart proposes a new goal between 2.5 and 2.6: Title: "Reduce the number of scenarios in which users' security depends on their ability to authenticating a site" Content: "No matter how well security information is presented, there will always be users who, in some situations, will behave insecurely even in the face of harsh warnings. Thus, the working group will also recommend ways to reduce the number of situations in which users' security will be compromised if they fail to recognize an impersonation attack or other security failure." With regard to section 3.1 (Goals), I think it's very hard to make sense of what's in scope and out of scope given that there are 20 use cases. It sounds like consensus is that average user's everyday activities in are in scope, and that exceptional cases and expert use cases are out of scope (so long as they attacker can not cause and exploit exceptional cases.) Why don't we just say something to that effect? I think Section 7 documents "Security information available to the user agent", and so this should be it's title. In section 8, we jump to merits of the status quo without what the status quo is. Are we going to start by defining the status quo? If so, the status quo of what? Perhaps "Current mechanisms for conveying site authentication information to users?"
Received on Monday, 23 April 2007 19:44:45 UTC