- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 25 Apr 2007 16:36:08 -0400
- To: Web Security Context WG <public-wsc-wg@w3.org>
- Message-ID: <OF02AC9589.3298BB73-ON852572C8.00708C2E-852572C8.00712AD9@LocalDomain>
I like the idea of having a goal in this space. I'd like to propose an
alternative wording that is more in line with the wording of our charter.
So I'm sure Stuart will like it less, because it is more abstract and
opaque.
Title: "Reduce the number of scenarios in which users need to make trust
decisions."
Content: "No matter how well security context information is presented,
there will always be users who, in some situations, will behave insecurely
even in the face of harsh warnings. Thus, the working group will also
recommend ways to reduce the number of situations in which users need to
make trust decisions."
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
From: Web Security Context Issue Tracker <dean+cgi@w3.org>
Sent by: public-wsc-wg-request@w3.org
Date: 04/25/2007 10:38 AM
Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
To: public-wsc-wg@w3.org
Subject: ISSUE-69: New goal--Reduce the number of scenarios in which users'
security depends upon authenticating sites
http://www.w3.org/2006/WSC/Group/track/issues/69
Raised by: Stuart Schechter
On product: Note: use cases etc.
Looking at the goals in Section 2 of the note, I don't see how password
managers, which reduce the likelihood that a user will enter a password
into an impersonation site, would fit into our goals. MeZ tells me that she
believes there is a rough consensus that they are in line with our goals.
Stuart proposes a new goal between 2.5 and 2.6:
Title: "Reduce the number of scenarios in which users' security depends
on their ability to authenticate a site"
Content: "No matter how well security information is presented, there
will always be users who, in some situations, will behave insecurely even
in the face of harsh warnings. Thus, the working group will also recommend
ways to reduce the number of situations in which users' security will be
compromised if they fail to recognize an impersonation attack or other
security failure."
Received on Wednesday, 25 April 2007 20:36:11 UTC