- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Mon, 6 Aug 2007 23:31:40 -0000
- To: "W3 Work Group" <public-wsc-wg@w3.org>
Responding to the section about the PII bar...

A b: I expect we will still recommend a proposal if it requires some training, so to maximize the chances of passing, I don't think I'll try for no training.

B a: The second clause is redundant, since it's impossible to complete the bootstrap scenario without entering a petname.

B b: This attention sequence can be the exact same one used by the form fillers built into today's web browsers; therefore I expect the use rates to be the same.

B c: Don't understand

B d: Don't understand

B e: I think this is saying the same thing as: <http://www.w3.org/2006/WSC/drafts/rec/#piieditor-expected-tendency>

B f: The petname is not intended as a defense against Picture-in-Picture attacks. The PII data strings and the chrome customization provide this defense. There's no expectation that a petname will be globally unique or hard to guess. For example, choosing the petname "paypal" for the Paypal.com site is perfectly reasonable.

C a 1: The attention key used in the PII bar is *not* a secure attention key. It's perfectly fine if users don't know if or how they entered it. The attention key is merely a convenient shortcut to get keyboard focus into the PII bar. For example, using the down arrow key, as browsers currently do to activate the form filler, is perfectly fine. Alternatively, it's also fine for users to just use the mouse to move the input focus to the PII bar.

C a 2: Again, petnames are not expected to be unique or unguessable. Everyone could use the exact same petname and that would be fine. The important feature of a petname is that it came from the user, rather than the named entity. It's about the name assignment process, not the text characters in the name. The petname names who the user thinks they are interacting with. This name MUST come from the user, rather than the named entity, since a phisher would choose to have the petname of the impersonated site.

The bootstrap phase of the PII bar integrates entry of the petname with authentication of the site. The browser's form filler only becomes accessible after passing through the bootstrap phase. Partial completion of the bootstrap phase is not an option. It's either all the way through, or nothing at all, so balking at the entry of the petname is not really an option.

C b 1: The only difference in user actions between the PII bar form filler and today's form fillers is the distance of the drop down menu from the input field. Key press and/or mouse click counts should be identical. By putting the PII bar form filler menu at the bottom of the window, the user can throw the mouse in the same way they do to access the menu bar, or back/forward buttons. Alternatively, the attention key does this navigation in one keystroke.

C b 2: We should put together some more detailed spoofing scenarios.

D: I agree. It would be nice if Mozilla, or Microsoft, or another browser vendor, would host a code sprint for this WG to bootstrap this effort. I'm willing to do the coding, but could use some help finding the needed APIs. For example, AFAICT, IE7 still does not provide an API to access the SSL certificate.

--Tyler

--
[1] "RecommendationUsabilityEvaluationFirstCut - W3C Web Security Context Wiki"
<http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut#head-19caf4993d486f3f77f40171acc200d22fbf016e>

________________________________
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Rachna Dhamija
Sent: Tuesday, July 31, 2007 6:22 PM
To: W3 Work Group
Subject: first cut usability walk through

The usability group is starting to analyze the proposed recommendations. Our first goal is to clearly state the expected user behavior in each proposal and to map this to what is known from previous studies. Proposal authors: Did we capture your expected user behavior correctly? Is there anything you disagree with or would like to add?

http://www.w3.org/2006/WSC/wiki/RecommendationUsabilityEvaluationFirstCut

(Note: this is a work in progress - each write-up is by a different author and does not represent consensus by our group yet).

Rachna
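The petname model Tyler describes above (the name comes from the user, it is keyed to the authenticated site rather than to anything the page supplies, it need not be unique, and the form filler is gated on completing bootstrap) can be shown in a few lines. The following is an added example written for this archive page; it is not code from the WSC working group, the PII bar proposal, or any browser. It assumes a site identity made of an authenticated origin plus a certificate fingerprint, and every site record and fingerprint in it is a constructed sample value.

```javascript
// Added example (not part of the W3C thread): a minimal petname store in the
// spirit of the PII bar. Assumption: the browser hands us an authenticated
// site identity (origin + certificate fingerprint). Anything the page itself
// claims (title, logo text) is deliberately ignored when building the key.

class PetnameStore {
  constructor() {
    // authenticated site identity -> petname the user chose for it
    this.byIdentity = new Map();
  }

  // The lookup key is built only from what the browser authenticated.
  // site.pageTitle (if present) is page-supplied and never used.
  static identityKey(site) {
    return `${site.origin}|${site.certFingerprint}`;
  }

  // Bootstrap: the user names the site. There is no partial bootstrap:
  // an empty petname leaves the identity unnamed and throws.
  bootstrap(site, petname) {
    if (typeof petname !== 'string' || petname.trim() === '') {
      throw new Error('bootstrap incomplete: a petname is required');
    }
    // Petnames are not required to be unique; two identities may share one.
    this.byIdentity.set(PetnameStore.identityKey(site), petname.trim());
  }

  // Returns the user's petname for an authenticated site, or null if the
  // user never bootstrapped this identity.
  petnameFor(site) {
    return this.byIdentity.get(PetnameStore.identityKey(site)) ?? null;
  }

  // Form-filler gate: credentials are only offered for identities the user
  // has already named ("all the way through, or nothing at all").
  canFill(site) {
    return this.petnameFor(site) !== null;
  }
}

// Constructed sample identities (fingerprints are placeholders, not real).
const REAL_SITE = { origin: 'https://www.paypal.com', certFingerprint: 'fp-constructed-real', pageTitle: 'PayPal' };
const LOOKALIKE = { origin: 'https://www.paypa1.com', certFingerprint: 'fp-constructed-other', pageTitle: 'PayPal' };
const OTHER_SITE = { origin: 'https://www.example.org', certFingerprint: 'fp-constructed-third', pageTitle: 'Example' };

// Walk through bootstrap and lookup; returns the observable outcomes.
function demo() {
  const store = new PetnameStore();
  store.bootstrap(REAL_SITE, 'paypal');
  store.bootstrap(OTHER_SITE, 'paypal'); // same petname, different identity: fine
  return {
    real: store.petnameFor(REAL_SITE),          // 'paypal'
    lookalike: store.petnameFor(LOOKALIKE),     // null: identical page title buys nothing
    other: store.petnameFor(OTHER_SITE),        // 'paypal'
    fillReal: store.canFill(REAL_SITE),         // true
    fillLookalike: store.canFill(LOOKALIKE),    // false
  };
}

// Returns true if an empty petname is refused, i.e. bootstrap cannot be
// half-completed.
function emptyPetnameIsRejected() {
  try {
    new PetnameStore().bootstrap(REAL_SITE, '   ');
    return false;
  } catch (e) {
    return true;
  }
}

console.log(demo(), emptyPetnameIsRejected());
```

The point the example makes is the one in C a 2: the lookalike site carries the same page title as the real one and would happily choose the same petname, but because the key is derived from the browser-authenticated identity and the name is only ever written by the user, the impersonating identity resolves to no petname and the form filler stays closed for it.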
Received on Monday, 6 August 2007 23:33:08 UTC