Re: ACTION-125: use case rework

> sensitive information -- be it credentials or personal data.  He
> might be interested in downloading software for his local system,
> fully aware that this implies that he trusts the software provider
> to behave correctly far beyond the confines of the browser sandbox.

Or more likely, not fully aware of it. 

> 5. In the advertising leading up to a re-run of the 1970s movie
> classic "The Sting," Doyle sees an offer for a new-fashioned
> investment that he can't refuse, offered by a brand that he has
> heard of before.  He memorizes the URL that is given toward the end
> of the advertising.  Coming back home, he mis-types the URI at
> first, corrects a spelling error, and then reaches a web site that
> matches the investment firm's branding and name.  He's asked for
> identifying information that he provides.
> 
> Destination site:    no prior interaction, known organization
> Navigation:        typing 
> Intended interaction:    submission of sensitive information
> Actual interaction:    submission of sensitive information
> 
> Variations: The URI that Doyle typed can be correct or not.
> Orthogonal to this, he can end up on the web site he intended to
> interact with, or not. 

I'm unclear on why. If he typed it properly, then the ad before The Sting 
was a scam? 

> Doyle might also have typed a keyword
> glanced from the movie screen into a search box.
> 


> 18. [Current 6.11; reworked to be more clearly in scope]
> 
> Vicki is interested in finding out more about art auctions in the
> greater Boston area.  She engages a search engine and tries to
> follow a link there.  Her web browser consults a reputation service
> which has recorded that the link target will attempt to subvert the
> browser and install malicious software.

Tyler, in another email you asked about reputation services:
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Feb/0009.html
This one does not seem covered by the examples you gave. Though it might 
be covered by something else (I don't see blacklist there; that would be 
the reputation service referenced here). 

Stuart, ACTION-124 gives yesterday as a due date for your threat tree 
work. Now that you've got this in hand, please put in a realistic date on 
that one. Thanks.
        Mez

Received on Thursday, 8 February 2007 21:17:46 UTC