RE: ACTION-125: use case rework

On your misuse case comment, I thought Stuart's threat trees would cover 
that. Stuart, will they?

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




<michael.mccormick@wellsfargo.com>
Sent by: public-wsc-wg-request@w3.org
02/09/2007 01:23 AM

To: <tlr@w3.org>, <ses@ll.mit.edu>
cc: <public-wsc-wg@w3.org>
Subject: RE: ACTION-125: use case rework

Thomas,

I think that, as far as they go, the updated use cases are generally
excellent (as I mentioned in my previous note to MEZ re ACTION-78).

In order to validate whether these use cases completely cover what users
need browser security indicators to provide them, I suggest a simple
"CIA+R" test can be applied:

Confidentiality: Users want to know if sensitive information is being
kept confidential.  They may not know exactly what encryption is... but
they know they don't trust their ISP with the same information they
trust their doctor or banker with.

Integrity: Users want to know if information they send to the site, or
pages they receive back from the site, has been altered. 

Authenticity: Users want to know if the site is really the one they
think it is.

Reputation: Some users also want to know if a site has had problems or
has a good track record.

Most of the current use cases seem designed to address the Authenticity
requirement.  Use case 18 does address Reputation.  Use case 19 sort of
addresses Confidentiality but apparently only in the physical world
(Betty wonders "whether others nearby will be able to eavesdrop on her
interactions".)  None seem to address Integrity.

You're no doubt familiar with the concept of misuse cases.  Maybe that's
what's needed to close the gaps; a few misuse cases such as:

 - Malicious ISP sys admin Eve is trying to steal credit card numbers
from web server logs.  Luckily Alice's web browser lets her know all her
sensitive information is encrypted when she sends it to Bob's Bank.
[confidentiality, integrity]

 - Malicious criminal Mallory has set up a web site that looks just like
Bob's Bank.  Luckily Alice's web browser catches the fact that the
site's SSL certificate has the wrong domain when Google inadvertently
sends her to Mallory's site instead of Bob's. [authenticity]

 - Bob's Bank is breached by hackers but Alice didn't see the story
about it in the newspaper and she hasn't yet received her SB1386
notification letter.  Luckily Alice's web browser has downgraded the
reputation of Bob's site, alerting her to the news of the breach before
she even logs on. [reputation]

Mike

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Thomas Roessler
Sent: Tuesday, February 06, 2007 6:46 PM
To: ses@ll.mit.edu
Cc: public-wsc-wg@w3.org
Subject: ACTION-125: use case rework


Here's proposed material following from the use case structuring
discussion that we had in San Jose; this is intended to be input
material for Stuart's threat trees.  This is a first cut -- I've made
edits to some of the existing use cases, changed some of them, and so
on.  I suspect that Stuart might be tempted to change things to be a bit
more rigorous; Rachna, Maritza and MEZ might be on the look-out for
spelling out user mental models more reasonably than I have done.

<snip>

Received on Monday, 12 February 2007 23:18:47 UTC