ACTION-69 Differential Use Case Analysis on User Expectations from Hallam-Baker, Phillip on 2007-01-22 (public-wsc-wg@w3.org from January 2007)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Mon, 22 Jan 2007 13:37:46 -0800
To: <public-wsc-wg@w3.org>
Message-ID: <198A730C2044DE4A96749D13E167AD37010D36D1@MOU1WNEXMB04.vcorp.ad.vrsn.com>

One of the principal problems we face is that the traditional padlock security interface establishes an expectation of security that is not met. The padlock icon tells the user 'this page is secure', its real semantics are 'this page was retrieved fvia an encrypted channel'.

Throughout we have been attempting to apply traditional use case type techniques that are designed to allow assement of functionality. We and others have arrived at a de facto modification of this approach that allows it to be applied to security issues. In this note I am attempting to formalize that which we do already.

Differential use case analysis of usage scenarios.

The objective of applying usability enginering to the security user interface is to allow the user to correctly and reliably differentiate a legitimate site from a fake site established by an attacker. We do this by defining sets of use cases and abuse cases.

The response to a use/abuse case may be one of three possible values:

1. Afirmation that the action is safe
2. Warning that the action is unsafe
3. Netural: neither warning nor affirmation given

In each case we want to maximize the number of correctly assigned Affirmations, Warnings while minimizing the number of Warnings presented in safe cases and never providing an affirmation in an abuse case.

First we define the user situations in which the user response is to be evaluated:

1. Inexperienced user using the technology for the first time
2. Experienced user who uses the technology on a frequent (e.g. daily) basis for an extended period of time
3. User who is being assisted by customer support

Next we define our task situations:

1. User types in a naked domain name into the address bar (www.example.com)
2. User types in a domain name prefixed by a secure protocol (https://www.example.com)
3. User follows a link from a site via unsecured http
4. User follows a link from a site via http secured by SSL with a domain validated certificate
5. User follows a link from a site via http secured by SSL with an Extended Validation certificate
6. User follows a link from an unsigned email
7. User follows a link from an email that is signed by a party considered to be trustworthy

In cases 2, 4, 5, 7 it might be considered that there is an expectation of security on the part of the user.

In each case we have a use case and a matching abuse case. The use case being that the user is directed to a legitimate site, the abuse case being that the user is directed to an illegitimate site.

Received on Monday, 22 January 2007 21:38:24 UTC