Re: Page Security Score proposal

Thanks Mike. This proposal touches on several other areas. So I'm trying 
to wrap my head around the basic question "Why a numeric score?". Since 
you rightly reference PageInfo, it isn't only about making what the inputs 
are explicit. 

I believe we're likely to achieve consensus that there should be some 
primary SCI display (there are accessibility and device 
size/characteristics to be accounted for orthogonally, as well as the 
multicultural aspect raised by Bruno/ANEC; I assume those and do not 
explicitly address them here). To the extent there is a primary SCI 
display, it will have to have some sort of levels or gradations (on/off, 3 
levels as in "what is a secure page", 4 levels as this proposal suggests, 
99 levels/gradations as this proposal also suggests). No one seems to be 
proposing something with no levels as a primary SCI (that is currently 
relegated to secondary SCI in PageInfo, and rightly so in my opinion). We 
discussed the issue of medium/high risk situations that are pure display 
(no input) during one of the lightning discussions I led, and there 
seemed to be consensus that there would be pure display use cases of 
medium/high risk data, which also points towards consensus around a 
primary SCI display. Now would be the time for any participant to indicate 
that we did not have consensus on the need for recommendations around a 
primary display of SCI which reflects some level or gradation of security 
that is meant to be usable for trust decisions. 

Goal #vocabulary (2.3) says we will "recommend a set of terms, indicators 
and metaphors for consistent presentation of security information to 
users, across all web user agents. For each of these items, the Working 
Group will describe the intended user interpretation ..." That does argue 
for us standardizing on the indicators and what they mean to the user. So 
the gap in my mind between numeric score and our goals is, what is the 
intended user interpretation (user meaning) of the levels/gradations of 
the score? 

Taking it from the other direction, here are some intended user 
interpretations I could imagine might help with trust decisions on the 
web. (Side comment, we got any research or other data on what user 
interpretations would actually be useful to users? Audian, is that 
something that you could do as a low cost usability test?)

1. We don't know enough/anything about the trustability. It's new 
territory, you haven't been there before, the other wonky security things 
don't show anything especially amazing or especially suspicious. Proceed 
as you would in a new neighborhood. 

2. There's something fishy about this site. Don't trust it with anything 
you really care about. Don't use anything it says in any situation that 
involves something you consider risky. 

3. This site is trustworthy for commerce. You can safely give it your 
name, address, phone number, and whatever financial information seems 
appropriate to you in trustworthy commerce (credit card, password, SSN, 
mother's maiden name, ...). 

4. This is a site you've been to before and you've got some history with 
it. What we show you reminds me of what that history is (a petname, the 
most meaningful parts of the domain name, etc.), so that you can remember 
what you trust this site for and use it for that (again). 

5. This is a site someone you trust has said is trusted for some context. 
Here are displays for both those concepts; it should help you figure out 
what you can safely do here. 

Some other user interpretations I could imagine we might like, but I can't 
see how they'd fly. 

6. This site is using all the best cryptography and PKI. But there is no 
additional semantic meaning we can give to it. Trust it for something, 
maybe. After all, they must have invested x$ in a certificate from some 
CA.

7. This site is part of your place of business. Trust it with everything 
work related (I personally really want this one, but don't see a way to do 
it beyond 4 and 5 above). 

8. This site allows all kinds of crazy bad security things to happen like 
XSS and CSRF and the social networking/web 2.0 hack du jour. Run away fast 
(I don't see how to make this one happen beyond 1 and 2). 

If you buy the premise that the levels have to be meaningful to the user, 
then I don't see how scores can map to user meaningful levels with "no 
surprises". I do see how combinations of security context information 
could. Either way, we also have the problem that security context 
information marches on, and there will be new ones, and new values, and 
new attacks. As Mike points out, that will mean the need for 
updates/iterations on the mappings of SCI to SCI displays. 


From: <michael.mccormick@wellsfargo.com> 
Date: 06/09/2007 01:17 AM
To: <Mary_Ellen_Zurko@notesdev.ibm.com>
cc: <public-wsc-wg@w3.org>
Subject: Page Security Score proposal

I converted this recommendation to the correct template; see 
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/PageScore. 
Thanks, Mike

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com] 
Sent: Wednesday, June 06, 2007 6:51 AM
To: McCormick, Mike
Subject: RE: lightening discussion

Received on Friday, 15 June 2007 14:16:54 UTC