Small number of Primary SCI displays

Hi Johnathan,

I actually agree with most of that. I realize now that I did gloss over 
one alternative on the very abstract level of discussion/consensus I was 
hoping we'd achieve sometime soon, so let me just call that part out as 
part of this discussion. 

> not explicitly address them here). To the extent there is a primary 
> SCI display, it will have to have some sort of levels or gradations 
> (on/off, 3 levels as in "what is a secure page", 4 levels as this 
> proposal suggests, 99 levels/gradations as this proposal also 
> suggests). No one seems to be proposing something with no levels as 
> a primary SCI (that is currently relegated to secondary SCI in 
> PageInfo, and rightly so in my opinion). We discussed the issue of 
> medium/high risk situations that are pure display (no input) during 
> one of the lightning discussions I led, and there seemed to be 
> consensus that there would be pure display use cases of medium/high 
> risk data, which also points towards consensus around a primary SCI 
> display. Now would be the time for any participant to indicate that 
> we did not have consensus on the need for recommendations around a 
> primary display of SCI which reflects some level or gradation of 
> security that is meant to be usable for trust decisions. 

What I forgot was that there was in fact the possibility of a _small_ 
number of SCI displays; perhaps one for identity, perhaps one for 
confidentiality. No one's turned that into a proposal yet, but it's been a 
theme in a number of our email discussions. 

Note also that binary (on/off) was meant to be explicitly part of what I 
considered levels or gradations. Two states, there/not there, etc. 

And I really did mean to be discussing "display only" situations; context 
where no input was being solicited from the user. 

Perhaps this will strike most folks as too obvious or modest. Or maybe not 
given your reaction :-). But I wanted to see if we at least had agreement 
(I will use that word instead of consensus as a pre-consensus kind of 
thing) on that direction. 

That we expect to have one or more recommendations on SCI primary display 
in "display only" (non input) mode of a user agent, that will cover a 
small number of indicators (at least one) which will have state (and 
therefore level, be it on/off, two modes, 3, 4, 99, something in that 
range). 

I don't mean to distract from conversation about scores at all, so I've 
renamed this thread. 

Since it's about agreement, not consensus, I'll take participant silence 
for agreement :-). Though I love to be validated. Feel free to validate me 
1x1 if you're afraid of clogging up mailboxes with "yup, of course" kinds 
of messages. It is more a pulse taking thing. 

Received on Friday, 15 June 2007 16:19:35 UTC