- From: <michael.mccormick@wellsfargo.com>
- Date: Mon, 18 Jun 2007 14:05:46 -0500
- To: <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: <public-wsc-wg@w3.org>
- Message-ID: <8A794A6D6932D146B2949441ECFC9D68040A9FA9@msgswbmnmsp17.wellsfargo.com>
Mez et al,

One reason I advocate a numeric score is that it enables the agent to boil a large complex set of secondary security context & trust indicators down to a simple analog gauge-style primary indicator (speedometer, color, thermometer, etc.). As Tim Hahn eloquently explained, this type of UI is something that's familiar and intuitive to end users, and it can have value even if they don't know the particulars behind the mapping. Indeed, I feel that detailed secondary SCIs will never be usable to the average user.

The reason I advocate a standard scoring formula is that it would give all these primary SCIs the same underlying semantics regardless of how they look or which agent / version is in use. I believe this kind of consistency would be very valuable to end users.

I also suspect the process of developing a weighted scoring formula will prove a useful exercise for the web security community, because it forces us to sort through the many pieces of Page Security Info we've identified and evaluate their relative importance and interactions. Of course any straw man formula (including mine) should be tested with real users & web sites, and fine tuned as needed.

I think there's room for more than one standard. WSC should put a stake in the ground to bootstrap the adoption process, while encouraging innovation from others who may have ideas for improving scoring algorithms. I like the page score plug-in concept Stephen Farrell suggested.

Mike

_____

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Friday, June 15, 2007 9:17 AM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: Re: Page Security Score proposal

Thanks Mike.

This proposal touches on several other areas. So I'm trying to wrap my head around the basic question "Why a numeric score?". Since you rightly reference PageInfo, it isn't only about making what the inputs are explicit.
I believe we're likely to achieve consensus that there should be some primary SCI display (there are accessibility and device size/characteristics to be accounted for orthogonally, as well as the multicultural aspect raised by Bruno/ANEC; I assume those and do not explicitly address them here). To the extent there is a primary SCI display, it will have to have some sort of levels or gradations (on/off, 3 levels as in "what is a secure page", 4 levels as this proposal suggests, 99 levels/gradations as this proposal also suggests). No one seems to be proposing something with no levels as a primary SCI (that is currently relegated to secondary SCI in PageInfo, and rightly so in my opinion). We discussed the issue of medium/high risk situations that are pure display (no input) during one of the lightning discussions I led, and there seemed to be consensus that there would be pure display use cases of medium/high risk data, which also points towards consensus around a primary SCI display. Now would be the time for any participant to indicate that we did not have consensus on the need for recommendations around a primary display of SCI which reflects some level or gradation of security that is meant to be usable for trust decisions.

Goal #vocabulary (2.3) says we will "recommend a set of terms, indicators and metaphors for consistent presentation of security information to users, across all web user agents. For each of these items, the Working Group will describe the intended user interpretation ..." That does argue for us standardizing on the indicators and what they mean to the user.

So the gap in my mind between numeric score and our goals is, what is the intended user interpretation (user meaning) of the levels/gradations of the score?

Taking it from the other direction, here are some intended user interpretations I could imagine might help with trust decisions on the web.
(Side comment, we got any research or other data on what user interpretations would actually be useful to users? Audian, is that something that you could do as a low cost usability test?)

1. We don't know enough/anything about the trustability. It's new territory, you haven't been there before, the other wonky security things don't show anything especially amazing or especially suspicious. Proceed as you would in a new neighborhood.
2. There's something fishy about this site. Don't trust it with anything you really care about. Don't use anything it says in any situation that involves something you consider risky.
3. This site is trustworthy for commerce. You can safely give it your name, address, phone number, and whatever financial information seems appropriate to you in trustworthy commerce (credit card, password, ssn, mother's maiden name, ...).
4. This is a site you've been to before and you've got some history with it. What we show you reminds me of what that history is (a petname, the most meaningful parts of the domain name, etc.), so that you can remember what you trust this site for and use it for that (again).
5. This is a site someone you trust has said is trusted for some context. Here are displays for both those concepts; it should help you figure out what you can safely do here.

Some other user interpretations I could imagine we might like, but I can't see how they'd fly.

6. This site is using all the best cryptography and PKI. But there is no additional semantic meaning we can give to it. Trust it for something, maybe. After all, they must have invested x$ in a certificate from some CA.
7. This site is part of your place of business. Trust it with everything work related (I personally really want this one, but don't see a way to do it beyond 4 and 5 above).
8. This site allows all kinds of crazy bad security things to happen like XSS and CSRF and the social networking/web 2.0 hack du jour.
Run away fast (I don't see how to make this one happen beyond 1 and 2).

If you buy the premise that the levels have to be meaningful to the user, then I don't see how scores can map to user meaningful levels with "no surprises". I do see how combinations of security context information could.

Either way, we also have the problem that security context information marches on, and there will be new ones, and new values, and new attacks. As Mike points out, that will mean the need for updates/iterations on the mappings of SCI to SCI displays.

<michael.mccormick@wellsfargo.com>
06/09/2007 01:17 AM
To <Mary_Ellen_Zurko@notesdev.ibm.com>
cc <public-wsc-wg@w3.org>
Subject Page Security Score proposal

I converted this recommendation to the correct template; see http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/PageScore .

Thanks, Mike

_____

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Wednesday, June 06, 2007 6:51 AM
To: McCormick, Mike
Subject: RE: lightening discussion
Received on Monday, 18 June 2007 19:06:25 UTC